Bugs found in File Upload

Common Bugs found in File Upload Functions

File upload is a function commonly found in web apps. You may find it in social network apps, job-seeking apps, etc. It is also one of the areas that developers tend to overlook. This article introduces the common bugs that can be found in file upload functions. So, let’s begin:

1. File Upload IDOR

This is one of the most common vulnerabilities, yet one that developers often overlook. For example, suppose you are able to upload a file and the POST request looks like this:

POST /uploads/12345/
file=profile.jpg

Suppose 12345 is your user ID. You may try the old-school IDOR check by simply changing the user ID to the victim’s (e.g. 23456), then check whether your jpg file is uploaded to the victim’s account.

This kind of bug normally won’t be classified as critical, because the most impact you could create is changing the victim’s profile picture or uploading a ridiculous CV for the victim on a job-seeking website.

So, if you come across this case, you may try to escalate by changing POST to DELETE and see if you can delete the victim’s asset. If so, the severity level of the bug would increase.

2. Filename XSS

Apart from firing XSS payloads into a search box, have you ever tried injecting XSS payloads into the filename of an upload? For example, in a social media app, you find that your uploaded profile picture appears on your profile page like this:

<img src="youruploadpic.jpg" width="400" height="235">

Then, try changing your picture name to “><script>alert(“XSS”).jpg</script><. When you browse your profile page again, it appears as:

<img src="“><script>alert(“XSS”).jpg</script><" width="400" height="235">

So, if the web app does not have proper sanitization in place, anyone who visits your profile page would trigger an XSS popup box. The above payload doesn’t work? Fuzz the filename with XSS payloads and try!

3. CSV Injection

As you may have noticed, you can put formulas into a CSV file to do calculations. But how about code? Yes! You can put code into a CSV file as well. So, if a web app does not sanitise the content of an uploaded CSV file properly, a CSV file with malicious code could be uploaded to the web app and downloaded by an admin or another user. An attacker can then redirect victims to an attacker-controlled site or even execute code on the victim’s machine. Some examples of payloads can be found in the GitHub repo below:

GitHub – payloadbox/csv-injection-payloads: CSV Injection Payloads


4. Upload Executable File

This is probably the most critical one in a file upload function, because if it succeeds, it could lead to RCE. The idea is very simple. If you are asked to upload a picture, you try to upload a .php web shell, a .jspx file, etc. to see if it can be uploaded successfully. Then, try to access the page where it was uploaded to execute commands.

But of course, most web apps nowadays have some protection against executable files being uploaded.

So, let’s say the file upload is like below:

Content-Disposition: form-data; name="file" filename="profile.jpg"
Content-Type: image/jpeg

You may try something very strange like the examples below to bypass it:

Line Termination Trick

Content-Disposition: form-data; name="file" filename="webshell.
p
h
p"
Content-Type: image/jpeg

Content-Disposition Overflow

Content-Disposition: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA form-data; name="file" filename="webshell.php"
Content-Type: image/jpeg

File Name Overflow

Content-Disposition: form-data; name="file" filename="webshellAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php"
Content-Type: image/jpeg

Duplicated Line

Content-Disposition: form-data; name="file" filename="profile.jpg"
Content-Disposition: form-data; name="file" filename="webshell.php"
Content-Type: image/jpeg

Double Extension

Content-Disposition: form-data; name="file" filename="webshell.php.jpg"
Content-Type: image/jpeg

The above are just some examples. You may try many other things to bypass the protection mechanism. The most important thing is your creativity.
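Seen from the server side, every header variant listed above deviates from the baseline request in a way a strict check can detect. The following is an added example, not code from the original article: a Python validator for the raw headers of one multipart part. The function name, the length limits and the allowed-extension list are assumptions, and the sample inputs are constructed to mirror the variants above.

```python
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}  # assumption: image-only upload
MAX_HEADER_LEN = 512   # assumed cap for one part-header line
MAX_NAME_LEN = 100     # assumed cap for the client-supplied filename

def check_part_headers(raw_headers):
    """Validate one multipart part's raw headers -> (ok, reason, stored_name).
    stored_name is random, so the client filename never reaches disk or HTML."""
    lines = [l for l in re.split(r"\r\n|\r|\n", raw_headers) if l]
    # A filename broken across lines leaves fragments with no field name.
    if not all(re.match(r"[A-Za-z-]+:", l) for l in lines):
        return False, "header line without field name", None
    disp = [l for l in lines if l.lower().startswith("content-disposition:")]
    if len(disp) != 1:
        return False, "missing or duplicated Content-Disposition", None
    if len(disp[0]) > MAX_HEADER_LEN:
        return False, "header too long", None
    if not re.match(r"(?i)content-disposition:\s*form-data\s*;", disp[0]):
        return False, "malformed Content-Disposition", None
    m = re.search(r'filename="([^"]*)"', disp[0])
    if not m:
        return False, "no quoted filename", None
    name = m.group(1)
    if not 0 < len(name) <= MAX_NAME_LEN:
        return False, "filename length out of range", None
    # Exactly one dot: rejects double extensions and extension-less names.
    stem, dot, ext = name.partition(".")
    if not dot or "." in ext or ext.lower() not in ALLOWED_EXT:
        return False, "extension not allowed", None
    if not re.fullmatch(r"[A-Za-z0-9_-]+", stem):
        return False, "unexpected character in filename", None
    return True, "ok", secrets.token_hex(16) + "." + ext.lower()

# Constructed sample inputs, written the way the article shows the headers.
CD = 'Content-Disposition: form-data; name="file" filename='
CT = "\r\nContent-Type: image/jpeg"
SAMPLES = {
    "baseline": CD + '"profile.jpg"' + CT,
    "line_break": CD + '"webshell.\r\np\r\nh\r\np"' + CT,
    "header_overflow": CD.replace(": ", ": " + "A" * 130 + " ", 1) + '"webshell.php"' + CT,
    "name_overflow": CD + '"webshell' + "A" * 130 + '.php"' + CT,
    "duplicated": CD + '"profile.jpg"\r\n' + CD + '"webshell.php"' + CT,
    "double_ext": CD + '"webshell.php.jpg"' + CT,
}
if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_part_headers(raw)[:2])
```

This covers only the part headers; the uploaded bytes still need their own type check, and the storage directory should not be configured to execute scripts.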

Conclusion

File upload is a very commonly seen function in web apps, and a lot of treasures for bug bounty hunters are hidden within it. So, next time, check out the file upload function and try the above tricks. You may find your bounty in it. Good luck and happy hacking!
