This serves as a checklist of things to think about. Some items may need more research and are technology dependent, but it's a good starting point.

1. Entry Points

  • Identify all upload features (GUI, API, PUT, URL-based uploads)
  • Test authenticated and unauthenticated uploads
  • Send OPTIONS to detect PUT / PATCH support

2. File Type Validation

  • Upload executable files (.php, .jsp, .asp, .aspx, .py)
  • Try alternate extensions (e.g. .php5)
  • Modify Content-Type header
  • Verify server checks content, not just extension or Content-Type

3. Extension Obfuscation

  • Double extensions (shell.php.jpg)
  • Case variations (shell.pHp)
  • Trailing characters (shell.php.)
  • URL encoding / double encoding (shell%2e.php)
  • Null bytes / semicolons (shell.php%00.jpg, shell.php;.jpg)
  • Recursive stripping bypass (shell.p.phphp)

4. File Content Checks

  • Non-image content labelled as image
  • Polyglot files (image + script in metadata)

5. Filename Handling

  • Directory traversal (../, %2e%2e%2f)
  • Overwrite existing files
  • Absolute / relative path injection
  • Confirm filenames are randomised

6. Storage & Execution

  • Identify upload directory
  • Attempt upload to unexpected directories
  • Upload .htaccess / web.config
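The checks in sections 2 to 6 (content, not just extension or Content-Type; no obfuscated extensions; no traversal; randomised filenames) can be expressed as one server-side validator. The following is an added example written for this checklist, not code from any project it refers to; the allow-list, the size limit and the endpoint it would sit behind are assumptions.

```python
import secrets

# Allow-list for this hypothetical endpoint: final extension ->
# (Content-Type it must declare, magic-byte prefixes the body must start with).
ALLOWED = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for this example

class UploadRejected(ValueError):
    """Raised with a short reason whenever a check fails."""

def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Check a client upload; return the randomised server-side name to store it under."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized body")
    # Null bytes, semicolons and path separators are the raw material of the
    # obfuscation tricks (shell.php%00.jpg, shell.php;.jpg, ../) and are never legitimate.
    if any(ch in filename for ch in ("\x00", ";", "/", "\\")):
        raise UploadRejected("forbidden character in filename")
    # Reject dotfiles (.htaccess), trailing dots or spaces (shell.php.) and names with no extension.
    if filename.startswith(".") or filename != filename.strip().rstrip(".") or "." not in filename:
        raise UploadRejected("malformed filename")
    # Only the *last* extension counts, lower-cased: shell.php.jpg -> jpg, shell.pHp -> php,
    # shell.p.phphp -> phphp. Nothing is stripped or rewritten, so there is nothing to bypass.
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    expected_type, magics = ALLOWED[ext]
    # Content-Type is attacker-controlled: require it to agree with the extension ...
    if content_type.split(";", 1)[0].strip().lower() != expected_type:
        raise UploadRejected("Content-Type does not match extension")
    # ... and then verify the bytes themselves rather than trusting either header.
    if not data.startswith(magics):
        raise UploadRejected("file content does not match declared type")
    # The client name is never used on disk, so traversal and overwrite attempts have
    # nothing to act on; the stored name is random, unpredictable and carries a safe extension.
    return f"{secrets.token_hex(16)}.{ext}"

def is_accepted(filename: str, content_type: str, data: bytes) -> bool:
    """True/False wrapper around validate_upload for callers that do not need the reason."""
    try:
        validate_upload(filename, content_type, data)
        return True
    except UploadRejected:
        return False
```

A magic-byte check does not detect a polyglot (a valid image carrying script in its metadata); what neutralises that case is the random name with a non-script extension, stored in a directory the web server will not execute from.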

7. Size & DoS

  • Upload oversized files
  • Flood storage with multiple uploads

8. Race Conditions

  • Try to get the server to access the file before validation completes
  • Test temporary file locations
  • URL-based upload timing attacks
  • Brute-force predictable temp names

9. Client-Side Attacks

  • Upload HTML / SVG with JavaScript
  • Stored XSS via uploads
  • Check whether uploaded files are served from the application's origin (same-origin policy)

10. File Parsing Attacks

  • XML / Office files for XXE
  • Parser crashes or external requests

11. PUT Uploads

  • Upload files via PUT
  • Test execution and access controls