Systematic Approach to Identifying and Mitigating Upload-Based Risks
Byline:
By N0aziXss | Security Researcher | HackerOne & BugCrowd Validated
Introduction:
Why File Upload Testing Matters File upload is one of the most frequently attacked functionalities in web applications. Profile pictures, document attachments, CSV imports β every upload point is a potential gateway.
The Reality:
Β· Upload vulnerabilities consistently rank in OWASP Top 10 Β· They often lead to full server compromise Β· Most implementations contain at least one flaw Β· Testing requires methodology, not just tools
This Methodology Covers:
β Mapping upload attack surface
β Testing validation logic systematically
β Identifying configuration weaknesses
β Documenting findings professionally
β Implementing effective fixesPhase 1: Reconnaissance β Know Your Target Step 1.1: Map All Upload Points
# Common upload locations to investigate
POST /upload
POST /file-upload
POST /api/v1/media
POST /profile/image
POST /documents/import
POST /attachments/add
# Look for
- Profile/avatar changes
- Ticket/file attachments
- CSV/Excel imports
- Content management systems
- Form buildersStep 1.2: Understand the Technology Stack
# Identify server technology from responses
$ curl -I https://target.com/upload
Server: Apache β .htaccess testing possible
Server: nginx β configuration review
X-Powered-By: PHP β PHP-specific behaviors
X-AspNet-Version β ASP.NET patternsStep 1.3: Analyze Upload Flow
1. How is file sent? (multipart/form-data, JSON base64, etc.)
2. What validation happens client-side?
3. Where is file stored? (local, cloud, CDN)
4. How is file accessed? (direct URL, script, authenticated)
5. Is filename preserved or renamed?Phase 2: Client-Side Control Testing Step 2.1: Bypass HTML Restrictions
<! - Test 1: Modify accept attribute β
<input type="file" accept="image/*">
β Change to accept="*/*" via DevTools
<! - Test 2: Remove disabled/readonly β
<input type="file" disabled>
β Remove disabled attribute
<! - Test 3: Intercept and modify request β
All client-side controls are informational only
Server must enforce all restrictionsStep 2.2: Test Filename Handling
# Test Cases - Observe Server Behavior
test.jpg # Baseline
TEST.JPG # Case sensitivity
test.jpeg # Alternative extension
test. # Trailing dot
test.jpg # Trailing space
test.jpg/ # Trailing slash
test.jpg; # Trailing semicolon
# What to Document:
- Does server rename files?
- Are special characters stripped?
- Is case preserved?
- Are spaces handled safely?Step 2.3: Content-Type Manipulation Tests
# Send same file with different Content-Type headers
Content-Type: image/jpeg
Content-Type: image/png
Content-Type: application/octet-stream
Content-Type: multipart/form-data
Content-Type: text/plain
# Document which Content-Type values are acceptedPhase 3: Server-Side Validation Testing Step 3.1: Extension Validation Logic
# Systematic Extension Testing Matrix
βββββββββββββββββββ¬ββββββββββββββββββ¬ββββββββββββββββββ
β Category β Test Values β Expected β
βββββββββββββββββββΌββββββββββββββββββΌββββββββββββββββββ€
β Baseline β test.jpg β 200 OK β
βββββββββββββββββββΌββββββββββββββββββΌββββββββββββββββββ€
β Double Ext β test.php.jpg β Should reject β
β β test.asp.png β β
βββββββββββββββββββΌββββββββββββββββββΌββββββββββββββββββ€
β Case Manipulate β test.pHp β Should reject β
β β test.PhP β β
βββββββββββββββββββΌββββββββββββββββββΌββββββββββββββββββ€
β Special Chars β test.php;.jpg β Should reject β
β β test.php..jpg β β
βββββββββββββββββββΌββββββββββββββββββΌββββββββββββββββββ€
β Alternative β test.php5 β Should reject β
β β test.phtml β β
βββββββββββββββββββ΄ββββββββββββββββββ΄ββββββββββββββββββ
What to Look For:
β Server rejects dangerous extensions
β Error messages don't reveal validation logic
β Consistent behavior across all upload pointsStep 3.2: Content Validation Testing
# File Content Testing Approach
1. Valid file with correct signature:
- Upload genuine JPG/PNG/PDF
- Verify successful upload
2. Valid signature, dangerous content:
- Take valid JPG
- Keep JPG header, add test content
- Document server response
3. Invalid/missing signature:
- Remove file headers
- Send partial/corrupted files
- Observe error handling
4. Empty files:
- 0-byte files
- Whitespace-only files
- Check how server respondsStep 3.3: Size and Quantity Limits
# Test Parameters
File Size Testing:
- 1 byte (minimum)
- 1 KB (typical small)
- 1 MB (typical limit)
- 10 MB (large)
- 100 MB (very large)
- 1 GB (extreme)
Concurrent Uploads:
- 1 file (baseline)
- 5 files (moderate)
- 20 files (high)
- 100+ files (stress)
Rate Limiting:
- Upload frequency
- Per-IP limits
- Per-session limits
- Account-based limitsPhase 4: Storage and Access Testing Step 4.1: Discover Storage Locations
# Common Upload Directories
Predictable paths to test:
/uploads/
/files/
/media/
/static/uploads/
/content/uploads/
/images/profile/
/attachments/
/storage/
/assets/
# How to discover:
1. Analyze response bodies for paths
2. Check JavaScript files for endpoints
3. Review network traffic
4. Test common directory namesStep 4.2: Test Direct Access
# After successful upload, test:
1. Direct URL access:
GET /uploads/filename.jpg
2. Authenticated vs unauthenticated:
- Access with session
- Access without session
- Access with different user
3. Path traversal attempts:
GET /uploads/../config.php
GET /uploads/..%2f..%2fetc/passwd
4. Forced browsing:
- Increment filenames (1.jpg, 2.jpg)
- Predictable patterns (timestamp_1.jpg)Step 4.3: File Deletion and Overwrite
# Test Cases
Overwrite Testing:
1. Upload file1.jpg β success
2. Upload same filename again
3. Does server overwrite or create new?
Deletion Testing:
1. Upload file
2. Delete via application
3. Is file actually removed from storage?
4. Can deleted file still be accessed?
Temporary Files:
1. Upload large file
2. Cancel mid-upload
3. Check for partial/temp files left behindPhase 5: Configuration Weakness Testing Step 5.1: Server Configuration Review
# What to Test
Apache:
- Is .htaccess honored in upload directories?
- Can .htaccess files be uploaded?
- Directory indexing enabled?
Nginx:
- Try to upload nginx.conf
- Test for alias traversal
- Check try_files behavior
IIS:
- web.config upload attempts
- ASP.NET request filtering
- Handler mappings
Cloud Storage:
- Public read/write permissions
- Bucket policy misconfigurations
- Object versioningStep 5.2: Metadata Handling
# Information Disclosure Through Metadata
Test uploading files with:
- Long filenames (500+ characters)
- Unicode/UTF-8 characters
- Emoji in filename
- Newlines in filename
- Path separators in filename
Document:
- How are filenames displayed?
- Is there reflected XSS in filename?
- Are filenames used in HTML without encoding?
- Is metadata stripped or preserved?Phase 6: Vulnerability Chaining Step 6.1: Common Exploitation Chains
Chain 1: Upload β Stored XSS
βββ Upload SVG with embedded script
βββ Upload HTML file
βββ Upload file with XSS in filename
βββ Access file triggers JavaScript
Chain 2: Upload β Path Traversal
βββ Upload with zip/tar
βββ Contains ../../ paths
βββ Extraction writes outside target dir
βββ Overwrite sensitive files
Chain 3: Upload β SQL Injection
βββ Filename contains SQL payload
βββ Filename stored in database
βββ Unsafe query construction
βββ Payload executes in DB
Chain 4: Upload β SSRF
βββ Upload profile from URL feature
βββ Supply internal IP addresses
βββ Server fetches from internal network
βββ Access cloud metadata servicesStep 6.2: Business Logic Flaws
# Test These Scenarios
1. Privilege Escalation:
- Upload as low-privilege user
- Access file as admin/higher privilege
- Does access control fail?
2. Quota Bypass:
- Fill storage quota
- Find alternative upload paths
- Bypass per-user limits
3. Content Spoofing:
- Upload PDF with malicious links
- Upload document with credential forms
- Social engineering potential
4. Cache Poisoning:
- Upload file with version parameter
- Manipulate caching headers
- Serve old contentPhase 7: Documentation and Reporting Step 7.1: Finding Documentation Template
# File Upload Vulnerability Finding
Title: [Brief description of issue]
Affected Endpoint: [URL]
Risk Level: [Critical/High/Medium/Low]
Description:
[Clear explanation of the vulnerability]
Steps to Reproduce:
1. Navigate to [endpoint]
2. Upload [file type] with [specific characteristic]
3. Observe [unexpected behavior]
4. Access file at [location]
Impact:
[What attacker can achieve]
Proof of Concept:
[Request/response excerpts, screenshots]
Remediation:
[Specific fix recommendations]
References:
[OWASP, CWE, relevant resources]Step 7.2: Severity Assessment Guide
# Risk Rating Criteria
CRITICAL (9.0β10.0)
βββ Remote Code Execution
βββ Unauthenticated file write
βββ Full server compromise
βββ No user interaction required
HIGH (7.0β8.9)
βββ Stored XSS with admin impact
βββ Path traversal with sensitive file read
βββ Privilege escalation via uploaded file
βββ Authenticated RCE
MEDIUM (4.0β6.9)
βββ Stored XSS (non-admin)
βββ Information disclosure
βββ DOS via large files
βββ Metadata exposure
LOW (0.1β3.9)
βββ Filename reflection
βββ Missing security headers
βββ Temporary file exposure
βββ Informational findingsPhase 8: Remediation Verification Step 8.1: Testing Fixed Implementations
# Verification Checklist
β‘ Extension whitelist implemented?
- Only allow required extensions
- Compare against list, not block dangerous
- Case-sensitive comparison
β‘ Content validation active?
- Verify actual file content
- Don't trust Content-Type header
- Use server-side libraries
β‘ Filename sanitized?
- Random rename or
- Strip all dangerous characters
- No user-controlled path segments
β‘ Storage secured?
- Outside webroot
- Non-executable permissions
- Separate domain/CDN
β‘ Access controlled?
- Authentication required
- Authorization checks
- Signed URLs for temporary access
β‘ Logging enabled?
- All upload attempts logged
- Failed validations recorded
- Access patterns monitoredStep 8.2: Regression Testing
# Re-test After Fixes
1. All previously successful bypass attempts:
- Should now be rejected
- With appropriate error messages
- No information leakage
2. Legitimate functionality:
- Valid files still work
- Performance not degraded
- User experience preserved
3. Edge cases:
- Unicode filenames
- Very large files
- Concurrent uploads
- Network interruptionsMethodology Summary Complete Testing Workflow
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β START HERE β
β Map all upload endpoints β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 1: RECONNAISSANCE β
β β’ Identify upload points β
β β’ Fingerprint technology β
β β’ Understand upload flow β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 2: CLIENT-SIDE β
β β’ Bypass HTML restrictions β
β β’ Test filename handling β
β β’ Manipulate Content-Type β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 3: SERVER-SIDE β
β β’ Extension validation logic β
β β’ Content validation β
β β’ Size and quantity limits β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 4: STORAGE & ACCESS β
β β’ Discover storage locations β
β β’ Test direct access β
β β’ File operations (overwrite, delete) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 5: CONFIGURATION β
β β’ Server configuration review β
β β’ Metadata handling β
β β’ Cloud storage misconfigurations β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 6: CHAINING β
β β’ XSS vectors β
β β’ Path traversal β
β β’ Business logic flaws β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 7: DOCUMENTATION β
β β’ Clear finding descriptions β
β β’ Reproducible steps β
β β’ Risk-based prioritization β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 8: VERIFICATION β
β β’ Test remediated implementation β
β β’ Regression testing β
β β’ Sign-off criteria β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β COMPLETE β
β Document and communicate β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββSecure Implementation Guidelines For Development Teams
β
DO:
β’ Whitelist allowed extensions
β’ Validate file content, not just headers
β’ Rename files randomly on server
β’ Store files outside webroot
β’ Serve files through proxy scripts
β’ Implement per-user quotas
β’ Log all upload attempts
β’ Scan files with AV before storage
β DON'T:
β’ Trust client-side validation
β’ Use blacklist approaches
β’ Store files with user-supplied names
β’ Allow execution in upload directories
β’ Expose direct file paths
β’ Forget about file deletionConclusion Key Takeaways for Testers
1. File upload testing requires systematic methodology
2. Client-side controls are irrelevant - test server logic
3. Extension validation must be whitelist-based
4. Storage location and access are equally important
5. Chain with other vulnerabilities for maximum impact
6. Document clearly with reproducible steps
7. Verify fixes through regression testingKey Takeaways for Defenders
1. Assume all uploads are malicious
2. Implement defense in depth
3. Whitelist is the only valid approach
4. Rename everything, trust nothing
5. Monitor and log extensively
6. Test your own implementations regularly
7. Stay updated on new bypass techniquesCall to Action:
Developers: Implement strict input validation Researchers: Always redact sensitive information in reports Organizations: Value ethical security research
About the Author
N0aziXss is an experienced security researcher specializing in web application security and bug bounty hunting, with multiple validated discoveries across various platforms.