File Upload

ID

file_upload

Severity

high

Kind

File Inclusion

CWE

N/A

Description

This detector identifies weaknesses in file upload functionality where the application fails to validate what it accepts. It tests for missing file type validation, missing or inadequate size limits, acceptance of executable files, path traversal sequences in filenames, and storage in web-accessible locations. The scanner attempts to upload a range of files, including executable scripts, oversized files, and files with malicious names, and checks whether the application accepts the dangerous uploads or stores them where they can be fetched directly.

Rationale

Unrestricted file upload vulnerabilities let attackers place files of their choosing on the server, which can lead to complete system compromise. Attackers upload web shells, executable scripts, or malware disguised as legitimate file types to gain remote code execution. Weak validation is bypassed with double extensions (shell.php.jpg), case variations (shell.PhP), client-controlled MIME types, or null byte injection (shell.php%00.jpg, effective against older runtimes that truncated the name at the NUL). A malicious file stored in a web-accessible directory lets the attacker execute arbitrary commands, deface the site, or pivot into the internal network.

Remediation

Validate file types with both an extension check and a content check: compare the file's leading bytes (magic bytes or file signature) against what the declared extension requires, and never rely on the client-supplied MIME type. Decide on the last extension only, lower-cased, so that double extensions and case variations do not slip through. Maintain a strict allow list of permitted extensions and reject everything else. Store uploaded files outside the web root and serve them through a handler that sets the Content-Type from the allow list rather than from the stored file, sends Content-Disposition: attachment and X-Content-Type-Options: nosniff. Replace the client-supplied filename with a randomly generated one so that directory traversal and filename tricks never reach the filesystem. Enforce a file size limit to prevent denial of service. Scan uploads with antivirus software before making them accessible. Disable script execution in the upload directory through web server configuration as defence in depth. Note that a signature check alone is not sufficient: a polyglot such as a file beginning with GIF89a followed by script code passes it, so re-encode images to strip embedded content.
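The following is an added example of these checks in Python, not code from the original page or from the scanner it documents. It assumes an allow list of image and PDF types, a 5 MB limit, and a storage directory outside the web root (a temporary directory stands in for it); the sample inputs are constructed byte strings that carry only the file signatures, not real images.

```python
import os
import secrets
import tempfile

# Allow list of permitted extensions, each mapped to the magic bytes (file
# signature) the content must start with. Anything not listed is rejected.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Content type used when serving each extension; the client's MIME type is never used.
SERVE_CONTENT_TYPE = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "pdf": "application/pdf",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Check size, filename, extension and content; return the canonical extension."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds size limit")
    # Only the base name matters; strip directory components (both separators)
    # so "../../etc/x.png" is judged as "x.png".
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base:
        # A NUL in a name is never legitimate; older runtimes truncated
        # "shell.php\x00.jpg" to "shell.php" at the filesystem call.
        raise UploadRejected("null byte in filename")
    if "." not in base:
        raise UploadRejected("no file extension")
    # Decide by the LAST extension only, lower-cased: "shell.PhP" becomes "php"
    # (rejected) and "shell.php.png" becomes "png" (content-checked below).
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        # Extension claims an image but the bytes do not: catches renamed scripts.
        raise UploadRejected("content does not match declared extension")
    return ext


def store_upload(client_filename: str, data: bytes, storage_dir: str) -> str:
    """Validate, then write the file under a random name; return that name."""
    ext = validate_upload(client_filename, data)
    # The client-chosen name never reaches the filesystem, so traversal
    # sequences and double extensions have nothing to act on.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    with open(os.path.join(storage_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name


def download_headers(stored_name: str) -> dict:
    """Headers for a handler that serves a stored file from outside the web root."""
    ext = stored_name.rsplit(".", 1)[1]
    return {
        "Content-Type": SERVE_CONTENT_TYPE[ext],
        # Force download under the server-chosen name; no inline rendering, no sniffing.
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples (not real files): only the signature bytes matter here.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_SAMPLE = b"<?php echo 'hello'; ?>"


def run_checks() -> dict:
    """Run the validator over the constructed samples; returns the outcome per case."""
    storage_dir = tempfile.mkdtemp()  # stands in for a directory outside the web root
    cases = {
        "clean png": ("photo.png", PNG_SAMPLE),
        "php script": ("shell.php", PHP_SAMPLE),
        "case-mangled ext": ("shell.PhP", PHP_SAMPLE),
        "double extension": ("shell.php.png", PHP_SAMPLE),
        "renamed script": ("image.png", PHP_SAMPLE),
        "null byte": ("shell.php\x00.jpg", PHP_SAMPLE),
        "traversal name": ("../../etc/passwd.png", PNG_SAMPLE),
        "oversized": ("big.png", PNG_SAMPLE + b"\x00" * MAX_UPLOAD_BYTES),
    }
    results = {}
    for label, (name, data) in cases.items():
        try:
            results[label] = store_upload(name, data, storage_dir)
        except UploadRejected as exc:
            results[label] = f"rejected: {exc}"
    return results
```

The signature check is the minimum, not the whole answer: a file that starts with GIF89a and continues with script code passes it, which is why re-encoding images and disabling script execution in the storage directory remain necessary alongside this validator.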

References