My Pentest Log -21 — (Content-Type Checks)

Hamit CİBO
3 min readJun 6, 2022


Greetings everyone from Porta Platea,

In this article, I would like to inform you about a situation I encountered during the tests I carried out on the file upload area.

1. I received the necessary information for the “” tests to be carried out by our project manager.

2. I verified the “scope form” right after the disclosure process.

3. I completed the discovery steps on the target application and started the security tests.

4. After some vulnerabilities were detected, I started special tests on the file upload area in the application. Why specifically?

File upload areas have a very important place in application security. The reason for this is that a vulnerability may cause harmful files to be uploaded to the server, allowing us to obtain a shell.

5. Based on this, I wanted to perform the last check in my checklist after applying various file upload attacks.

Check name : Content-Type Attacks Checks

Our purpose in this control is to determine whether a blacklist-based or white-list-based security measure is taken on the relevant application. If there is a blacklist based control, it is more likely to be bypassed than a whitelist. If it is whitelist, it should try to overcome with much more advanced techniques. Based on this, I created a detailed list by searching mime-types on google. I collected about 1617 mime-type variants and saved them in a small txt list.

Our aim here is to understand which file formats are accepted and which are not, by testing the mime-types in this list one by one on the content-type header in the file upload area of ​​the relevant application. If the application returns false for all of them, it will most likely have taken a whitelist-based security measure, which will lead us to create attack vectors over accepted formats.

6. By adding the “content-types.txt” file that I created to the intruder via the burp suite software, I started the trial and error process on the “Content-Type” header belonging to the relevant application, and as I guessed, a black list-based control was applied on the application. I found that only certain format files are blocked and the rest can be loaded easily.

7. Starting from here, I was able to successfully load the application by creating a small command output over a content-type that is not controlled by the application and read the output of the command.

8. I finished the day with high motivation by adding the relevant finding and evidence to our safety report.

In summary:

While testing various features on applications, you can detect various vulnerabilities by applying more attack vectors without giving up.



Hamit CİBO

Penetration Test Specialist | Tout a commencé avec un paramètre