File upload vulnerabilities

PortSwigger Academy XML external entity File Upload Labs

Almost every web application has functionality for uploading files, whether text documents, videos, images, or other formats. Developers often overlook: Content-Type versus file extension checks (the header is client-controlled and may not match the extension); malicious files disguised as images (e.g., shell.jpg.php); parser inconsistencies (e.g., Apache's mod_mime quirks with multiple extensions); and the cloud impact, where uploads to S3/Blob Storage can lead to bucket hijacking.

File upload vulnerabilities remain extremely common and are frequently exploited in real-world attacks. They appear in web applications (social media, forums, CMS platforms), enterprise systems (HR portals, document management), and APIs and cloud services (user avatars, PDF generators).

Test for them because upload flaws can be chained into RCE (uploading .php, .jsp, or .aspx shells), XSS (malicious SVG/HTML files), and SSRF (via PDF generators and Office documents).
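As an added example (not part of the lab page), the following server-side validator addresses the checks the two paragraphs above describe: it treats the Content-Type header as untrusted, rejects every dangerous extension anywhere in the name (so shell.jpg.php and shell.php.jpg both fail), verifies the file's leading bytes against the extension, and stores the file under a random name. The allowlist, magic bytes and dangerous-extension set are constructed for this example and should be tuned to the application.

```python
import os
import secrets

# Allowlist: extension -> (magic bytes the content must start with, expected Content-Type).
# Constructed for this example; extend for the formats the application really accepts.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "gif": (b"GIF8", "image/gif"),
}

# Extensions that must never appear anywhere in the name: server-side handlers
# (RCE) and browser-rendered formats (XSS). Handlers such as Apache mod_mime look
# at every extension in "shell.jpg.php", not only the last one, so we do too.
DANGEROUS_EXTENSIONS = {
    "php", "php3", "php5", "phtml", "jsp", "jspx", "asp", "aspx", "cgi",
    "svg", "html", "htm", "xhtml",
}

def validate_upload(filename: str, declared_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, detail). On success, detail is the validated extension."""
    base = os.path.basename(filename)          # drop any path components the client sent
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts):       # rejects "noext", ".htaccess", "a..jpg"
        return False, "filename must be name.ext with no empty parts"
    extensions = parts[1:]
    # Check every extension, not just the last: shell.jpg.php and shell.php.jpg
    if any(ext in DANGEROUS_EXTENSIONS for ext in extensions):
        return False, f"dangerous extension in {base!r}"
    if len(extensions) != 1:
        return False, "double extensions are not accepted"
    ext = extensions[0]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed"
    magic, expected_type = ALLOWED_TYPES[ext]
    # The Content-Type header is attacker controlled: it must match the allowlist...
    if declared_type.split(";")[0].strip().lower() != expected_type:
        return False, f"Content-Type {declared_type!r} does not match .{ext}"
    # ...and the bytes themselves must agree with the extension (no PHP in a "jpg").
    if not data.startswith(magic):
        return False, f"content does not look like a .{ext} file"
    return True, ext

def storage_name(ext: str) -> str:
    """Never store under the client-supplied name; random name plus the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"
```

Serving uploads from a separate, non-executing origin or bucket with a fixed Content-Type on download closes the remaining gap when a check is missed.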


Last update: 2025-05-19 17:27