Unrestricted File Upload
detect, understand, remediate
Unrestricted file upload vulnerabilities allow attackers to upload malicious files (web shells, scripts, or executables) that can lead to remote code execution on the server.
No credit card required. Free plan available forever.
What is unrestricted file upload?
Unrestricted file upload is a vulnerability that allows attackers to upload files without adequate validation of file type, content, size, or name. When a web application accepts and stores user-uploaded files without proper checks, attackers can upload web shells, malicious scripts, or executable files that lead to remote code execution (RCE) on the server.
File upload functionality is present in nearly every web application: profile pictures, document attachments, CSV imports, and file sharing features all accept user-provided files. Each upload endpoint is a potential entry point for attackers if the server trusts the client to send safe files without verifying the content server-side.
The consequences of unrestricted file upload range from website defacement and data theft to complete server compromise. A successfully uploaded web shell gives the attacker an interactive command prompt on the server, from which they can pivot to internal systems, exfiltrate databases, install backdoors, and establish persistent access to the environment.
How it works
Find upload endpoint
Attacker identifies a file upload feature (profile image, document upload, import function, or any form that accepts file input).
Craft malicious file
A web shell (PHP, JSP, ASPX) or a polyglot file (for example a valid image header followed by server-side script) is crafted to pass whatever checks the application performs, typically only client-side ones, while still containing code the server will execute.
Upload and locate file
The malicious file is uploaded, and the attacker determines its storage location, often in predictable paths in the webroot or disclosed in the response.
Execute remote code
The attacker requests the uploaded file via its URL. If the web server is configured to execute scripts in that location, it runs the file instead of serving it as static content, giving the attacker command execution with the web server's privileges.
Common causes
No file type validation
Accepting any file extension without checking it against an allow-list of safe types, or relying solely on client-side JavaScript validation, which attackers bypass simply by editing the request before it reaches the server.
Trusting Content-Type header
Validating file type based on the Content-Type header sent by the browser, which is trivially spoofed by attackers to bypass server-side checks.
Storing uploads in webroot
Saving uploaded files in a directory that is served by the web server, allowing direct HTTP access to uploaded files, including executable scripts.
No filename sanitisation
Preserving the original filename without sanitising it, enabling path traversal (a name such as ../../etc/passwd) to write outside the upload directory, or overwriting critical application files such as server configuration or .htaccess files.
How to detect it
Automated detection
- SecPortal's code scanner identifies upload handlers that lack server-side file type validation, magic byte checking, or size limits
- Authenticated scanning tests upload endpoints by submitting files with executable extensions and polyglot content
- External scanning discovers exposed upload directories and checks for accessible uploaded files with executable extensions
Manual testing
- Upload files with dangerous extensions (.php, .jsp, .aspx, .py) and check if the server stores and serves them
- Test bypass techniques: double extensions (shell.php.jpg), null bytes (shell.php%00.jpg, historically effective against PHP and Java runtimes that truncate the name at the NUL), case variations (.pHp), alternate extensions the blocklist forgot (.phtml, .php5), and MIME type spoofing via the Content-Type header
- Check if uploaded files are accessible via direct URL and whether the server executes them rather than serving them as static content
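The bypass techniques listed above only work because of specific flaws in how a filename check is written. The following added example (written for this page, not SecPortal's scanner code) models three common naive checks beside a strict one and runs a set of constructed probe filenames through all four, so a tester can see exactly which flaw each payload exploits. The allow-list, the probe names and the `effective_name` helper (which simulates a NUL-truncating filesystem API) are assumptions for illustration.

```python
# Constructed probe filenames, one per bypass technique.
PROBES = [
    "avatar.jpg",                    # legitimate upload
    "shell.php",                     # obvious executable extension
    "shell.pHp",                     # case variation
    "shell.phtml",                   # PHP extension missing from short blocklists
    "shell.jpg.php",                 # double extension, validated from the wrong end
    "shell.php.jpg",                 # double extension, executable segment in the middle
    "shell.php\x00.jpg",             # null byte: C-level APIs stop at the NUL
    "../../var/www/html/shell.jpg",  # path traversal in the name
]

ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}
EXECUTABLE = {"php", "phtml", "php3", "php5", "phar", "jsp", "jspx",
              "asp", "aspx", "py", "cgi", "pl"}


def naive_blocklist(name: str) -> bool:
    """Flawed: case-sensitive blocklist of three extensions on the last suffix."""
    return name.rsplit(".", 1)[-1] not in {"php", "jsp", "aspx"}


def naive_first_suffix(name: str) -> bool:
    """Flawed: validates the first suffix, so anything after it is ignored."""
    parts = name.split(".")
    return len(parts) > 1 and parts[1].lower() in ALLOWED


def naive_endswith(name: str) -> bool:
    """Flawed: endswith() on the raw string; a NUL before the real suffix fools it."""
    return name.lower().endswith(tuple("." + ext for ext in ALLOWED))


def effective_name(name: str) -> str:
    """What a NUL-truncating filesystem API (old PHP/Java runtimes) would create."""
    return name.split("\x00", 1)[0]


def strict_is_allowed(name: str) -> bool:
    """Hardened check: reject NULs and path separators, take only the final
    extension, compare it lowercased against the allow-list, and refuse any
    intermediate segment that is an executable extension (Apache's AddHandler
    can match a handler on any dotted segment, so shell.php.jpg is unsafe to
    keep under its own name)."""
    if not name or "\x00" in name or "/" in name or "\\" in name:
        return False
    segments = name.lower().split(".")
    if len(segments) < 2 or segments[0] == "" or segments[-1] not in ALLOWED:
        return False
    return not any(seg in EXECUTABLE for seg in segments[1:-1])


CHECKS = {
    "blocklist": naive_blocklist,
    "first_suffix": naive_first_suffix,
    "endswith": naive_endswith,
    "strict": strict_is_allowed,
}


def probe() -> dict:
    """Run every probe filename through every check; True means 'accepted'."""
    return {name: {label: fn(name) for label, fn in CHECKS.items()} for name in PROBES}


if __name__ == "__main__":
    for name, verdicts in probe().items():
        accepted = [label for label, ok in verdicts.items() if ok]
        print(f"{name!r:38} accepted by: {accepted or 'none'}")
    print("stored on a NUL-truncating runtime as:", effective_name("shell.php\x00.jpg"))
```

Every naive check accepts at least one executable payload, and all of them accept the path-traversal name; only the strict check rejects everything except avatar.jpg. Note that even the strict check is a filename check only: it says nothing about the bytes inside the file, which is why it must be paired with content inspection and safe storage.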
How to fix it
Validate file type server-side using magic bytes
Check the file's actual content (magic bytes / file signature) rather than relying on the extension or Content-Type header, and only allow explicitly permitted file types. Magic bytes alone do not stop polyglot files (a valid image header followed by script), so combine this check with storage outside the webroot and, for images, re-encoding with an image library.
Store uploads outside the webroot
Save uploaded files in a directory that is not served by the web server, so that nothing uploaded can ever be requested by URL and executed. Serve files through an application route that sets Content-Disposition: attachment, the Content-Type determined during validation, and X-Content-Type-Options: nosniff so browsers do not second-guess the type.
Randomise filenames
Generate random filenames (UUIDs) for stored files instead of preserving the original name, adding only an extension taken from the validated type. This prevents path traversal and file overwrites, and makes uploaded files harder to locate. If the original name is needed for display or download, keep it in the database, not on disk.
Enforce file size limits
Set strict maximum file size limits appropriate to the use case, enforced before the body is fully read where possible. This prevents denial of service through large file uploads and bounds the work that content validation, image processing, and malware scanning must do.
Scan uploads for malware
Integrate antivirus or malware scanning for all uploaded files before making them accessible. Quarantine files that fail scanning and alert the security team.
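The fixes above form one pipeline: size check, signature sniffing against an allow-list, cross-check against the client's extension, random name, storage in a directory the web server does not serve, and download headers that keep the browser from treating the file as anything else. The following added example (written for this page, not SecPortal's or any framework's code) implements that pipeline in plain Python with no web framework, so it runs offline; the signature table, the 5 MB limit, and the constructed sample uploads in `demo()` are assumptions. It also shows the polyglot caveat in action: a GIF header followed by script passes the sniff, and is harmless only because it is stored as a random .gif outside the webroot and served as an attachment.

```python
import os
import re
import uuid

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for an avatar-style upload

# Allow-list of (magic bytes, MIME type, stored extension). Only these types
# are ever written to disk, regardless of what the client claims.
SIGNATURES = (
    (b"\xff\xd8\xff", "image/jpeg", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "image/png", "png"),
    (b"GIF87a", "image/gif", "gif"),
    (b"GIF89a", "image/gif", "gif"),
    (b"%PDF-", "application/pdf", "pdf"),
)
EXTENSION_ALIASES = {"jpeg": "jpg"}


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the caller maps it to HTTP 400/413."""


def sniff_type(data: bytes):
    """Identify the file by its leading bytes. Returns (mime, ext) or None."""
    for magic, mime, ext in SIGNATURES:
        if data.startswith(magic):
            return mime, ext
    return None


def declared_extension(client_filename: str) -> str:
    """Final lowercased suffix of the client's name, used only to cross-check the
    sniffed type; the client's name never reaches the filesystem."""
    _, dot, ext = client_filename.rpartition(".")
    ext = ext.lower() if dot else ""
    return EXTENSION_ALIASES.get(ext, ext)


def store_upload(data: bytes, client_filename: str, upload_dir: str) -> dict:
    """Validate and persist an upload under a random name. upload_dir must be a
    directory the web server does not serve (e.g. /var/app/uploads), never the webroot."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    sniffed = sniff_type(data)
    if sniffed is None:
        raise UploadRejected("unsupported file type")
    mime, ext = sniffed
    if declared_extension(client_filename) != ext:
        raise UploadRejected("extension does not match content")
    stored_name = f"{uuid.uuid4()}.{ext}"  # random; extension comes from the sniff, not the client
    path = os.path.join(upload_dir, stored_name)
    # A UUID name cannot traverse, but assert the invariant anyway.
    assert os.path.dirname(os.path.abspath(path)) == os.path.abspath(upload_dir)
    with open(path, "wb") as fh:
        fh.write(data)
    return {"stored_name": stored_name, "content_type": mime, "size": len(data)}


def download_headers(record: dict, client_filename: str) -> dict:
    """Headers for the application route that serves a stored file: forces a
    download, pins the sniffed type, and stops browser MIME sniffing."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(client_filename))[:100] or "download"
    return {
        "Content-Type": record["content_type"],
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(record["size"]),
    }


def demo() -> dict:
    """Constructed sample uploads (not real files) run through the pipeline;
    returns the outcome per case so behaviour can be checked without a web server."""
    import tempfile
    upload_dir = tempfile.mkdtemp(prefix="uploads-")  # stands in for a directory outside the webroot
    cases = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "shell.php": b"<?php echo 'shell'; ?>",                    # no allowed signature
        "polyglot.gif": b"GIF89a" + b"<?php echo 'polyglot'; ?>",  # passes the sniff
        "big.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * MAX_UPLOAD_BYTES,
        "mismatch.jpg": b"\x89PNG\r\n\x1a\n",                      # PNG bytes, .jpg name
    }
    results = {}
    for name, data in cases.items():
        try:
            record = store_upload(data, name, upload_dir)
            results[name] = ("stored", record["stored_name"])
        except UploadRejected as exc:
            results[name] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome}")
    print(download_headers({"content_type": "image/png", "size": 40}, "../../etc/passwd"))
```

The polyglot case is the one to study: it is accepted, because its bytes really are a GIF, but it lands as `<uuid>.gif` in a directory no web server maps, and the only way to fetch it is through a route that returns it as an attachment with a pinned image type. Whether an interpreter would have executed its tail never comes up. Malware scanning slots in after `store_upload` and before the record is marked available to users.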
Secure your file upload endpoints
SecPortal's authenticated scanner identifies insecure file upload patterns. Start scanning for free.