# File Upload

File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size.

Attackers can leverage file upload vulnerabilities to upload malicious documents to the server intended to be downloaded by an end user or server-side script files which could potentially enable remote code execution.
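A server-side validator that covers the four properties named above (name, type, contents, size), as an added example that is not part of the original page; the extension allowlist, magic-byte table and 2 MiB limit are assumed policy values, not anything the page prescribes:

```python
import os
import re
import uuid

# Allowlist of extensions and the magic bytes each must begin with (assumed policy).
# Browser-rendered types such as svg and html are deliberately absent: they can
# carry script and are the file types the payload section warns about.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 2 * 1024 * 1024  # size limit: 2 MiB (assumed policy value)


def validate_upload(filename: str, data: bytes) -> str:
    """Check size, name, type and contents; return a safe storage name on success.

    Raises ValueError naming the failing check. The returned name is random,
    so the user-supplied name never reaches the filesystem.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise ValueError("size")
    # Name: reject any directory component (path traversal) and NUL/control bytes.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or re.search(r"[\x00-\x1f]", base):
        raise ValueError("name")
    # Type: exactly one dot, so double extensions like 'shell.php.jpg' fail.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("name")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise ValueError("extension")
    # Contents: the declared type must match the magic bytes, so a script or
    # HTML body renamed to .jpg is rejected even though the extension is allowed.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content")
    return f"{uuid.uuid4().hex}.{ext}"


def check(filename: str, data: bytes) -> str:
    """Return 'ok' or the name of the check that rejected the upload."""
    try:
        validate_upload(filename, data)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The sample inputs in the assertions below the block are constructed; real uploads should also be stored outside the web root and served with a fixed Content-Type.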

### Upload Scanner

The upload scanner extension in Burp Suite allows for easy and automated testing of file upload vulnerabilities. I've had this scanner find a number of vulnerabilities for me such as XSS and XXE while testing other functions of the web application.

{% embed url="<https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa>" %}

### Payloads

When testing file upload vulnerabilities it's important to try uploading different files to see how the application handles them. For example, you may not be able to trigger a payload from uploading an `svg` file but you may be able to using an `html` file.

The following repository on GitHub has a significant amount of ready-to-pwn payloads, notably in the XSS and XXE sections:

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings>" %}

Additionally, leverage an open source project for generating malicious PDFs such as "Malicious PDF Generator" from Jonas Lejon:

{% embed url="<https://github.com/jonaslejon/malicious-pdf>" %}

### References

{% embed url="<https://portswigger.net/web-security/file-upload>" %}

{% embed url="<https://twitter.com/NinadMishra5/status/1655538111517175810>" %}
