Hey, what's up guys, Hacksplain here. Today we're going to have a look at the Upload Size challenge. Now, the description says we should upload a file which is larger than 100 kilobytes, and this falls under the improper input validation challenges. So let's scroll up a little bit and see where we do have an upload functionality. And I actually already scouted the website a little bit, and I found that under the complaint section over here we can upload an invoice, and there's a browse button right over here. So let's try to upload a file. I'm having
a file over here which is called doc1.pdf. I'll put down a message saying astf, it doesn't really matter. I will submit this, and yep, we are getting a message saying customer support will get in touch with you soon, your complaint reference is number two. And if we have a look at that, we see that there was a POST request going out to /file-upload, and you can see the PDF upload right down below here. So all that red stuff is the PDF that I was sending to the web server, and you
can see over here that I was sending an application/pdf content type. So what happens if I send a file which is a little bigger? So now I'm trying to send a file which is bigger than 100 kilobytes, as you can see over here, and the client-side controls right now actually only allow me to upload a file which has a maximum of 100 kilobytes. So what can we do in order to circumvent the client-side controls? That's pretty easy: we go back to Burp. We're still having this request open that is needed to upload a file.
We click on Ctrl+R to send this request to Repeater. We check out Repeater. We can send this again just to check if it still works. It does, and it responds with a 204 No Content response. So instead of sending this file right now, which is smaller than 100 kilobytes, let's try to send one which is bigger. So I'm going to open up Notepad right now and open the bigger PDF file in Notepad and copy it straight into Burp's Repeater. All right, so you can see that I'm having doc2.pdf open in Notepad
and it basically looks like a lot of garbage because Notepad cannot render a PDF file. But what we can do is we can just copy all the information, all the data, and move over here to Burp's Repeater. And now we gotta substitute all that information which we find over here. So I'm scrolling down to the very bottom of the request, and if we're finished, which will happen in just a bit right now, we will delete that and fill in our new content. So now I'm uploading a file which is bigger than 100 kilobytes. Now we'll
just go ahead and click on Send, and what we see over here is that we're receiving a 204 No Content response once again, which kind of means that the file was uploaded. And if we check back to Juice Shop, we can see that we've successfully solved the challenge, which is Upload Size: upload the file larger than 100 kilobytes. So that was it for today. So you should have learned that you should never trust client-side controls as a company, or if you are on the attacker side, make sure to circumvent client-side controls by using a tool
like Burp Suite. Alright, thank you for watching. Subscribe in the top right corner, and yeah, check out all my other videos.
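The closing lesson of the video, never trust client-side controls, shown from the server side. This is an added example, not part of the video and not Juice Shop's code; the name `checkUpload` and the sample bodies are constructed, and the chunks are assumed to be the bytes of the uploaded file part.

```javascript
// Server-side upload size enforcement: the check the browser form cannot provide.
const MAX_UPLOAD_BYTES = 100 * 1024; // the 100 KB limit from the challenge

// Returns the HTTP status the server should answer with for one upload.
// declaredLength: Content-Length header value (string or undefined); client-controlled.
// chunks: body pieces (Buffers) in the order they arrive from the socket.
function checkUpload(declaredLength, chunks, limit = MAX_UPLOAD_BYTES) {
  // Early reject on the declared size: cheap, but only as honest as the client.
  if (declaredLength !== undefined) {
    const n = Number(declaredLength);
    if (!Number.isInteger(n) || n < 0) return 400; // malformed header
    if (n > limit) return 413;                     // Payload Too Large
  }
  // Authoritative check: count the bytes actually received and stop at the limit.
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > limit) return 413; // stop reading, discard the partial file
  }
  return 204; // the success status seen in the transcript
}

// Constructed sample bodies (zero-filled, not real PDFs).
const small = [Buffer.alloc(50 * 1024)];                          // passes the form
const large = [Buffer.alloc(64 * 1024), Buffer.alloc(64 * 1024)]; // 128 KB replay

function demo() {
  return {
    browserUpload: checkUpload(String(50 * 1024), small),    // normal form submit
    replayedHonest: checkUpload(String(128 * 1024), large),  // proxy replay, true length
    replayedNoLength: checkUpload(undefined, large),         // no Content-Length sent
    malformedLength: checkUpload('abc', small),              // unparsable header
  };
}

console.log(demo());
```

A request replayed from a proxy never runs the browser's size check, so only the byte count taken on the server decides whether the oversized file is stored.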