TL;DR
This guide shows common ways attackers bypass file upload restrictions on websites. We’ll cover techniques like changing file extensions, using different content types, and exploiting server-side vulnerabilities. It’s aimed at security professionals to understand attack vectors and developers to build more secure uploads.
Understanding File Upload Restrictions
Websites often restrict the types of files you can upload to prevent malicious code (like viruses or scripts) from being stored on their servers. Common restrictions include:
- File Extension Filtering: Only allowing specific extensions like
.jpg,.png,.pdf. - Content Type Checking: Verifying the file’s content type (e.g.,
image/jpeg) matches the extension. - File Size Limits: Preventing very large files from being uploaded.
Bypass Techniques
- Changing File Extensions
- Double Extension Bypass: Try uploading a file like
image.jpg.php. Some servers only check the last extension and will allow it, then execute the PHP code. - Case Sensitivity Bypass: If the server is case-insensitive (e.g., on Linux), try
image.JPGinstead ofimage.jpg. - Null Byte Bypass: (Less common now) Some older systems might be tricked by a null byte character (
%00). Example:image.jpg%00.php. This can terminate the filename check prematurely.
- Double Extension Bypass: Try uploading a file like
- Manipulating Content Types
- Incorrect MIME Type: Change the file’s content type in your browser’s developer tools before uploading. For example, set a PHP file to
image/jpeg. - Content-Type Header Injection: Some servers rely on the Content-Type header sent by the client. You can modify this header using tools like Burp Suite or curl.
curl -X POST -H "Content-Type: image/jpeg" -F "file=@malicious.php" http://example.com/upload.php
- Incorrect MIME Type: Change the file’s content type in your browser’s developer tools before uploading. For example, set a PHP file to
- Exploiting Server-Side Vulnerabilities
- Filename Filtering Issues: If the server uses a simple string comparison for filtering, you might be able to bypass it with clever filenames. For example, using spaces or special characters.
filename = "image .jpg" - Path Traversal Vulnerabilities: If the server doesn’t properly sanitize the filename, you could use path traversal sequences (e.g.,
../) to write files outside of the intended upload directory.filename = "../../etc/passwd" - Polyglot Files: Create a file that is valid in multiple formats. For example, a PHP file containing a valid JPEG header followed by malicious PHP code.
- Filename Filtering Issues: If the server uses a simple string comparison for filtering, you might be able to bypass it with clever filenames. For example, using spaces or special characters.
- Using Different File Types
- Image within an Archive: Upload a ZIP or RAR archive containing the malicious file. The server might only check the archive extension, not the files inside.
- SVG Files: SVG (Scalable Vector Graphics) can contain JavaScript code and be executed by browsers. Upload a malicious SVG file.
<svg onload="alert('XSS')"></svg>
Preventing File Upload Bypass Attacks
- Strict Whitelisting: Only allow specific, necessary file extensions. Avoid blacklisting.
- Content Type Validation: Verify the content type using a library that accurately detects file types (don’t rely solely on the Content-Type header).
- File Size Limits: Implement reasonable file size limits to prevent denial of service attacks and make exploitation harder.
- Random Filenames: Generate unique, random filenames for uploaded files.
- Secure Storage Location: Store uploaded files outside the web root directory and serve them through a separate script that handles access control.
- Regular Security Audits: Regularly scan your code and infrastructure for vulnerabilities.