📌 What is a File Upload Vulnerability?

A file upload vulnerability arises when an application improperly validates user-uploaded files, allowing attackers to upload malicious files. This can lead to data leaks, system compromise, or even complete server takeover.

🚪 Bypass Techniques for File Upload Protections

1. No Restrictions

Legacy systems may allow any file type. Attackers can directly upload a web shell such as:

<?php echo system($_GET['cmd']); ?>

2. Client-Side Validation Bypass

Using tools like BurpSuite, attackers can modify HTTP requests to change file types and bypass HTML validations like accept="image/*".

3. Extension Blacklist Bypass

• PHP: .php, .php5, .phtml, .phar
• ASP: .asp, .aspx
• JSP: .jsp, .jspx

4. Whitelist Bypass

• Double extensions: shell.php.jpg
• Case manipulation: shell.PHp
• Null byte injection: shell.php%00.png

5. MIME Type Spoofing

By modifying the Content-Type header, an attacker can trick the server into accepting malicious files.

6. Magic Bytes Trick

Files are crafted with the correct magic bytes (e.g., PNG signature) followed by malicious code.

7. File Overwrite

Using path traversal, attackers can overwrite sensitive files such as .htaccess.

💣 Potential Attacks via File Upload

• Metadata Leakage: Exfiltration via EXIF, GPS, or document metadata.
• CSV Injection: Commands injected into spreadsheets via =cmd|' /C calc'!A0.
• Open Redirect: Uploaded files redirecting to malicious websites.
• File Overwrite: Overwriting core files to alter server behavior.
• Path Traversal: ../../../../etc/passwd to escape upload directories.
• Server-Side Injection: Injecting SQL or command strings inside files.
• XSS: Scripts inside SVG or HTML files causing JavaScript execution.
• XXE: Malicious XML files reading local files or making network requests.
• SSRF: File uploads that force server to make internal HTTP requests.
• Large File DoS: Uploading massive files to exhaust server resources.
• Pixel Flood: Over-sized images crashing image processing libraries.
• ImageTragick: RCE via ImageMagick with crafted .mvg files.
• Remote Code Execution: Uploading and executing server-side scripts.
• Malware Upload: Files carrying viruses, ransomware, or worms.
• Zip Slip: Archive files with directory traversal on extraction.

✅ Mitigation Techniques

• Use strict extension and MIME whitelisting
• Inspect file magic bytes and content type
• Rename uploaded files and remove dangerous metadata
• Upload to a non-executable folder
• Limit file size and number of uploads
• Disable script execution in upload directories
• Use external antivirus and sandbox scanning
• Restrict file parsing libraries to safe formats only