#penetration-testing

The File Upload That Looked Safe — Until I Changed One Request Header

The file upload form had validation. It checked the file type, rejected anything that wasn't an image, and showed a helpful error message. The check ran entirely in the browser.