File Upload Security Testing Cheat Sheet

by x32x01
File upload functionality is one of the most dangerous features in web applications if not properly secured. Attackers often target upload forms to gain remote code execution, bypass validation, or upload malicious files.
This comprehensive file upload security cheat sheet will help you assess file upload functionality, test vulnerabilities, validate inputs, and ensure secure file handling in modern web applications.
If you're learning penetration testing, ethical hacking, or web security, mastering file upload testing is essential 🚀

Why File Upload Security Matters ⚠️

Poorly secured file upload systems can lead to:
  • Remote Code Execution (RCE)
  • Web Shell Upload
  • Malware Hosting
  • Cross-Site Scripting (XSS)
  • Storage Abuse
  • Denial of Service (DoS)
Many real-world data breaches start from weak file validation logic.



Step 1: Test File Type Validation 🧪

One of the first things to check is how the application validates file types.

🔍 What to Test:

  • Does it validate by extension only?
  • Does it check MIME type?
  • Does it inspect file content (magic bytes)?
  • Is validation done client-side only?

🚨 Common Bypass Techniques

  1. Change file extension: shell.php → shell.php.jpg
  2. Use double extension: shell.php.jpg
  3. Null byte injection (older systems): shell.php%00.jpg
  4. Change Content-Type header manually in Burp Suite: Content-Type: image/jpeg
Always test using a proxy tool to intercept and modify requests.



Step 2: Test for Executable File Upload 🐚

Try uploading files that could execute code on the server.
Example PHP web shell:
PHP:
<?php system($_GET['cmd']); ?>
If uploaded successfully and accessible via browser:
Code:
http://target.com/uploads/shell.php?cmd=id
This indicates a critical Remote Code Execution vulnerability.



Step 3: Check for MIME Type Validation 🎭

Some applications only check MIME type in the request header.
Using a proxy like Burp Suite, change:
Code:
Content-Type: application/x-php
To:
Code:
Content-Type: image/png
If the upload succeeds, the server relies only on client-provided headers - which is insecure.



Step 4: Test File Content Validation (Magic Bytes) 🔬

Secure systems verify file signatures (magic bytes).
Example of valid PNG header:
Code:
89 50 4E 47 0D 0A 1A 0A
Attackers sometimes prepend valid image headers to malicious scripts to bypass checks.
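As an added example (not part of the original post), here is the server-side counterpart to Steps 1, 3 and 4: an extension allow-list that also rejects double extensions and null bytes, plus a magic-byte check that must agree with the extension rather than with the client's Content-Type header. The signature table and the set of allowed image types are assumptions for the example.

```python
import os

# Constructed signature table for the image types this handler allows;
# only the leading bytes are compared.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
CANONICAL = {"jpeg": "jpg"}  # extension aliases that map to a signature key


def sniff_type(data):
    """Return the image type implied by the magic bytes, or None."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):  # bytes.startswith accepts a tuple
            return kind
    return None


def validate_upload(filename, data):
    """Allow-list the extension, then require the content signature to agree
    with it. Returns (accepted, reason)."""
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name:
        return False, "null byte in filename"
    segments = name.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False, "missing extension"
    # Every segment after the base name must be allow-listed, so a double
    # extension such as shell.php.jpg is rejected even though it ends in .jpg.
    for seg in segments[1:]:
        if CANONICAL.get(seg, seg) not in SIGNATURES:
            return False, "extension %r not allowed" % seg
    claimed = CANONICAL.get(segments[-1], segments[-1])
    actual = sniff_type(data)
    if actual is None:
        return False, "no recognised image signature"
    if actual != claimed:
        return False, "content is %s but extension says %s" % (actual, claimed)
    # A passing file only proves it *starts* like an image (the prepended-header
    # trick above still passes), which is why storage must also be non-executable.
    return True, "ok"
```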



Step 5: Test Upload Path & File Access 📁

After uploading, test:
  • Is the file stored inside the web root?
  • Can it be accessed directly via URL?
  • Is directory listing enabled?
  • Are uploaded files renamed?
If uploaded files can be fetched directly, the risk increases: a stored script may then be executed by the server, and an uploaded HTML file rendered in a victim's browser.
Example test: http://target.com/uploads/filename.ext



Step 6: Test File Size Restrictions 📦

Upload:
  • Very large files
  • Highly compressed files (ZIP bombs)
  • Nested archive files
ZIP bomb example concept:
A tiny compressed file that expands to a huge size when decompressed, exhausting disk space or memory (DoS).



Step 7: Test for Path Traversal in File Name 🚧

Try modifying the filename parameter: ../../shell.php
If the application does not sanitize filenames, the file may be written outside the upload directory and overwrite sensitive system files.



Step 8: Test for Image Processing Vulnerabilities 🖼️

If the application resizes or processes images:
  • Check for ImageTragick vulnerabilities
  • Test malformed EXIF metadata
  • Try embedding payload inside image metadata
Example EXIF injection concept:
Code:
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg



Step 9: Check for Overwrite Vulnerability 🔁

Upload a file with the same name twice.
If the server overwrites existing files without warning, this may allow:
  • Defacement
  • Stored XSS
  • Replacement of legitimate files



Step 10: Review Server-Side Validation 🔒

Developers should:
  • Validate extension
  • Validate MIME type
  • Validate file signature
  • Rename uploaded files
  • Store files outside web root
  • Disable execution in upload directory
Example Apache configuration:
Code:
<Directory "/var/www/uploads">
    php_admin_flag engine off
</Directory>
This prevents PHP execution inside the upload folder when PHP runs as an Apache module (mod_php). With PHP-FPM, php_admin_flag has no effect; there the upload directory must instead be excluded from the FastCGI handler so that nothing in it is ever passed to PHP.
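An added example (not from the original post) for the defensive side of Steps 7, 9 and 10, with the size limit from Step 6: filenames are resolved with a containment check so ../../shell.php cannot escape the upload root, stored files get a random server-chosen name, and creation uses O_EXCL so a repeated name never overwrites an existing file. The upload root, the size limit and the helper names are assumptions.

```python
import os
import secrets
import tempfile

MAX_BYTES = 5 * 1024 * 1024  # constructed size limit for the example

def resolve_within(root, user_name):
    """Resolve user_name under root; return None if it would escape root
    (e.g. ../../shell.php or an absolute path), is root itself, or carries a null byte."""
    if "\x00" in user_name:
        return None
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def write_exclusive(path, data):
    """Create the file only if it does not already exist (O_EXCL); return
    False instead of overwriting, so a repeated name cannot replace a file."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True

def store_upload(root, ext, data):
    """Store data under a random server-chosen name; the client's filename is
    never used. root is expected to lie outside the web root."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    for _ in range(3):  # retry on the negligible chance of a name collision
        path = os.path.join(root, "%s.%s" % (secrets.token_hex(16), ext))
        if write_exclusive(path, data):
            return path
    raise RuntimeError("could not allocate a unique name")

def demo():
    """Round trip in a throwaway directory: (stored inside root, overwrite refused, bytes intact)."""
    with tempfile.TemporaryDirectory() as root:
        path = store_upload(root, "png", b"\x89PNG\r\n\x1a\n")
        inside = resolve_within(root, os.path.basename(path)) == os.path.realpath(path)
        refused = not write_exclusive(path, b"replaced")
        with open(path, "rb") as fh:
            intact = fh.read() == b"\x89PNG\r\n\x1a\n"
        return inside, refused, intact
```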



Secure File Upload Best Practices for Developers 🛡️

If you're building secure web apps, follow these rules:
  • Use allow-list instead of block-list
  • Restrict file extensions
  • Enforce size limits
  • Rename uploaded files
  • Scan uploads with antivirus
  • Store outside public directory
  • Set correct permissions
  • Log upload activity
Never trust user input - including files.



Common File Upload Vulnerabilities 🔥

During penetration testing, look for:
  • Unrestricted File Upload
  • RCE via web shell
  • Stored XSS via HTML upload
  • Path traversal
  • File overwrite
  • Insecure direct object references
These are common in bug bounty programs.



Final Thoughts 🎯

File upload functionality is one of the most critical attack surfaces in web applications. Whether you're a penetration tester, ethical hacker, or developer, understanding file upload security is essential.
Always test responsibly in authorized environments only.
Mastering file upload testing will significantly improve your web application security assessment skills 🔐💻
 