Academy - Whitelist Filters

I ran into some problems with the Whitelist Filters module question. I tried different techniques and found many alternative ways to bypass the filters and get the “successful upload” message. The problem seems to be that the “successful upload” message doesn’t correspond to an actual upload of the file into the profile_images folder.

Need a hint…

Never mind. Solved by rewriting the wordlists.
Sometimes we need to go back to the beginning of the journey to find the right track…

Hello, my congrats :)
Can you please help with this?
I get an OK result when uploading files with those symbols, but I don’t know how to send a request with some already URL-encoded chars, such as %0a, etc…

Did you use a browser and URL-encode the whole string to make the request? curl only downloads the PHP page :(

Same here: my problems were with unticking the URL-encoding checkbox in Burp, and I didn’t know a non-blacklisted extension.
Use only this one from the previous exercise and be happy :)

Replying to this because it’s the first thread on this part of the module I found. Just wanted to give my advice to anyone who is doing this one. Use the ZAP Fuzzer, not Burp Intruder. There will be about 500 requests you have to send and Burp will take its sweet time. ZAP can go through all of them in just a second or two.