Conversation

@NotaScripptkiddie NotaScripptkiddie commented Nov 8, 2025

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR passes, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR fixes issue #1883.

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is [Claude Sonnet4.5]
    and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you again for your contribution 😃

@NotaScripptkiddie NotaScripptkiddie (Author) commented

Thank you for considering this contribution! This cheat sheet combines guidance on secure file upload handling and Local File Inclusion prevention, which are often interconnected security concerns. I created this comprehensive guide to help developers implement secure file handling practices while being aware of related LFI vulnerabilities.

Key highlights of this cheat sheet:

  • Covers both file upload security and LFI prevention in one place
  • Provides practical mitigation strategies
  • Includes code examples for proper implementation
  • Addresses common attack vectors

I'm open to any feedback or suggestions to improve the content and make it more valuable for the community.

@jmanico jmanico (Member) left a comment

This is a lot! It's awesome! Give us time to review this.

@NotaScripptkiddie NotaScripptkiddie (Author) commented

Thank you so much for taking the time to review this! 🙏
I really appreciate your kind words and will patiently wait for your detailed feedback.
Please let me know if there’s anything I can improve or adjust.☺️

@mackowski mackowski (Collaborator) left a comment

@NotaScripptkiddie please review LLM-generated content more carefully. Before we start the review, please:

  1. remove /pr_body
  2. remove ````markdown
  3. review and fill "Checklist for contributor" including "Markdown Link Check" and your LLM prompts

@mackowski mackowski requested a review from Copilot November 9, 2025 06:49
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR adds a new comprehensive cheat sheet covering File Upload vulnerabilities and Local File Inclusion (LFI) attacks to the OWASP Cheat Sheet Series. The guide provides both defensive guidance for developers and testing methodologies for security professionals.

Key Changes:

  • Introduces detailed coverage of file upload bypass techniques including extension manipulation, MIME type spoofing, magic byte manipulation, and polyglot file creation
  • Provides secure PHP implementation examples for file upload handling and file serving with multiple validation layers
  • Documents attack vectors and defensive measures aligned with OWASP Top 10 2021 categories

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

File: cheatsheets/File_Upload_and_Local_File_Inclusion_Cheat_Sheet.md
Description: New comprehensive cheat sheet covering file upload security, bypass techniques, secure implementation patterns, and defensive coding practices

File: .pr_body.md
Description: PR description template with contributor checklist and metadata for submission

@NotaScripptkiddie NotaScripptkiddie (Author) commented

Hi @andrzejsydor,

Thank you for reviewing my PR! I'm a beginner in pentesting and I created this cheatsheet to help me with my own testing work. I thought it would be useful to share it with the OWASP community so others can benefit from it too.

I see that my PR is currently blocked with "2 requested changes" but I'm not entirely sure what needs to be fixed. Could you please help me understand:

  1. What specific changes do I need to make?
  2. Are there formatting issues I need to address?
  3. Is there anything wrong with the content itself?

I want to make sure I address all your feedback correctly. I'm eager to learn and contribute properly to this project.

Thank you for your patience and guidance!

@szh szh (Collaborator) commented Nov 10, 2025

Hey @NotaScripptkiddie,
As @mackowski said, please fill out the PR checklist (including the AI Tool Usage Disclosure).
Also we already have a File Upload cheat sheet. Can you please explain how this is different and why it makes sense to create a new one rather than update the existing one?

@NotaScripptkiddie NotaScripptkiddie (Author) commented

Hi @szh and @mackowski,

Thank you for the feedback!

AI Tool Usage Disclosure

✅ Yes, I used Claude AI to help structure and format the content to match OWASP standards. The technical research is mine, but AI assisted with organization and formatting.

Regarding Duplicate Content

You're absolutely right - I should have checked the existing File Upload cheat sheet first. My apologies for the oversight.

After reviewing the existing cheat sheet, I see this PR has significant overlap. However, there are some unique areas:

Unique Coverage:

  • Polyglot file creation techniques (image+PHP hybrids)
  • LFI+File Upload combination attacks
  • PHP wrapper exploitation (php://filter, php://input, data://)
  • Log and session poisoning techniques
  • Detection and monitoring strategies

Proposed Solution

Would it make more sense to:

  1. Update the existing File Upload cheat sheet with the polyglot/LFI sections?
  2. Create a separate LFI Cheat Sheet (since that's the more unique content)?
  3. Close this PR if the content doesn't add sufficient value?

Full Transparency

I'm aspiring to be a GSoC OWASP 2026 student contributor. This PR was my attempt to contribute meaningful content while learning the contribution process. I understand I should have researched existing content first, and I'm committed to making valuable contributions rather than just adding noise.

What direction would you recommend?

Thanks for your guidance!

@mackowski mackowski (Collaborator) commented

@NotaScripptkiddie most bigger open source projects have a "contributor guideline" or "contributing rules". Here is ours: https://github.com/OWASP/CheatSheetSeries/blob/master/CONTRIBUTING.md. I suggest always reviewing that first and then following it.
In this case, please create an issue where we will discuss this proposal.
I will close this PR because it is not following the contributor guideline, but I am encouraging you to read it and create a GitHub issue.

@mackowski mackowski closed this Nov 11, 2025