File Upload Testing

File types

 Image File?


 ... And more based on context

 Blacklisted file formats?

 White-listed file formats?

File size

 Minimum size

 No size limit

 Maximum size

Messages Information / Error / Warning

 File uploaded without any errors - Success!

 The file chosen exceeds maximum file size. Try again.

 The uploaded file was only partially uploaded.

 No file was uploaded

 Failed to write file to server (Unknown)

 File uploading was cancelled

 File appears to be corrupt. Re-try!

 Multi File Uploading: Some files failed to upload...

Uploader Type?

 Single File

 Multiple Files

Progress bar?

 Approx. Time Remaining

 Display file size that's already uploaded

Third-party uploader?

 If yes, search the web for publicly known vulnerabilities in that uploader

 Check the readme file for known bugs and bug fixes


Uploader: Single File? Multiple File?

 Custom Built?


Security Attacks

 Upload *.jsp files and try executing them

 Upload *.exe file (Malicious *.exe)

 Upload an *.html file that contains an XSS script

 Upload Virus File

 Upload a file that contains another party's sensitive data

 Upload Huge Files (Denial of service)

 Phishing Page Embedding Attack

Good Practices

 Setting maximum file size

 White-listing file formats

 Setting Content-Type

 Implement File Type Recognizer

 Remove special characters such as ";", ":", ">", "<", "/", "\", additional ".", "*", "%", "$", etc.

 Accept alphanumeric file names only

 Don't accept empty file names with no extension

 Built-in virus scanner

 Absolute pathname access should be restricted (Hash the file names on the server to avoid brute force download)

 Use POST method instead of PUT

 Prevent overwriting of file

 Use the client-side max file size attribute along with a server-side check

 Authorization & Permissions for downloading and uploading
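The following is an added example, not code from the original checklist, showing how several of the good practices above combine into one server-side validation path: a maximum size, an extension white-list, a magic-byte file type recognizer, stripping of path components and special characters from the file name, rejection of empty or extension-less names, a salted hash as the stored name so files cannot be enumerated, and exclusive creation so an existing file is never overwritten. The policy values (5 MB limit, the allowed extensions, the signature table) are assumptions for illustration; the sample uploads in `run_demo()` are constructed inline.

```python
import hashlib
import os
import re
import secrets
import tempfile

# Hypothetical policy values (assumed for this example, not from the checklist).
MAX_BYTES = 5 * 1024 * 1024
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Magic-byte signatures for the file type recognizer: the declared extension
# must agree with the real content, independent of the client's Content-Type.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Content-Type the server sets itself when serving the file (never echo the client's).
CONTENT_TYPES = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
                 "gif": "image/gif", "pdf": "application/pdf"}


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails a check."""


def sanitize_name(filename):
    """Strip path components, keep alphanumerics in the stem, allow one extension."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directory part
    if "." not in base:
        raise UploadRejected("file name has no extension")
    stem, ext = base.rsplit(".", 1)                 # only the final '.' starts the extension
    stem = re.sub(r"[^A-Za-z0-9_-]", "", stem)      # removes ; : < > / \ * % $ and extra '.'
    if not stem:
        raise UploadRejected("empty file name")
    ext = ext.lower()
    if not re.fullmatch(r"[a-z0-9]+", ext):
        raise UploadRejected("invalid extension")
    return stem, ext


def validate_upload(filename, data):
    """Run every check; return (sanitized stem, extension, server-chosen content type)."""
    if not data:
        raise UploadRejected("no file was uploaded")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file exceeds maximum size")
    stem, ext = sanitize_name(filename)
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not white-listed")
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    return stem, ext, CONTENT_TYPES[ext]


def storage_name(stem, ext):
    """Salted hash of the name: stored names cannot be guessed or brute-forced."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + stem.encode()).hexdigest()
    return f"{digest}.{ext}"


def save_upload(directory, name, data):
    """Create the file exclusively (O_EXCL) so an existing file is never overwritten."""
    path = os.path.join(directory, name)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise UploadRejected("file already exists")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def classify(filename, data):
    """Convenience wrapper: (accepted, reason or content type)."""
    try:
        _, _, ctype = validate_upload(filename, data)
        return True, ctype
    except UploadRejected as exc:
        return False, str(exc)


def run_demo():
    """Constructed sample uploads exercising each check; returns the outcomes."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    results = {
        "good_png": classify("photo.png", png),
        "jsp_ext": classify("page.jsp", b"<% %>"),            # not white-listed
        "mismatch": classify("page.png", b"<html><script>"),  # magic bytes disagree
        "traversal": classify("../dir/photo.png", png),       # directory part dropped
        "no_ext": classify("noext", png),
        "empty": classify("x.png", b""),
        "too_big": classify("big.gif", b"GIF89a" + b"\x00" * MAX_BYTES),
        "sanitized_stem": sanitize_name("my;file<1>:.png")[0],
    }
    with tempfile.TemporaryDirectory() as tmp:
        name = storage_name("photo", "png")
        save_upload(tmp, name, png)
        results["hashed_name_ok"] = bool(re.fullmatch(r"[0-9a-f]{64}\.png", name))
        try:
            save_upload(tmp, name, png)
            results["overwrite_blocked"] = False
        except UploadRejected:
            results["overwrite_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The mapping from the sanitized original name to the hashed storage name is what the application would record in its database; the original name is then only used for display and for the server-set Content-Type, never as a path on disk.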


 Single File Upload

 Multi File Upload

 Choose File

 Drag and Drop File to Upload

 Cancel Upload (Single File)

 Cancel All (Multi File Upload)