While I was learning about file upload vulnerabilities, one question came to my mind. What type of file do I use while hunting for file upload vulnerabilities? Do I need to detect which programming language is used on the backend? PHP extension files are used in most examples.
2 Answers
It's a broad question and hence hard to answer correctly, but I will look into it one by one.
What type of file do I use while hunting for file upload vulnerabilities?
Answer: Try to identify the file parsing in the application. As mentioned, the best match is to identify the backend language and upload a file in the same language. "PHP extensions are used in most scenarios" is a wrong assumption, because enterprise core applications rely on JSP or .NET, and uploading a PHP file to these applications might not yield the expected results.
Diving deep: Even though PHP, JSP or ASP files are the extensions that can potentially produce a critical impact on the application server, other file extensions are also dangerous. A few of them are listed below:
- Excel and Word files can lead to XXE
- PostScript files like PDF, EPS, PS, XPS
- GIF files leaking memory
- SVG files leading to SSRF, XXE and XSS
- HTML files leading to XSS
This GitHub repo has lots of image-related public exploits found so far: https://github.com/barrracud4/image-upload-exploits
Final Note: Understanding the file parsing and application behaviour is important to identify the file upload test cases that can be performed on the application. File upload bypass techniques will aid in overcoming certain extension limitations and content-type validation.
More and more threat vectors are being revealed in file parsing libraries, so moving forward, file upload testing can go beyond expectations.
Nice answer! I hope this will be useful for me. – charlie May 18 '22 at 11:58
@charlie please check the link and take necessary action https://stackoverflow.com/help/someone-answers – Joel Deleep May 18 '22 at 12:46
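The answer above lists SVG and HTML as uploads that are dangerous even when they can never execute on the server, because they are active content in the browser or the XML parser. The following is an added example, not code from the answer or from the linked repository: a defender-side check that inspects an uploaded SVG for the constructs behind those XSS, XXE and SSRF findings (a DTD in the prolog, script-bearing elements, event-handler attributes, and href values that point at script or at an external resource). The element and attribute names it flags are a constructed policy, and the sample documents are constructed for the stand-alone run.

```python
"""Added example: flag active content in an uploaded SVG before storing or serving it.
Policy lists and sample documents are constructed for this example."""
import re
import xml.etree.ElementTree as ET
from typing import List

# Elements that carry script or embed another document inside SVG (constructed policy).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# href / xlink:href values that point at script or outside the file itself.
RISKY_HREF = re.compile(r"^\s*(javascript:|data:text/html|https?://|file:)", re.I)


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []

    # A DTD in an untrusted document is the precondition for XXE and entity-based
    # SSRF, so it is flagged from the raw prolog before any parser touches it.
    prolog = svg_bytes[:4096].lower()
    if b"<!doctype" in prolog or b"<!entity" in prolog:
        findings.append("DOCTYPE/ENTITY declaration in prolog")

    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Malformed XML is rejected rather than guessed at.
        findings.append(f"not well-formed XML: {exc}")
        return findings

    for el in root.iter():
        # Strip the namespace so "{http://www.w3.org/2000/svg}script" compares as "script".
        local_tag = el.tag.rsplit("}", 1)[-1].lower()
        if local_tag in ACTIVE_ELEMENTS:
            findings.append(f"<{local_tag}> element")
        for attr, value in el.attrib.items():
            local_attr = attr.rsplit("}", 1)[-1].lower()
            if local_attr.startswith("on"):
                findings.append(f"event handler attribute {local_attr}")
            elif local_attr == "href" and RISKY_HREF.match(value):
                findings.append(f"href to script or external resource: {value}")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when the document produced no findings at all."""
    return not find_active_content(svg_bytes)


# Constructed sample documents for a stand-alone run.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
                b'<script>x()</script></svg>')
DTD_SVG = b'<!DOCTYPE svg><svg xmlns="http://www.w3.org/2000/svg"/>'
EXTERNAL_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<image xlink:href="http://example.org/logo.png"/></svg>')

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG),
                         ("dtd", DTD_SVG), ("external", EXTERNAL_SVG)]:
        print(f"{name}: {find_active_content(sample)}")
```

The DTD test runs on the raw bytes on purpose: by the time a parser has expanded entities it may already be too late, so the decision to reject is taken before parsing. An application that must accept SVG would normally pair a check like this with serving the file from a separate origin and with a Content-Disposition that prevents inline rendering.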
When testing for RCE via an arbitrary file upload vulnerability, it's essential to be certain about the backend; otherwise the server won't be able to understand your file.
There are multiple ways to detect the backend language used in the application; most are listed in the response here.
For more general tests, in which you want to see how many types of file extension the application allows, you can use this extension list in Intruder, see how many file extensions the application supports, and then craft an attack from the allowed extensions. For example, if the upload functionality supports the SVG extension, then you can look for XSS via SVG.
Most of the time, file upload restrictions are not applied via extension only; they can also be based on the content type and other properties. You can read more about it here.
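Both answers come back to the same point: the application's checks on extension, declared content type and file parsing decide which uploads get through, and a check on any one of those alone is weak because the client controls the name and the Content-Type header. The following is an added example, not code from either answer: an upload gate that only accepts a file when all three properties agree, with the allowlist, the expected MIME types and the magic bytes being a constructed policy for the example. SVG and HTML are deliberately absent from that allowlist, the filename stem may not contain a second dot, and the server chooses the stored name itself.

```python
"""Added example: an upload gate that requires extension, declared Content-Type and
the file's own header to agree. The policy table and samples are constructed."""
import os
import re
import uuid
from dataclasses import dataclass
from typing import Optional

# Allowlisted extension -> (expected Content-Type, accepted leading bytes).
# Active formats such as .svg and .html are intentionally not listed.
POLICY = {
    ".png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    ".jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
    ".pdf": ("application/pdf", [b"%PDF-"]),
}

# The stem may only contain these characters; no dots, so "name.php.png" fails here.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def sniff_extension(data: bytes) -> Optional[str]:
    """Return the allowlisted extension whose magic bytes match the data, else None."""
    for ext, (_mime, magics) in POLICY.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(filename: str, content_type: str, data: bytes) -> Verdict:
    """Accept only when name, declared type and actual header all agree."""
    # Drop any directory part the client sent (either separator), then split.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in POLICY:
        return Verdict(False, f"extension {ext!r} not allowed")
    if not SAFE_STEM.match(stem):
        return Verdict(False, "unsafe filename stem")

    expected_mime, _ = POLICY[ext]
    # Ignore parameters such as "; charset=..." when comparing the declared type.
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected_mime:
        return Verdict(False, f"Content-Type {declared!r} does not match {ext}")

    # The header is the only property the client cannot fake by renaming.
    sniffed = sniff_extension(data)
    if sniffed is None or POLICY[sniffed][0] != expected_mime:
        return Verdict(False, "file header does not match extension")

    # Never reuse the client's name on disk; the server picks an opaque one.
    return Verdict(True, "ok", f"{uuid.uuid4().hex}{ext}")


# Constructed sample: a PNG signature followed by filler bytes.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)

if __name__ == "__main__":
    for name, ctype, data in [
        ("photo.png", "image/png", PNG_SAMPLE),
        ("photo.png", "image/png", b"plain text"),
        ("photo.php.png", "image/png", PNG_SAMPLE),
        ("pic.svg", "image/svg+xml", b"<svg/>"),
    ]:
        print(name, validate_upload(name, ctype, data))
```

Magic-byte sniffing is still only a header check; a real deployment would also re-encode images and keep the upload directory off any path the web server executes from, so that a file which passes every check here is still just data.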