Unrestricted File Upload

  • PCI 3.2-6.5.1
  • CWE 434
  • CAPEC 650
  • OWASP 2017-A1

Unrestricted File Upload is a vulnerability that occurs when an application accepts user-supplied files without sufficient validation of their name, type, content or size, or stores them where the web server can serve or execute them. Attackers exploit it to upload web shells, scripts, malware or configuration files, leading to remote code execution, server compromise or data loss. File upload functionality is common in content management systems, profile image uploads, document sharing platforms and administrative interfaces.

Common attack vectors:

  • Uploading executable scripts (e.g., PHP, JSP, ASP) and executing them on the server.
  • Uploading files with double extensions (e.g., file.php.jpg) to bypass naive checks that only look at the last extension, on servers whose handler mapping considers every extension in the name.
  • Uploading files with specially crafted metadata, embedded scripts, or malformed formats that exploit processing libraries.
  • Bypassing MIME type or filename checks by editing the client-supplied Content-Type header, which the server has no way to verify, or by prefixing script content with a valid image header so that it passes a content check (a polyglot file).
  • Uploading archives (ZIP, TAR) whose entry names contain path traversal sequences (../) or absolute paths, so that server-side extraction writes outside the intended directory and overwrites critical files (Zip Slip).

Impacts:

  • Remote Code Execution (RCE): executing attacker-supplied scripts on the server.
  • Privilege escalation: an uploaded script runs with the web server's account; if that account can write to or execute from sensitive directories, or the service runs as root, the attacker inherits those rights.
  • Denial of Service (DoS): uploading large files or malformed content to exhaust disk space or memory.
  • Data theft or manipulation: attackers can overwrite existing files or exfiltrate sensitive data.

Detection indicators:

  • File upload endpoints that accept unrestricted types or allow unexpected file extensions.
  • Unrestricted storage locations, particularly directories served by the web server.
  • Upload logic lacking content-type validation or relying solely on client-supplied headers.
  • Presence of uploaded executable scripts in publicly accessible directories.
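As an added example, not part of the original page, the following Python script audits a web-served upload directory for the last indicator above: files a web server might execute. It flags script extensions at any position in the name, server-side script markers at the start of a file or embedded after an image header, and per-directory configuration files that can change handler mappings. The extension set, marker list and the sample tree it builds are assumptions.

```python
"""Audit for files under a web-served upload directory that a web server could
execute. Added example, not code from the original page; the marker list,
extension set and sample tree are assumptions."""
import tempfile
from pathlib import Path, PurePosixPath

# Extensions a server might hand to an interpreter, checked at every position in
# the name so that shell.php.png is caught as well as shell.php.
SCRIPT_EXT = {".php", ".phtml", ".phar", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl", ".py", ".sh"}
# Byte patterns that open common server-side scripts; the first three are also
# searched inside otherwise benign-looking files to catch image/script polyglots.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"#!")
EMBEDDED_MARKERS = SCRIPT_MARKERS[:3]
# Per-directory config files that can change handlers or re-enable execution
CONFIG_NAMES = {".htaccess", "web.config"}


def classify(path: Path) -> list[str]:
    """Return the reasons a file is suspicious in an upload directory (empty list if none)."""
    reasons = []
    if path.name.lower() in CONFIG_NAMES:
        reasons.append("server config file")
    hits = {s.lower() for s in PurePosixPath(path.name).suffixes} & SCRIPT_EXT
    if hits:
        reasons.append("script extension " + ",".join(sorted(hits)))
    with open(path, "rb") as fh:
        head = fh.read(4096)  # a web shell, or its opening marker, sits near the start
    if head.lstrip().startswith(SCRIPT_MARKERS):
        reasons.append("starts with script marker")
    elif any(m in head for m in EMBEDDED_MARKERS):
        reasons.append("script marker inside non-script content")  # polyglot candidate; triage by hand
    return reasons


def scan(root: Path) -> dict[str, list[str]]:
    """Walk root and map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed upload tree in a temporary directory and scan it."""
    root = Path(tempfile.mkdtemp())
    samples = {  # constructed sample files
        "avatars/u1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,                    # clean image
        "avatars/u2.php.png": b"\x89PNG\r\n\x1a\n<?php system($_GET['c']); ?>",  # polyglot, double extension
        "docs/report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",                     # clean document
        "docs/.htaccess": b"AddType application/x-httpd-php .png\n",            # handler override
        "docs/notes.txt": b"<?php echo shell_exec($_POST['cmd']); ?>",         # shell behind a benign extension
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return scan(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {'; '.join(reasons)}")
```

Run it against a real upload tree with `scan(Path("/path/to/uploads"))`; every hit on the embedded-marker rule needs manual triage, since the byte patterns can occur in legitimate binary content.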

Remediation

Mitigating unrestricted file upload requires a combination of validation, sanitization, storage controls, and privilege restrictions.

  1. Whitelist Allowed File Types
    Permit only the extensions the feature actually needs (e.g., .jpg, .png, .pdf), compared case-insensitively, and reject everything else. The client-supplied Content-Type header may be logged but must not be the basis of the decision, since the client controls it.

  2. Validate File Contents
    Verify uploaded files against expected formats using magic numbers or content-based checks rather than relying solely on extensions or MIME headers.

  3. Sanitize Filenames
    Remove special characters, path traversal sequences, and overly long filenames. Generate server-side filenames to avoid collisions and injection.

  4. Store Files Outside Web Root
    Save uploaded files in directories that are not directly accessible via HTTP, so that no request path maps to them, and serve them through an application handler that sets the Content-Type (and, where appropriate, a Content-Disposition: attachment header) rather than by file path.

  5. Restrict Execution Permissions
    Ensure uploaded files cannot be executed by the web server. Set restrictive file system permissions (read/write only, no execute) and, in the server configuration, disable script handlers for the upload directory: interpreters such as PHP are invoked by handler mapping on the file name, not by the execute bit, so permissions alone do not prevent execution.

  6. Scan Files for Malware
    Integrate antivirus or file-scanning tools to detect known malware or malicious scripts before storage.

  7. Limit File Size
    Enforce maximum file size restrictions to prevent resource exhaustion attacks.

  8. Use Secure Upload APIs and Libraries
    Prefer well-tested libraries or framework features that handle safe file uploads, including validation, temporary storage, and secure processing.

  9. Logging and Monitoring
    Log upload attempts and monitor for suspicious patterns, such as unexpected file types or repeated uploads from a single source.

  10. Defense-in-Depth
    Combine upload validation with network security, web application firewalls, authentication, and access control mechanisms.

  11. Security Testing
    Include unrestricted file upload scenarios in penetration tests, code reviews, and automated scanning.
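The steps above combined into one pipeline, written for this page as an added example rather than taken from any particular project or library: validate_upload applies steps 1, 2, 3 and 7, store applies steps 4 and 5, and safe_archive_entries adds the Zip Slip check for the archive attack vector described earlier. The allowlist, size limit, permission mode, directory layout and constructed inputs are assumptions, and the client's Content-Type header is deliberately not an input.

```python
"""Hardened upload validation and storage. Added example, not code from the
original page; limits, the allowlist and the demo inputs are assumptions."""
import io
import os
import secrets
import stat
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath

MAX_BYTES = 5 * 1024 * 1024  # assumed size cap (step 7)

# Step 1 allowlist: final extension -> (magic prefix the content must start with, type to serve it as)
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".pdf": (b"%PDF-", "application/pdf"),
}
# Extensions a web server may hand to an interpreter; rejected anywhere in the
# name so that shell.php.jpg fails even though its final extension is allowed.
SCRIPT_EXT = {".php", ".phtml", ".phar", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl", ".py", ".sh"}


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the message is for the log, not the client."""


def validate_upload(filename: str, data: bytes) -> tuple[str, str]:
    """Return (server_side_name, content_type) for an acceptable upload, else raise."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Step 3: drop any directory part the client sent, whichever separator it used
    base = PureWindowsPath(PurePosixPath(filename).name).name
    suffixes = [s.lower() for s in PurePosixPath(base).suffixes]
    if not suffixes:
        raise UploadRejected("missing extension")
    ext = suffixes[-1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if any(s in SCRIPT_EXT for s in suffixes[:-1]):
        raise UploadRejected("script extension embedded in filename")
    # Step 2: the bytes must match the claimed type, independent of any header
    magic, content_type = ALLOWED[ext]
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    # Server-generated name: random token plus the validated extension, nothing from the client
    return f"{secrets.token_hex(16)}{ext}", content_type


def store(data: bytes, server_name: str, upload_root: Path) -> Path:
    """Steps 4 and 5: write under upload_root (outside the web root) without the execute bit."""
    root = upload_root.resolve()
    dest = (root / server_name).resolve()
    if dest.parent != root:  # defence in depth: the name must not escape the root
        raise UploadRejected("destination escapes upload root")
    # O_EXCL refuses to overwrite an existing file; 0o640 gives the app read/write and nobody execute
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def safe_archive_entries(archive: bytes) -> list[str]:
    """List ZIP members, rejecting the archive if any entry could escape the extraction directory."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = []
        for info in zf.infolist():
            posix = PurePosixPath(info.filename)
            if posix.is_absolute() or PureWindowsPath(info.filename).is_absolute() or ".." in posix.parts:
                raise UploadRejected(f"unsafe archive entry: {info.filename!r}")
            names.append(info.filename)
        return names


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed test input: an in-memory ZIP with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def run_demo() -> dict[str, str]:
    """Run the pipeline over constructed inputs and return the outcome per case."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    cases = {  # constructed inputs
        "shell.php": png,                                 # disallowed extension
        "shell.php.jpg": b"\xff\xd8\xff" + png,           # double extension
        "../../var/www/html/x.png": png,                  # traversal in the name; stripped, not fatal
        "notes.png": b"<?php system($_GET['c']); ?>",     # spoofed extension, wrong magic
        "huge.png": png + b"\x00" * MAX_BYTES,            # over the size cap
        "avatar.png": png,                                # genuine image
    }
    out = {}
    root = Path(tempfile.mkdtemp())
    for name, data in cases.items():
        try:
            server_name, ctype = validate_upload(name, data)
            mode = stat.S_IMODE(store(data, server_name, root).stat().st_mode)
            out[name] = f"stored as {server_name} ({ctype}) mode {mode:o}"
        except UploadRejected as e:
            out[name] = f"rejected: {e}"
    try:
        safe_archive_entries(build_zip({"../../etc/cron.d/job": b"* * * * * root id\n"}))
        out["zip"] = "accepted"
    except UploadRejected as e:
        out["zip"] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:28} {result}")
```

The magic-number check is a necessary filter, not a sufficient one: a file that begins with a valid PNG header and carries `<?php` later in its body passes it, which is why storage outside the web root and disabled script handlers for the upload directory remain essential; for images, re-encoding through an image library discards such trailing content. Python's own zipfile extraction already strips traversal components, but checking and rejecting explicitly logs the attempt instead of silently relocating the file, and archive libraries in other languages do not all sanitise.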
