Enhance WSTG-BUSL-09 - Upload of Malicious Files

[DotDotSlashRepo]

What's the issue? This is an enhancement request. Test Upload of Malicious Files can be enhanced through following suggestions.

• [ ] 1. Filter Evasion : Add magic byte based evasion to bypass weak content validation
• [ ] 2. Filter Evasion: Add metadata based malicious payloads, which can be triggered if uploaded file is included by the web server.
• [ ] 3. Malicious File Contents - Other File Formats : Add attacks on SVG(XXE), HTML(XSS), GIF(XSS)
• [ ] 4. Malicious File Contents - Zip : Add attack on Zip Slip
• [ ] 5. Malicious File Contents : Add a new sub section on upload of configuration file such as .htaccess, web.config etc
• [ ] 6. Tools - Add burpsuite extension - Upload Scanner - https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa

How do we solve it? Content needs to be updated to accommodate these enhancements.

Would you like to be assigned to this issue? Check the box if you will submit a PR to fix this issue. Please read CONTRIBUTING.md.

• [x] Assign me, please!

[ThunderSon]

Hello! I will be reviewing this week and discussing the above suggested points. Thanks for going into a detailed discussion about this matter. There is now conflicting interest in some cases with INPV-11.1 - Local File Inclusion. We'll try to get down on this the soonest, as the team is still coming back from the holidays.

@kingthorin @jespunya @RiieCco your input would be valuable on this matter, as your free time allows.

[kingthorin]

Ran across this yesterday: https://mobile.twitter.com/hunter0x7/status/1346397333072846848 seems relevant to this topic.

[github-actions[bot]]

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

[github-actions[bot]]

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

[github-actions[bot]]

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

[github-actions[bot]]

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

[alexlop29]

Hi! I'd like to work on updating several sections of WSTG-BUSL-09.