libmagic-type-confusion
OfficialEvade libmagic upload type checks to smuggle files.
System Documentation
What problem does it solve?
Applications that use libmagic or the file command to validate uploaded file types block dangerous formats like HTML, SVG, and executables to prevent attacks. This Skill enables you to bypass these validation checks by exploiting libmagic's JSON nesting depth limit to cause type confusion, allowing you to test if malicious file types can reach downstream processing pipelines.
Core Features & Use Cases
- libmagic Usage Detection: Identifies if a target application uses libmagic, python-magic, finfo, or related bindings for file type validation.
- Payload Generation: Creates deeply nested JSON payloads embedded with target file signatures (e.g., PDF, HTML, SVG) that trick libmagic into misidentifying the file type.
- Use Case: Use this Skill during authorized red teaming engagements to test if your organization's file upload functionality can be exploited to smuggle executable or scriptable content past MIME checks and into trusted processing pipelines.
Quick Start
Use the libmagic-type-confusion skill to generate a deeply nested JSON payload that tricks the target's libmagic-based upload validator into misidentifying a PDF file as JSON, then upload it to the target's file upload endpoint to test if the PDF reaches the downstream processing pipeline.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: libmagic-type-confusion Download link: https://github.com/dreadnode/capabilities/archive/main.zip#libmagic-type-confusion Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 537,000+ vetted skills library on demand.