How it works...

In this recipe, we used Burp Suite as a proxy to capture a request after it had passed the validation mechanisms the application establishes client-side, that is, in the browser. We then modified the content of that request by changing the Content-Type header and used the altered request to bypass the application's file type restrictions.

Content-Type is a standard HTTP header set by the client, particularly in POST and PUT requests, to indicate to the server the type of data it is receiving. It's not uncommon for web applications that allow users to upload files to rely on this field and the file's extension to filter out dangerous or unauthorized types. As we just saw, since both values are chosen by the client, this protective measure on its own is insufficient to prevent a user from uploading malicious content to the server.
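To make the point concrete, here is an added example (not code from the recipe or the book) showing, from the server side, a weak upload filter that trusts only the client-supplied Content-Type beside a hardened one that also requires an extension allowlist and the file's own leading bytes to agree; the allowlists, magic-number table and sample uploads are constructed for the example.

```python
# Added example: weak versus hardened upload type validation.
import os

# Constructed allowlists for an image-upload feature.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif"}

# Leading bytes (magic numbers) of the formats the allowlist admits.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_is_allowed(filename, content_type, data):
    """Trusts the Content-Type header alone: the check bypassed in the recipe."""
    return content_type in ALLOWED_CONTENT_TYPES


def hardened_is_allowed(filename, content_type, data):
    """Requires header, extension and the file's own bytes to agree."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if content_type not in ALLOWED_CONTENT_TYPES:
        return False
    # The header and extension are client-controlled; the bytes are what
    # the server would actually store, so they get the final say.
    return data.startswith(MAGIC[ext])


# Constructed sample uploads: a genuine PNG header, and a script whose
# Content-Type the client rewrote to image/png, as done in the recipe.
PNG_UPLOAD = ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
SPOOFED_UPLOAD = ("script.php", "image/png", b"<?php echo 'hello'; ?>")

if __name__ == "__main__":
    for upload in (PNG_UPLOAD, SPOOFED_UPLOAD):
        print(upload[0], "weak:", weak_is_allowed(*upload),
              "hardened:", hardened_is_allowed(*upload))
```

Checking the leading bytes is stronger than trusting the header, but it is still not proof that a file is benign; uploads should also be stored outside the web root and served with a server-chosen Content-Type.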

Being able to intercept and modify requests is a highly important aspect of any web application penetration test, not only to bypass some client-side validation—as we did in this recipe—but also to study what kind of information is sent and to try to understand the inner workings of the application. Based on that understanding, we may also need to add, remove, or replace some values for our convenience.
