Configuration: Unrestricted File Upload
Identifier:
file_upload_unrestricted
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
An unrestricted file upload (CWE-434) lets an attacker upload arbitrary file types to the application. Even without code execution, this enables follow-up attacks: defacement, malware hosting, content-type confusion, storage exhaustion, and bypass of MIME-based defences elsewhere in the stack.
How we test: For each detected upload endpoint we replay the recorded request with a tiny benign canary file under a series of extensions known to be dangerous if mishandled: .php, .phtml, .phar, .jsp, .jspx, .aspx, .exe, .svg, .html, .htaccess, plus double-extension tricks (x.jpg.php). Each variant uses a per-scan canary filename (escape_canary_<uuid>.<ext>) so it cannot collide with real customer files. Confirmation is two-step: (a) the server returns 2xx (accepts the file), and (b) the file is retrievable via the inferred URL template returned by the upload response. We never write payloads that imply execution.
Every probe emits a context.info event with the raw multipart request and the upload/retrieval response as attachments.
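The two-step confirmation above (the server accepts the file, and it is then retrievable) describes what a vulnerable endpoint looks like from the outside. The following is an added example of the server-side validation that makes such a probe fail; it is not code from the scanner or from this page. It assumes an image-upload feature, so the allowlist, magic-byte table and the constructed canary inputs in `demo()` are assumptions for illustration. It rejects every suffix not on the allowlist (so `x.jpg.php` fails as a whole), rejects dotfiles such as `.htaccess`, checks that the content matches the claimed type, discards the client-supplied name when storing, and serves the file with headers that stop browsers from sniffing it into another type.

```python
import uuid
from pathlib import PurePosixPath

# Assumption: the feature only needs raster images. Allowlist, never denylist.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes each allowed type must start with, so the body must match the name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

CONTENT_TYPES = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}


def validate_upload(filename, content):
    """Return (accepted, reason, stored_name) for one multipart file part."""
    # Keep only the final path component: strips any directory traversal in the client name.
    name = PurePosixPath(filename.replace("\\", "/")).name
    if not name or name.startswith("."):
        return False, "empty or dotfile name", None

    # Every suffix, not just the last one, must be allowlisted (defeats x.jpg.php and x.php.jpg).
    suffixes = [s.lstrip(".").lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return False, "no extension", None
    for s in suffixes:
        if s not in ALLOWED_EXTENSIONS:
            return False, f"extension .{s} not allowed", None

    ext = suffixes[-1]
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match extension", None

    # Server-chosen name: the client name never reaches the filesystem or a URL.
    stored = f"{uuid.uuid4().hex}.{ext}"
    return True, "ok", stored


def download_headers(stored_name):
    """Headers for serving a stored file so the browser cannot reinterpret it."""
    ext = stored_name.rsplit(".", 1)[-1]
    return {
        "Content-Type": CONTENT_TYPES[ext],
        # Prevents MIME sniffing, which is what turns a mislabelled upload into HTML/JS.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }


def demo():
    """Run constructed canary uploads (assumed inputs, not real scanner traffic) through the validator."""
    png = MAGIC["png"] + b"\x00" * 8  # constructed: a minimal PNG prefix
    probes = {
        "escape_canary_<uuid>.php": b"canary",
        "escape_canary_<uuid>.jpg.php": b"canary",
        "escape_canary_<uuid>.svg": b"<svg/>",
        ".htaccess": b"AddType application/x-httpd-php .png",
        "photo.png": b"<?php echo 1; ?>",   # right name, wrong content
        "../../etc/evil.png": png,          # traversal in name, valid image body
    }
    return {name: validate_upload(name, body)[0] for name, body in probes.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name!r:38} accepted={accepted}")
```

Only the last probe is accepted, and even that one is stored under a random server-generated name with a `.png` suffix, so the inferred-URL retrieval step in the scanner's confirmation can only ever fetch a file whose bytes were verified as an image.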
References:
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.