Due to weak server-side checks, we can easily circumvent the image-only restriction and upload a file type of our choice. The application code only checks that the content type matches image/jpeg, a client-supplied value that is easily modified with an intercepting proxy such as Burp. To prevent this type of exploit, developers need to whitelist both the content type and the file extension together in the application code.
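An added example, not code from the application under test: the content-type-only check described above next to a check that whitelists both content type and file extension. It goes one step beyond the text by also checking the leading JPEG bytes; the function names, allowlists and sample uploads are assumptions constructed for illustration.

```python
import os

# Assumed allowlists for a JPEG-only upload feature (names are hypothetical).
ALLOWED_TYPES = {"image/jpeg"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}
JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG stream starts with these bytes


def weak_check(filename, content_type, data):
    """The check described above: trusts only the client-supplied Content-Type."""
    return content_type == "image/jpeg"


def strict_check(filename, content_type, data):
    """Return (accepted, reason); every condition must hold."""
    # Ignore header parameters such as "; charset=..." and compare case-insensitively.
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ALLOWED_TYPES:
        return False, "content type not allowed"
    # Judge only the final path component; the last extension decides.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # Added beyond the page's two checks: the body must start like a JPEG.
    if not data.startswith(JPEG_MAGIC):
        return False, "content is not a JPEG"
    return True, "ok"


# Constructed sample uploads: (filename, Content-Type header, leading body bytes).
SAMPLES = [
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.html", "image/jpeg", b"<html></html>"),
    ("notes.jpg", "image/jpeg", b"plain text"),
    ("photo.JPG", "image/png", b"\x89PNG\r\n\x1a\n"),
]


def evaluate(samples=SAMPLES):
    """Run both checks over each sample and return the verdicts side by side."""
    return [(name, weak_check(name, ctype, data), strict_check(name, ctype, data))
            for name, ctype, data in samples]


if __name__ == "__main__":
    for name, weak, (ok, reason) in evaluate():
        print(f"{name:12} weak={weak!s:5} strict={ok!s:5} ({reason})")
```

The weak check accepts every sample whose header says image/jpeg, whatever the filename or body; the strict check accepts only the sample where header, extension and content all agree.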