When you need to test file upload endpoints beyond just "does it accept .php," this is the playbook. It walks through the four trust boundaries of accept, store, process, and serve, which is the right mental model because bugs usually hide in a different stage than where you uploaded. You get validation bypass patterns (double extensions, polyglots, magic byte tricks), processing chain attacks (ImageMagick, FFmpeg, zip slip), and the authorization gaps that live in direct object URLs and cross-tenant paths. It routes you to companion skills for XXE in SVG imports, path traversal in archive extraction, and XSS in filename reflection. Honest take: if you're only checking upload success without testing retrieval and background processing, you're missing the actual impact.
npx skills add https://github.com/yaklang/hack-skills --skill upload-insecure-files
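To make the accept, store, process, and serve boundaries concrete from the defender's side, here is an added example (written for this page; it is not code from the hack-skills repository). It assumes a small allowlist of three file types with their magic-byte prefixes, an in-memory owner/tenant table for authorization, and a temporary directory for storage; the inputs in `run_demo()` are constructed.

```python
import os
import secrets
import tempfile
from dataclasses import dataclass

# Allowlist: canonical extension -> (magic-byte prefix, Content-Type used when serving).
# The serving type comes from this table, never from the client's name or MIME header.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "pdf": (b"%PDF-", "application/pdf"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised at the accept boundary; message is for logs, not for echoing back."""


def validate_upload(client_name: str, data: bytes) -> str:
    """Accept boundary: return the canonical extension or raise UploadRejected.

    Only the final extension of the client name is consulted, so 'shell.php.jpg'
    collapses to 'jpg' and no 'php' segment ever reaches the stored name. The
    body must then start with that type's magic bytes, so a renamed script fails.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized body")
    if "\x00" in client_name:
        raise UploadRejected("NUL byte in filename")
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in ALLOWED:
        raise UploadRejected("extension not in allowlist")
    magic, _ = ALLOWED[ext]
    if not data.startswith(magic):
        raise UploadRejected("content does not match declared type")
    return ext


def safe_extract_path(dest_dir: str, entry_name: str) -> str:
    """Process boundary: refuse archive entries that resolve outside dest_dir
    (zip slip through '../' segments or absolute entry names)."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    if os.path.commonpath([dest, target]) != dest:
        raise UploadRejected("archive entry escapes extraction directory")
    return target


@dataclass
class StoredFile:
    file_id: str
    ext: str
    owner: str
    tenant: str


class UploadStore:
    """Store and serve boundaries: files live under a server-chosen random id,
    and the id -> owner/tenant record authorizes retrieval, not URL knowledge."""

    def __init__(self, root: str):
        self.root = os.path.realpath(root)
        self.meta: dict[str, StoredFile] = {}  # assumed in-memory metadata table

    def store(self, client_name: str, data: bytes, owner: str, tenant: str) -> str:
        ext = validate_upload(client_name, data)
        file_id = secrets.token_urlsafe(16)  # unguessable; client name is discarded
        with open(os.path.join(self.root, f"{file_id}.{ext}"), "wb") as fh:
            fh.write(data)
        self.meta[file_id] = StoredFile(file_id, ext, owner, tenant)
        return file_id

    def serve(self, file_id: str, requester: str, tenant: str):
        rec = self.meta.get(file_id)
        # Same error for "missing" and "not yours": no oracle for which ids exist
        if rec is None or rec.tenant != tenant or rec.owner != requester:
            raise PermissionError("not found")
        _, content_type = ALLOWED[rec.ext]
        headers = {
            "Content-Type": content_type,            # from the allowlist only
            "X-Content-Type-Options": "nosniff",     # browser must not re-type it
            "Content-Disposition": f'attachment; filename="{file_id}.{rec.ext}"',
        }
        with open(os.path.join(self.root, f"{file_id}.{rec.ext}"), "rb") as fh:
            return headers, fh.read()


def run_demo() -> dict:
    """Exercise all four boundaries with constructed inputs; returns the outcomes."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed: valid PNG prefix
    script = b"<?php echo 'x'; ?>"               # constructed: non-image body
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = UploadStore(tmp)
        fid = store.store("photo.png", png, owner="alice", tenant="t1")
        out["stored_as_random_id"] = fid != "photo.png" and "." not in fid
        headers, body = store.serve(fid, "alice", "t1")
        out["served_nosniff"] = headers["X-Content-Type-Options"] == "nosniff"
        out["served_type"] = headers["Content-Type"]
        out["body_roundtrip"] = body == png
        for name in ("shell.php", "shell.php.png", "avatar.png"):
            try:
                store.store(name, script, "mallory", "t2")
                out[name] = "accepted"
            except UploadRejected:
                out[name] = "rejected"
        try:
            store.serve(fid, "bob", "t2")
            out["cross_tenant"] = "served"
        except PermissionError:
            out["cross_tenant"] = "denied"
        try:
            safe_extract_path(tmp, "../../etc/passwd")
            out["zip_slip"] = "allowed"
        except UploadRejected:
            out["zip_slip"] = "blocked"
        out["zip_ok"] = safe_extract_path(tmp, "images/a.png").startswith(store.root)
    return out
```

The design choice worth noting is that each boundary enforces its own rule independently: the accept step does not trust the name, the store step does not reuse it, the serve step takes the type from the allowlist and refuses cross-tenant ids with the same error it gives for unknown ids, and the extraction step checks the resolved path rather than the entry string. A bypass at one stage therefore still has to survive the next, which is exactly why the playbook tells you to test retrieval and processing and not just the upload response.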