File Upload Vulnerability
A file upload vulnerability occurs when a web application allows users to upload files without adequately validating file type, content, size, or storage location. Attackers can exploit this to upload malicious files such as web shells, malware, or content that triggers other vulnerabilities.
File upload functionality is a common feature in web applications, used for profile pictures, document submissions, and content management. However, insecure implementations can create severe security risks. The most dangerous outcome is remote code execution, where an attacker uploads a web shell or server-side script that the web server then executes. This requires the file to land in a location, and with an extension, for which the server has a script handler configured, which is why where and under what name an upload is stored matters as much as what it contains.
There are multiple attack vectors through file uploads. Attackers may upload executable files (PHP, JSP, ASPX) disguised with tricks such as double extensions (shell.php.jpg), case variants (shell.PhP), alternative extensions the server also executes (such as .phtml for PHP), embedded null bytes that truncate the name in some components, or a forged Content-Type header, which is entirely under the client's control. Files containing embedded malicious code, such as polyglot files that are valid in multiple formats at once (for example a file that begins with a valid GIF header and continues with PHP code), can pass magic-byte and even image-library checks while still carrying a server-side payload. Oversized files can exhaust disk or memory and cause denial of service, and specially crafted filenames can trigger path traversal (writing outside the intended directory via ../ sequences) or injection when the name is reflected into HTML, logs, or shell commands.
Even when direct execution is not possible, uploaded files can serve as vectors for stored XSS (an SVG or HTML file containing JavaScript executes in the application's origin when the browser renders it inline from the same domain), social engineering (distributing malware from a trusted domain), or server-side processing vulnerabilities (such as XXE through uploaded XML or DOCX files, which are XML inside a ZIP container, when the server parses them with external entities enabled).
Comprehensive file upload security requires several layers, because no single check is sufficient. Validate the file extension against a short allowlist of what the feature actually needs, taken from the last extension of the final path component of the name. Verify that the file content matches the expected type by inspecting magic bytes or decoding the file, and never trust the Content-Type header. Store uploaded files outside the web root, or on a separate domain, in a directory where script execution is disabled, and rename them with random identifiers so the attacker's filename is never used on disk or in a URL. Enforce file size limits before reading the whole body, scan uploads with antivirus software, and strip or sanitise metadata; for images, re-encoding the file with an image library both removes metadata and destroys polyglot payloads. When serving files back, send a server-chosen Content-Type, Content-Disposition: attachment, and X-Content-Type-Options: nosniff so browsers neither render the file inline nor sniff it into a different type. Serving files through a CDN or separate download domain adds an additional layer of isolation, since any script that does run there has no access to the application's cookies or origin.