For Docker users:

```shell
./gunner.py --recipe bypass_nginx.yaml --target http://target.com/upload
```

## Case Study 1: Bug Bounty Hunting

A security researcher used the Gunner against a corporate "Support Ticket" system. The project's extensions-mutations payload set discovered that the server blocked `.exe` but allowed `exe.` (trailing dot). By uploading a malicious executable with a trailing dot, the researcher achieved remote code execution (RCE), earning a $5,000 bounty.

## Case Study 2: CI/CD Pipeline Integration

A fintech startup integrated the FileUpload Gunner Project into their GitLab CI pipeline. Every pull request that modified file upload logic triggered a Gunner scan against a staging environment. The pipeline caught a regression where a developer accidentally disabled MIME type verification, preventing a critical vulnerability from reaching production.

```yaml
# .gitlab-ci.yml snippet
gunner-scan:
  stage: security
  script:
    - docker run fileupload/gunner --target $STAGING_URL/upload --exit-on-failure
  only:
    - merge_requests
```

If you are defending an application, running the Gunner against yourself is the best education. Here is how to harden your uploader against its most common attacks:

1. **Defeat Double Extensions.** Do not just split on the last dot. Use `path.Ext()` (Go) or `os.path.splitext()` (Python) to take the final extension, and reject any filename with multiple dots unless it is a known safe pattern (e.g., `.tar.gz`).
2. **Defeat MIME Spoofing.** Never trust `Content-Type` headers. The Gunner will send `image/jpeg` but with PHP content. Instead, use `file --mime-type` (Unix) or a library like `filetype` to read the magic bytes of the actual file stream.
3. **Handle Null Bytes.** The Gunner loves `shell.php%00.jpg`. In languages like PHP, this used to truncate the string. Always sanitize filenames:

```python
filename = filename.replace('\x00', '')
```

Some Gunners send malformed `Content-Disposition` headers. Use a strict parser (e.g., the `mime` package in Go) rather than regex.

## Performance Tuning and Scaling

The FileUpload Gunner Project can be resource intensive. To run large campaigns (100,000+ payloads):
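As an added example (not code from the FileUpload Gunner Project or from the original article), the following Python validator applies the three hardening rules above in one place: it rejects null bytes and trailing dots outright, allows only a single extension unless the whole suffix is on an allowlist such as `.tar.gz`, and decides the file type from magic bytes rather than from the client's `Content-Type`. The allowlist, the magic-byte table and the sample uploads are constructed for the example.

```python
import os

# Constructed allowlist for this example: accepted extensions and the magic bytes each body must begin with.
ALLOWED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gz": b"\x1f\x8b",
}
SAFE_MULTI_EXT = (".tar.gz",)  # multi-dot suffixes explicitly permitted (the .tar.gz case above)

def validate_upload(filename: str, content_type: str, body: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Decisions rest on filename shape and magic bytes, never on Content-Type."""
    # Rule 3, null bytes: reject rather than silently strip, so the attempt can be logged and alerted on.
    if "\x00" in filename:
        return False, "null byte in filename"
    # Drop any directory component the client sent, whether / or \ separated.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    # Trailing dot or space (the exe. case study): Windows strips these when the file is written.
    if name != name.rstrip(". "):
        return False, "trailing dot or space in filename"
    lower = name.lower()
    # Rule 1, double extensions: every dot other than the final extension must belong to an allowlisted suffix.
    multi = next((s for s in SAFE_MULTI_EXT if lower.endswith(s)), None)
    stem = lower[: -len(multi)] if multi else os.path.splitext(lower)[0]
    if "." in stem:
        return False, "multiple extensions"
    ext = os.path.splitext(lower)[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"
    # Rule 2, MIME spoofing: the declared Content-Type is reported but never trusted; magic bytes decide.
    if not body.startswith(ALLOWED_MAGIC[ext]):
        return False, f"body is not {ext} (client declared {content_type})"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample uploads mirroring the bypasses the hardening list describes.
    samples = [
        ("shell.php\x00.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
        ("payload.exe.", "application/octet-stream", b"MZ\x90\x00"),
        ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", "image/jpeg", b"<?php echo 'not an image'; ?>"),
        ("backup.tar.gz", "application/gzip", b"\x1f\x8b\x08"),
    ]
    for fn, ct, body in samples:
        ok, why = validate_upload(fn, ct, body)
        print(f"{'ACCEPT' if ok else 'REJECT'} {fn!r}: {why}")
```

Rejecting rather than stripping the null byte keeps the original filename intact for logging, which is what a detection rule on the upload endpoint needs.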