File upload vulnerabilities¶

In almost every web application there is functionality for uploading files. This file may be in form of text, video, image, etc. Developers often forget Content-Type vs. file extension checks, malicious files disguised as images (e.g., shell.jpg.php), parser inconsistencies (e.g., Apache’s mod_mime quirks), and cloud impact: Uploads to S3/Blob Storage can lead to bucket hijacking.
File upload vulnerabilities remain extremely common and are frequently exploited in real-world attacks. They appear in web applications (social media, forums, CMS platforms), Enterprise systems (HR portals, document management), APIs & cloud services (user avatars, PDF generators).
Test for them because upload flaws can be chained with RCE (uploading .php, .jsp, .aspx shells), XSS (malicious SVG/HTML files), and SSRF (via PDF generators and Office docs).
Far from a waste of time—file upload vulnerabilities are low-hanging fruit with high impact. Test aggressively, especially in apps handling sensitive data:
- Remote code execution via web shell upload
- Web shell upload via Content-Type restriction bypass
- Web shell upload via path traversal
- Web shell upload via extension blacklist bypass
- Web shell upload via obfuscated file extension
- Remote code execution via polyglot web shell upload
- Web shell upload via race condition