Let's talk about file uploads - In modern web apps users can share their photos, upload their resumes, or post videos of their latest projects. Pretty much every app needs this nowadays, but it's not as simple as just accepting whatever files come your way. You've got to think about security and make sure no one uploads anything sketchy that could harm your app or other users.
At Audacix, this is one of the most common vulnerabilities we encounter when we look at findings from Cyber Chief automated scans and manual web app penetration tests.
File Upload Vulnerabilities
File upload vulnerabilities occur when a web application fails to properly validate and handle file uploads, allowing attackers to make malicious file uploads or malicious files.
These vulnerabilities can enable remote code execution, file overwriting, and denial-of-service attacks.
File upload attacks are common and can be exploited by attackers to write arbitrary files to gain control of a vulnerable web server.
Types of File Upload Vulnerabilities
There are 5 main types of file upload vulnerabilities that you need to protect against in your web and mobile apps. Unfortunately, it's not good enough to just protect against one or two of these attack vectors. If you're going to build defences against one type, you should build defences against all of them.
Unrestricted File Types
Accepting dangerous file extensions (.php, .exe)
Missing or weak MIME type validation
Allowing executable content
Storage Vulnerabilities
Files stored in webroot
Insufficient access controls
Path traversal in storage locations
Processing Flaws
Buffer overflows in parsing
XML external entity attacks
Image processing vulnerabilities
Content Validation Issues
Malicious code in metadata
Polyglot files (file serves multiple purposes)
Missing antivirus scanning
Access Control Problems
Missing authentication
Insufficient authorization
CSRF vulnerabilities in upload forms
How attackers exploit file upload vulnerabilities
Attackers exploit the file uploader vulnerabilities through several key methods:
Extension Manipulation
Uploading
.php.jpgor.asp;.jpgimage files to bypass filtersUsing uppercase/lowercase variations like
.pHpAdding null bytes to truncate extensions in uploaded file:
malicious.php%00.jpg
Content-TypeSpoofing
Modifying request headers to make malicious files appear legitimate
Example: Sending PHP script with
image/jpegContent-Type
File Content Attacks
Embedding malicious code in seemingly innocent uploaded files
Adding PHP code to valid image metadata
Using polyglot files that function as both images and scripts
Server-side Processing Flaws
Exploiting vulnerabilities in image processing libraries
Triggering buffer overflows with malformed uploaded files
Using ZIP bombs to cause denial of service
Path Traversal
Using
../sequences to write files outside intended directoriesExploiting weak filename sanitisation
Overwriting critical system files
File Execution
Uploading web shells for remote system access
Using .htaccess files to change server configurations
Executing stored XSS via SVG or HTML files.
Uploading malicious client-side scripts
Even if you prevent malicious scripts on the server, hackers may still be able to upload scripts for client-side attacks. For example, if your application allows uploading HTML files or SVG images, hackers can potentially use <script> tags to create stored XSS payloads.
If the uploaded file then appears on a page that is visited by other users, their browser will execute the script when it tries to call php file to render the page. Note that due to same-origin policy restrictions, these kinds of attacks will only work if the uploaded file is served from the same origin to which you upload it.
Before we dive into the technical stuff, there are some important fundamentals you need to know...
Key file upload security principles
First, lock down what files you'll accept. If your app only needs PDFs and images, don't allow anything else - it's just asking for trouble. But before you even check file extensions: Make sure you've vetted all user input. This means checking everything that comes with that file upload request, not just the file upload functionality itself.
Don't trust what the file claims to be. Just because something says it's a JPEG in its Content-Type header doesn't make it true - attackers love to disguise malicious files this way.
Take control of filenames. Generate your own using your app rather than keeping whatever name the user gave it. While you're at it, set some sensible limits on filename length and stick to simple characters.
Keep your files in check with size limits. Nobody needs to upload a 2GB profile picture, right?
Put some guardrails around who can have unrestricted file uploads. Not every user needs upload privileges - limit this to authenticated users who actually need this feature.
Think carefully about where you store these sensitive files too. Ideally, put them on a separate server. If that's not possible, at least keep them away from your website's main directory. For public files, don't expose the actual file path - use an internal mapping system instead (like turning file123 into the real user_photo.jpg behind the scenes).
Add extra security checks to file upload process if you can. Run uploads through antivirus software or a sandbox environment. For documents like PDFs or Word files, use CDR (Content Disarm & Reconstruct) to strip out potentially dangerous elements while keeping the content intact.
Keep your tools sharp - make sure any libraries handling file uploads are configured properly and updated regularly.
Protect against CSRF attacks. You don't want attackers hijacking legitimate users' sessions to get sensitive data and upload malicious files.
How to prevent file upload vulnerabilities?
Defense in depth is essential for file upload security - no single file signature validation or method is bulletproof. A robust upload system needs multiple security layers working together, each addressing different attack vectors while aligning with your service's specific requirements.
Secure File Upload Best Practices
Extension Validation
Check file extensions after decoding filenames
Watch for bypass attempts like double extensions, eg.
.jpg.phpand null bytes, eg..php%00.jpgUse proven validation libraries instead of custom regex
Allowed Extensions
Only permit business-critical file types
For images: stick to one agreed-upon format
For documents: limit to essential types like image files (e.g., PDF, DOCX,JPG)
Content Validation
Don't trust user-provided Content-Type headers
Verify file signatures match claimed types
Use whitelisting over blacklisting
Process files based on type:
Rewrite images to remove hidden malicious code
Use Apache POI for Microsoft documents
Avoid ZIP files due to security risks
Filename Security
Generate random names (UUID/GUID) when possible
If keeping user filenames:
Limit length
Allow only alphanumeric, hyphens, spaces, periods
Block hidden files (leading periods) and traversal attempts
Prevent leading hyphens/spaces
Storage Security
Preferably store on separate host
Keep files outside webroot
If in webroot: limit write permissions
Consider database storage only with DBA oversight
Access Controls
Require authentication for uploads
Implement proper authorization
Set restrictive filesystem permissions
Enforce upload/download size limits
Protect against zip bombs when extracting files
Review Process
Enable reporting of illegal/malicious content
Consider manual review in sandbox environment
Use automated scanning (e.g., VirusTotal APIs)
Validate raw content types
Use Input Validation to help combat file upload vulnerabilities
Input validation is also important to prevent file upload vulnerabilities by ensuring that only files meeting specific safety criteria are accepted by the system. It begins by checking the file type to confirm that it matches expected formats, such as only allowing image files or documents, and rejecting potentially dangerous types like executables.
File size should also be validated to prevent Denial of Service (DoS) attacks from overwhelming the server with excessively large files. Furthermore, inspecting the contents of renamed uploaded files, rather than relying solely on their file extension, can help detect malicious code embedded within seemingly harmless files. Additionally, implementing restrictions on file names, such as disallowing special characters or excessively long names, can prevent directory traversal attacks and other exploits aimed at gaining unauthorised access to the server's file system.
How to find file upload vulnerabilities in your app?
Watch the Cyber Chief on-demand demo to see not only how it can help to keep attackers out, but also to see how you can ensure that you ship every release with zero known vulnerabilities.
Cyber Chief has been built to integrate with the workflows of high-growth SaaS teams and that's why it offers:
Results from scanning your application for the presence of OWASP Top 10 + SANS CWE 25 + thousands of other vulnerabilities.
A detailed description of the vulnerabilities found.
A risk level for each vulnerability, so you know which ones to fix first.
Best-practice fixes for each vulnerability, including code snippets where relevant.
On-Demand Security Coaching from our application security experts to help you patch vulnerabilities in hours, not days.
Click the green button below to see how Cyber Chief works.