File Upload Vulnerabilities
1 Global Definition
A file upload vulnerability occurs when an application improperly handles files submitted by users. Attackers can exploit this flaw to upload malicious files such as web shells, malware, or executable code. This often leads to remote code execution, data theft, or complete system compromise.
1.1 Common Attack Scenarios
-
Web Shell Upload: Uploading a PHP, ASP, or JSP script disguised as an image or document.
Example:
shell.php.jpg - Malware Distribution: Uploading trojans, ransomware, or viruses for unsuspecting users to download.
- Denial of Service (DoS): Uploading large files to exhaust server resources.
-
Overwriting Critical Files: Exploiting path traversal to replace important server files.
Example:
../../../../../etc/passwd -
Bypassing Validation: Exploiting weak content-type checks by modifying headers like:
Content-Type: image/png
1.2 Real-World Impact
- Remote Code Execution: Attackers gain full control of the server through a malicious script.
- Data Breach: Uploaded files used to extract sensitive data such as credentials, databases, or API keys.
- Privilege Escalation: Malicious uploads exploited to gain administrator rights.
- Brand Damage: Attackers may host phishing pages or illegal content using the vulnerable site.
- Compliance Violations: Breach of GDPR or other standards.
1.3 Exploitation Techniques
-
Renaming files with double extensions to trick filters:
image.jpg.php - Exploiting weak MIME type validation by modifying HTTP requests.
-
Using Unicode or null-byte injection (
%00) to bypass file extension checks. -
Exploiting predictable upload directories to access files directly:
http://example.com/uploads/malicious.php - Crafting malicious image files containing embedded code (e.g., PHP in EXIF headers).
1.4 Defense Strategies
-
Restrict uploadable file types to only safe formats (e.g., images:
.jpg,.png). - Validate both file extension and MIME type.
- Store files outside the web root to prevent direct access.
- Rename uploaded files and use random identifiers to avoid overwriting and direct access.
- Implement content scanning with security tools.
- Enforce strict size limits to prevent DoS attacks.
1.5 Why It Matters
File upload vulnerabilities are one of the most dangerous flaws in web applications. A single malicious upload can lead to full server compromise, defacement, or data exfiltration. These vulnerabilities are frequently exploited in the wild and remain a top priority in penetration testing engagements. Proper validation and secure handling of uploaded files are essential for defending web systems.