Configuration: File Upload Endpoint Detected
Identifier: file_upload_detected
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
File upload endpoints accept binary or document payloads from clients and represent a high-leverage attack surface (CWE-434, CWE-22, CWE-94, CWE-79). Cataloguing every detected endpoint lets customers audit which surfaces are exposed and which downstream active checks were run against them.
How we test: We classify endpoints from three independent sources: (a) HAR traffic with a multipart/form-data Content-Type and a filename= part header, (b) BLST exchange templates, including GraphQL multipart spec requests with an operations / map shape, and (c) JavaScript source containing FormData, <input type="file">, apollo-upload-client, react-dropzone, tus-js-client, @uppy/core, or filepond imports. Endpoints discovered from observed traffic are profiled with a tightly budgeted tiny LLM (ModelName.gpt_5_mini, at most 1 call per endpoint) to produce a structured description; JS-only endpoints rely on deterministic evidence and are not actively probed.
Every detection emits a context.info event with the originating request (or JS source snippet) as an attachment so customers can audit what triggered the classification.
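To make the three detection sources concrete, the following is an added example (not the scanner's own code) of a classifier that applies the same rules to a constructed HAR log and two constructed JavaScript files: multipart bodies carrying a filename= part header, GraphQL multipart spec requests with operations and map parts, and JS sources containing the listed upload libraries. Each finding carries the originating request or JS snippet as an attachment, mirroring the audit event described above; the "active_probe" flag is an assumed field that marks JS-only findings as not actively probed. All function and field names here are the example's own.

```python
import re
from typing import Optional

# JavaScript-side evidence markers listed on the page.
JS_UPLOAD_MARKERS = (
    "FormData",
    '<input type="file">',
    "apollo-upload-client",
    "react-dropzone",
    "tus-js-client",
    "@uppy/core",
    "filepond",
)


def classify_har_entry(entry: dict) -> Optional[str]:
    """Label a HAR entry as an upload endpoint, or return None.

    Rules from the page: a multipart/form-data request whose body has a
    filename= part header, or a GraphQL multipart spec request whose body
    carries parts named "operations" and "map".
    """
    req = entry.get("request", {})
    headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
    if not headers.get("content-type", "").lower().startswith("multipart/form-data"):
        return None
    body = req.get("postData", {}).get("text", "")
    # The GraphQL multipart spec also includes a filename= part, so check it first.
    if re.search(r'name="operations"', body) and re.search(r'name="map"', body):
        return "graphql-multipart"
    if "filename=" in body:
        return "multipart-file"
    return None


def classify_js_source(source: str) -> list:
    """Return the upload-library markers present in a JS source (deterministic evidence)."""
    return [m for m in JS_UPLOAD_MARKERS if m in source]


def detect_file_upload_endpoints(har: dict, js_sources: dict) -> list:
    """Produce one finding per detected upload surface, with its evidence attached."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        label = classify_har_entry(entry)
        if label:
            req = entry["request"]
            findings.append({
                "source": "har",
                "method": req.get("method"),
                "url": req.get("url"),
                "evidence": label,
                "active_probe": True,           # observed traffic may be probed further
                "attachment": {"request": req},  # the originating request, for audit
            })
    for path, src in js_sources.items():
        markers = classify_js_source(src)
        if markers:
            findings.append({
                "source": "js",
                "url": path,
                "evidence": "js-markers:" + ",".join(markers),
                "active_probe": False,           # JS-only evidence is not actively probed
                "attachment": {"snippet": src[:200]},
            })
    return findings


# Constructed sample HAR log: a classic file upload, a GraphQL multipart
# upload, and a JSON login request that must not be flagged.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://app.example.test/api/upload",
                 "headers": [{"name": "Content-Type",
                              "value": "multipart/form-data; boundary=----x"}],
                 "postData": {"text": '------x\r\nContent-Disposition: form-data; '
                                      'name="file"; filename="report.pdf"\r\n'
                                      'Content-Type: application/pdf\r\n\r\n%PDF-1.4\r\n------x--'}}},
    {"request": {"method": "POST", "url": "https://app.example.test/graphql",
                 "headers": [{"name": "Content-Type",
                              "value": "multipart/form-data; boundary=----y"}],
                 "postData": {"text": '------y\r\nContent-Disposition: form-data; name="operations"\r\n\r\n'
                                      '{"query":"mutation($f: Upload!){ upload(file:$f) }","variables":{"f":null}}\r\n'
                                      '------y\r\nContent-Disposition: form-data; name="map"\r\n\r\n{"0":["variables.f"]}\r\n'
                                      '------y\r\nContent-Disposition: form-data; name="0"; filename="a.txt"\r\n\r\nhello\r\n------y--'}}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/login",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"text": '{"user":"a","pass":"b"}'}}},
]}}

# Constructed JS sources: one uses react-dropzone and FormData, one is unrelated.
SAMPLE_JS = {
    "static/upload.js": 'import Dropzone from "react-dropzone";\nconst fd = new FormData();\nfd.append("file", blob);',
    "static/nav.js": "document.querySelector('#menu').addEventListener('click', toggle);",
}

if __name__ == "__main__":
    for f in detect_file_upload_endpoints(SAMPLE_HAR, SAMPLE_JS):
        print(f["source"], f["url"], f["evidence"], "probe=%s" % f["active_probe"])
```

Running the script lists three findings: the /api/upload and /graphql requests from the HAR (with the full request attached) and the upload.js file (with its snippet attached and probing disabled); the JSON login request produces nothing.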
References:
- https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
- https://cwe.mitre.org/data/definitions/434.html
Configuration
Example
Example configuration:
Reference
skip
Type : boolean
Skip the test if true.