Fix
- Do not use JavaScript as the validation tool
Vulnerability analysis
This challenge is about whitelist checking. The first step is to work out whether the check runs on the front end or on the back end.
As shown in the figure, no data is sent while the check runs, so this is a front-end check.
Then check the source code of the page: the validation is done in JavaScript, so you can try disabling JavaScript.
Of course, you can also let the file pass the validation first and then modify the request in transit.
Problem-solving ideas
Idea 1 - camouflage suffix
The data intercepted by Burp looks like this, which indicates that the check recognizes the file extension and does not inspect the file content.
Done.
Idea 2 - Disable JavaScript
JavaScript is executed locally, not on the server. It is run by the JavaScript engine of the local browser.
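The fix named at the top means the whitelist has to be enforced again on the server, and on the file content as well as the extension. The following is an added example, not code from the challenge or the original page; the allowed image types, the function names and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: server-side upload check (Node.js, no dependencies).
// ALLOWED is an assumed allowlist: extension -> accepted leading bytes.
const ALLOWED = {
  jpg: [[0xff, 0xd8, 0xff]],
  jpeg: [[0xff, 0xd8, 0xff]],
  png: [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  gif: [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],
};

function startsWith(bytes, prefix) {
  return bytes.length >= prefix.length && prefix.every((b, i) => bytes[i] === b);
}

// Runs for every request, whatever the browser-side script did or skipped.
function validateUpload(clientName, bytes) {
  // Keep only the last path component of the client-supplied name.
  const base = String(clientName).split(/[\\/]/).pop();
  if (base.includes('\0')) return { ok: false, reason: 'bad filename' };

  const dot = base.lastIndexOf('.');
  if (dot <= 0) return { ok: false, reason: 'no extension' };

  // Only the final extension counts, compared case-insensitively.
  const ext = base.slice(dot + 1).toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, ext)) {
    return { ok: false, reason: 'extension not allowed' };
  }
  // The content must begin with a signature registered for that extension.
  if (!ALLOWED[ext].some((sig) => startsWith(bytes, sig))) {
    return { ok: false, reason: 'content does not match extension' };
  }
  return { ok: true, ext };
}

// Constructed sample inputs: a PNG signature and a plain-text body.
const PNG_SAMPLE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
const TEXT_SAMPLE = Buffer.from('plain text, not an image');

console.log(validateUpload('photo.png', PNG_SAMPLE));    // accepted
console.log(validateUpload('renamed.jpg', TEXT_SAMPLE)); // rejected on content
console.log(validateUpload('page.html', TEXT_SAMPLE));   // rejected on extension
```

A file that passes should still be stored under a server-generated name, outside any directory the web server executes from.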