File upload lfi cheatsheet

.pr_body.md

@@ -0,0 +1,55 @@
+Title: Add File Upload and Local File Inclusion Cheat Sheet
+
+Description:
+This PR adds a new cheat sheet: "File Upload and Local File Inclusion Cheat Sheet" to the `cheatsheets/` directory.
+
+Summary of changes
+- Adds `cheatsheets/File_Upload_and_Local_File_Inclusion_Cheat_Sheet.md` — a combined, detailed guide covering:
+  - secure file upload practices and server-side validation
+  - common bypasses (extension, MIME, magic bytes, polyglots)
+  - Local File Inclusion (LFI) attack techniques and PHP wrapper exploitation
+  - LFI -> RCE workflows (log/session poisoning, php://input, data://, etc.)
+  - server & application hardening recommendations (php.ini, webserver configs)
+  - detection/monitoring and incident response checklists
+
+Why this change
+- Provides thorough guidance for developers, operators, and security teams on both preventing and testing file-upload and LFI risks. It complements the existing `File_Upload_Cheat_Sheet.md` by adding deeper LFI testing, exploitation examples, and remediation patterns.
+
+Notes for reviewers
+- There is some overlap with `cheatsheets/File_Upload_Cheat_Sheet.md`; please advise if maintainers prefer:
+  - keeping both files (separate concerns: upload vs. LFI),
+  - merging LFI sections into the existing File_Upload cheat sheet, or
+  - refactoring to remove duplicated material and keep one canonical guide.
+- I did a quick scan for obvious secrets and none were found, but please run CI and a secrets check in your review flow.
+- If you prefer the content split differently (shorter cheat sheet + companion LFI doc), I can refactor as requested.
+
+Checklist for contributor (please update/check before submitting)
+- [ ] I used the project cheat sheet template (see `templates/New_CheatSheet.md`) or confirmed formatting matches the project's guidance.
+- [ ] All markdown files pass the repository's Markdown Link Check CI.
+- [ ] All markdown files follow the format rules in `CONTRIBUTING.md`.
+- [ ] All referenced assets (images) are stored in `assets/` and are PNGs (if applicable).
+- [ ] External references are formatted as `[TEXT](URL)`.
+- [ ] I verified the defensive code shown (snippets) are valid examples and tested where appropriate.
+- [ ] I ran a quick scan for secrets and none were found in this change.
+
+CI & PR instructions
+- This branch is `NotaScripptkiddie:file-upload-lfi-cheatsheet` and was pushed to origin. To open a PR against upstream use the GitHub UI or the GitHub CLI.
+
+AI Tool Usage Disclosure
+The repository requests disclosure for AI usage. Fill this section according to your contribution process. Example placeholder below — please replace with accurate info before submitting.
+- [ ] I have NOT used any AI tool to generate the contents of this PR.
+- [x] I have used AI tools to generate or edit parts of the contribution (for example: commit message, PR body, editorial fixes). I have verified the content.
+  - LLM: [ENTER LLM NAME & VERSION HERE]
+  - Prompt: "Prepare a clear PR body for a new cheat sheet file that adds File Upload and LFI guidance to OWASP Cheat Sheet Series. Include summary, reviewer notes, checklist, and AI disclosure placeholders."
+
+If this PR is related to an issue, append a line like:
+This PR fixes issue #<REPLACE WITH ISSUE NUMBER>
+
+----
+You can use this file with the GitHub CLI:
+
+```powershell
+gh pr create --title "Add File Upload and Local File Inclusion Cheat Sheet" --base master --head NotaScripptkiddie:file-upload-lfi-cheatsheet --body-file .\.pr_body.md
+```
+
+Replace `--base master` with `--base main` if upstream uses `main` as the default branch.