Send arbitrary files to arbitrary URLs using HTML5's FileSystem (works on Chrome-ish browsers)

This tool shows how Upload CSRF can be exploited using the HTML5 FileSystem API. This means you can, for instance, make an XSS via an uploaded filename remotely exploitable. In other words, the "file" we upload is generated in the DOM, and we can pick almost arbitrary content and filenames, even those containing ">" and "<". The whole process can of course be automated. An attacker can lure a victim to a website, and this website will "upload" a "file" across domains using the victim's credentials.

« URL
« filename
« content

If you control the server you send data to, this might help you debug:
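<?php
    // Start (or resume) the session so each sender gets its own dump file
    session_start();
    // Print the session ID so you know which file to inspect
    echo session_id();
    // Dump the received request parameters and upload metadata to a file named after the session ID
    file_put_contents(session_id(), serialize($_REQUEST).serialize($_FILES));
?>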
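
On the receiving side, the cross-domain "upload" described above is stopped by checking the request's Origin header and a per-session CSRF token, and the filename XSS by escaping the client-supplied name before it is displayed. The following is an added example, not part of the original tool; the origin https://app.example, the csrf_token field, the request object shape and the sample part header are assumptions constructed for illustration.

```javascript
// Added example (not from the original page): server-side checks for an upload handler.
const crypto = require('crypto');

// Assumption: the only origin allowed to post uploads is the site's own.
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Constructed sample: headers of one multipart part whose filename contains "<" and ">".
const SAMPLE_PART = 'Content-Disposition: form-data; name="file"; filename="notes<b>.txt"\r\n' +
                    'Content-Type: text/plain';

// Pull the client-supplied filename out of a multipart part's headers.
function partFilename(partHeaders) {
  const m = /^content-disposition:[^\r\n]*?;\s*filename="((?:[^"\\]|\\.)*)"/im.exec(partHeaders);
  return m ? m[1] : null;
}

// Escape for HTML text/attribute context before the name is ever shown.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constant-time comparison of the per-session CSRF token with the submitted one.
function tokenMatches(expected, supplied) {
  if (typeof expected !== 'string' || expected.length === 0) return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(String(supplied || ''));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide whether to accept an upload. `req` is a plain object (hypothetical shape):
// { headers, sessionToken, fields, partHeaders }.
function checkUpload(req) {
  const origin = req.headers['origin'];
  // Browsers attach Origin to cross-site POSTs; reject anything not on the allowlist.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: 'cross-origin' };
  }
  // A page on another domain cannot read the victim's token, so it cannot supply it.
  if (!tokenMatches(req.sessionToken, req.fields.csrf_token)) {
    return { ok: false, reason: 'bad-csrf-token' };
  }
  const raw = partFilename(req.partHeaders) || 'upload';
  // Store under a server-generated name; keep the client name only as escaped display text.
  return { ok: true, storedAs: crypto.randomBytes(16).toString('hex'), displayName: escapeHtml(raw) };
}
```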