Lab link.
If the application restricts uploads by file extension, there are several ways to bypass that restriction. In this lab, we use the null byte method to bypass the file extension blocking.
In the request's response, we see that our file was uploaded correctly.
In the GET /files/avatars/ request, we correct our file name and access the code.
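Why the extension check passes while a different file name ends up on disk, and a stricter check that closes the gap, shown as an added example that is not code from the lab or from this write-up. The allowed extensions, the function names and the sample file names are assumptions constructed for illustration.

```python
import os
import re

# Assumption: the avatar feature should only accept these image extensions.
ALLOWED_EXTENSIONS = {".jpg", ".png"}
# Exactly one dot, no control characters, no percent-encoding, no path separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def naive_is_allowed(filename: str) -> bool:
    """Weak check: looks only at the suffix of the name as submitted."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def name_seen_by_c_layer(filename: str) -> str:
    """Model of a lower layer that treats the name as a C string and stops at NUL."""
    return filename.split("\x00", 1)[0]


def strict_is_allowed(filename: str) -> bool:
    """Hardened check: reject NUL outright, then validate the whole name."""
    if "\x00" in filename:
        return False  # a NUL byte never belongs in an upload file name
    if SAFE_NAME.fullmatch(filename) is None:
        return False  # extra dots, encoded bytes, separators, control characters
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def audit(names):
    """Return, per submitted name, what each check decides and what gets stored."""
    return {
        name: {
            "naive": naive_is_allowed(name),
            "stored_as": name_seen_by_c_layer(name),
            "strict": strict_is_allowed(name),
        }
        for name in names
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the lab.
    samples = ["avatar.jpg", "avatar.php", "avatar.php\x00.jpg", "avatar.php%00.jpg"]
    for name, result in audit(samples).items():
        print(repr(name), result)
```

A safer design goes further and never stores the client-supplied name at all: generate the stored file name on the server and serve the upload directory without script execution.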