====== File Upload Testing ======

File uploads are often filtered on extension, content-type, magic bytes, or image dimensions. Test each layer separately.

===== Extension Tricks =====

<code>
shell.php/.jpg            # server may strip after slash
shell.html%0d%0a.jpg      # newline truncation
.txt, .svg, .xml          # often forgotten in filters
shell.php5, shell.phtml   # alternate PHP extensions
</code>

===== Content-Type Manipulation =====

  * Filename ''.jpg'' but Content-Type ''text/html''
  * No filename or no extension -- check what the server defaults to
  * Keep image magic bytes (''\xff\xd8\xff'') at start but append PHP/HTML after
  * Polyglot files -- simultaneously valid image and valid HTML/PHP

===== XSS in Filenames =====

<code>
58832_300x300.jpg
">.jpg
</code>

===== What to Check =====

  * **Where are uploaded files stored?** Same domain? CDN? Check the CSP header
  * **What validation is in place?** Extension, content-type, magic bytes, image dimensions
  * **Is there a virus scanner?** Can you bypass it with a polyglot?
  * **Is the upload endpoint authenticated?** Try uploading unauthenticated

===== SVG XSS =====

SVG files are XML and support JavaScript event handlers:

===== Escalation =====

  * SVG upload on same domain = XSS
  * Unrestricted file type = webshell if server executes
  * XSS in filename reflected in admin upload logs = blind XSS
  * SSRF via SVG: ''''

===== See Also =====

  * [[zseano:xss|XSS Testing]]
  * [[zseano:ssrf|SSRF Testing]]
  * [[tbhm:07_file_upload|TBHM File Upload]]
  * [[zseano:start|Methodology Index]]
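===== Defensive Check: Upload Validation =====

The sections above (Extension Tricks, Content-Type Manipulation, XSS in Filenames, What to Check) each describe one validation layer that a filter commonly gets wrong. The validator below is an added example, not code from this wiki or from any project it references; it shows what a server-side check looks like when every layer is applied in order and the stored name is never taken from the user. The allow-list, the ''SAFE_BASE'' character set, the ''SUSPICIOUS'' marker list and the sample image bytes are constructed for the example and are assumptions, not a standard.

```python
import hashlib
import re

# Constructed policy for this example: extension -> (expected Content-Type,
# accepted magic-byte prefixes, required trailer marking the end of the image).
ALLOWED = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",),       b"\xff\xd9"),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",),       b"\xff\xd9"),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",),  b"\x00\x00\x00\x00IEND\xaeB`\x82"),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a"),   b"\x3b"),
}

# Base name may contain only these characters; quotes, angle brackets and
# anything else that could be reflected into HTML are rejected outright.
SAFE_BASE = re.compile(r"^[A-Za-z0-9 _()-]{1,64}$")

# Cheap secondary check for markup appended to or embedded in a valid image.
SUSPICIOUS = (b"<?php", b"<script", b"<svg", b"<html", b"<?xml")

# Constructed minimal image-shaped byte strings used as sample input.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"\x00\x00\x00\x00IEND\xaeB`\x82"


def validate_upload(filename, content_type, data):
    """Return (accepted, reason, stored_name); stored_name is None on rejection."""
    # Layer 1: the filename. Control characters, separators and percent signs are
    # rejected before the extension is even looked at, so truncation tricks
    # (embedded slash, CR/LF, %0d%0a) never reach the allow-list comparison.
    if not filename or any(ord(c) < 32 or c in "/\\%\x7f" for c in filename):
        return False, "filename contains control or separator characters", None
    if "." not in filename:
        return False, "no extension", None
    base, ext = filename.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed", None
    if not SAFE_BASE.match(base):
        return False, "base name contains disallowed characters", None
    expected_type, magics, trailer = ALLOWED[ext]

    # Layer 2: the declared Content-Type must agree with the extension.
    declared = (content_type or "").split(";")[0].strip().lower()
    if declared != expected_type:
        return False, f"content-type {declared!r} does not match .{ext}", None

    # Layer 3: magic bytes must match the format the extension claims.
    if not data.startswith(magics):
        return False, "magic bytes do not match extension", None

    # Layer 4: the file must end with the format's terminator, so bytes appended
    # after a complete image (the usual polyglot shape) are rejected, and
    # obvious markup anywhere in the body is rejected as well.
    if not data.endswith(trailer):
        return False, "trailing data after image terminator", None
    if any(marker in data.lower() for marker in SUSPICIOUS):
        return False, "embedded markup detected", None

    # Never store under the user-supplied name: derive it from the content and
    # the validated extension. That removes filename XSS and path tricks entirely.
    stored = hashlib.sha256(data).hexdigest()[:16] + "." + ext
    return True, "ok", stored


if __name__ == "__main__":
    for name in ("58832_300x300.jpg", "shell.php/.jpg", "shell.html%0d%0a.jpg",
                 "shell.phtml", '">.jpg'):
        print(f"{name!r:28} -> {validate_upload(name, 'image/jpeg', SAMPLE_JPEG)[:2]}")
```

The trailer check is a heuristic: it catches data appended after a complete image but not a payload placed inside the image structure, which is why the marker scan is there too and why re-encoding the image server-side (decode, then write a fresh file) is the stronger control. Whatever passes, serve it from a separate origin with ''X-Content-Type-Options: nosniff'' so a browser never sniffs a stored file into HTML on the application's own domain.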
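===== Defensive Check: SVG Inspection =====

The SVG XSS and Escalation sections note that SVG is XML, carries JavaScript event handlers, and can reference external resources. The inspector below is an added example written for this page, not code from the wiki or from any tool it links to; it parses an uploaded SVG with the standard library and lists every reason it should not be served inline: event-handler attributes, script and foreign-content elements, any ''href''/''src'' that does not point at a fragment of the same document, CSS that pulls in resources, and any DOCTYPE or entity declaration. The element and attribute sets are a deliberately conservative policy chosen for the example, not a standard; the sample documents in the ''__main__'' block are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed foreign/external content. A static
# image never needs them, so the policy here (an assumption) refuses all of them.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}

# Attributes that name a resource the renderer would fetch or navigate to.
URL_ATTRS = {"href", "src"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _css_loads_resources(css):
    return "url(" in css.lower() or "@import" in css.lower()


def svg_findings(data):
    """Return reasons this SVG must not be served inline; an empty list means clean."""
    findings = []
    text = data.decode("utf-8", errors="replace")
    # Refuse DOCTYPE/ENTITY declarations before parsing: external entities are
    # the XXE/SSRF vector, and expat would otherwise silently expand internal ones.
    if re.search(r"<!DOCTYPE|<!ENTITY", text, re.IGNORECASE):
        findings.append("DOCTYPE/ENTITY declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"<{tag}> element")
        # <style> bodies get the same check as style attributes below
        if tag == "style" and el.text and _css_loads_resources(el.text):
            findings.append("external resource in <style> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            v = value.strip().lower()
            # on* attributes are the event-handler XSS vector
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            # href / xlink:href / src may only reference a fragment of this document
            if name in URL_ATTRS and v and not v.startswith("#"):
                findings.append(f"non-local reference in {name} on <{tag}>: {value[:40]}")
            if name == "style" and _css_loads_resources(v):
                findings.append(f"external resource in style attribute on <{tag}>")
            # <set>/<animate> can rewrite href at runtime, so check their target values
            target = el.attrib.get("attributeName", "").lower()
            if name in ("to", "from", "values") and target.endswith("href"):
                if v and not v.startswith("#"):
                    findings.append(f"animated href on <{tag}> points outside the document")
    return findings


def svg_is_safe(data):
    return not svg_findings(data)


if __name__ == "__main__":
    # Constructed sample documents.
    samples = {
        "clean":   b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/><use href="#a"/></svg>',
        "handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>',
        "remote":  b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                   b'<image xlink:href="http://internal.example/x.png"/></svg>',
    }
    for label, doc in samples.items():
        print(f"{label:8} -> {svg_findings(doc) or 'clean'}")
```

Rejecting every DOCTYPE also rejects the harmless ''<!DOCTYPE svg PUBLIC ...>'' header that some editors emit; that is the intended trade-off for an upload endpoint, and an inspector that passes a file still does not make inline serving safe. The controls that do are serving user SVGs from a separate origin, or with ''Content-Disposition: attachment'', or rasterising them to PNG server-side, with the upload origin's CSP checked as the What to Check section says.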