Hello Hackers,

Hope you guys Doing well and hunting lots of bugs and Dollars !

I always prefer to hunt bugs on file upload functionality on any web application. Vulnerabilities in file uploads will generally give you high severity bugs and it is not too secure at the time. well, so for today we are going to talk about a very exploitable part of the web that is file upload functionality.

During penetration testing, we have seen many file upload functionality which can grants users to transfer of file from user’s computer to the server. As it is directly communicating with the server, so we have to manage good security hygiene over there.

For the security reason, we implement two types of sanitation on the web application:-

Client-side Validation — when web applications use client-side validation, all the user’s inputs validated in the user’s browser itself. It doesn’t require a round trip to the server. This validation is done on the browser side using script languages such as JavaScript or HTML5 attribute.

Server-side validation — The input submitted by the user is being sent to the server and validated using one of the server side scripting language as Asp.net, PHP, etc.it is also best practice from protecting against malicious users.

But it doesn’t mean that the web application is completely secure on file upload functionality, There are some methods to bypass it. so let’s start and learn how to look for bugs in this function.

Client-side Filter Bypass — As I have already mentioned that, client-side validation is done on the browser using script languages i.e java script. So this java script only processes your request before it’s actually sent to the server and validates the type of file we are uploading. if the file doesn’t look valid then it reflects back with an error message. But the main concern is that this security is too much dependent on the browser, which can be manipulated via a proxy tool (Burp suite, OWASP zap ) and tamper it to change the content and the file name of the uploaded file.

Bypassing File extension check:-

It is when the server validates the file that is uploaded by comparing its extension, this validation occurs based on two ways blacklisting and whitelisting file extension.

1. Try adding special characters at the end

file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php….
file.pHp5….

2. Try to bypassing by Double extension

file.png.php
file.png.pHp5

3. Try to bypassing by null byte or adding junk data

shell.php%00.jpg

shell.php%0delete0.jpg
file.phpJunk123png

4. Try to bypassing by adding a valid extension before the execution extension

file.png.php
file.png.Php5

5. Try to bypassing by using uppercase and lowercase letters

file.jPg

file.SvG

file.asP

Content-type validation — It is when the server validates the content of the file by checking the MIME type of the file, which can be shown in the HTTP request body.

1. Bypassing content-type validation by changing the value of the content-type header

Content-length validation — It is when the server checks the length of the content of the uploaded files & restricts a file size that can’t be exceeded.

1. Bypassing content-type validation by changing the value of the content-length header

Top 10 list of things that you can achieve by uploading file :-

• SVG: Stored XSS / SSRF / XXE
• HTML / JS : HTML injection / XSS / Open redirect
• ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
• GIF: Stored XSS / SSRF
• CSV: CSV injection
• PNG / JPEG: Pixel flood attack (DoS)
• ZIP: RCE via LFI / DoS
• PDF / PPTX: SSRF / BLIND XXE
• XML: XXE
• AVI: LFI / SSRF

References:-

Hope this is useful for you guys

Happy Hacking !

Twitter handle :- https://twitter.com/Xch_eater