⌘K
ENES
GitHub
playbookSecurity Playbooks~1 min readUpdated Apr 23, 2026

Inspect File Upload Surface

Goal

Determine whether upload features create unsafe execution, storage, parser, or exposure paths.

Assumptions

  • uploads may be validated weakly
  • post-processing is often riskier than the upload itself
  • storage and serving paths may cross trust boundaries

Prerequisites

  • one or more upload or import features
  • ability to inspect storage, response behavior, or processing side effects where authorized

Recon steps

  1. Map all upload and import entry points.
  2. Identify where files are stored, transformed, previewed, or served.
  3. Note allowed extensions, MIME handling, naming, and public exposure.

Exploit / test steps

  1. Compare extension checks vs actual parser behavior.
  2. Test whether uploaded content is served back from executable or overly trusted contexts.
  3. Probe archive and document processing paths.
  4. Inspect filename handling and path assumptions.
  5. Look for predictable public URLs or indirect exposure of stored files.

Validation clues

  • unsafe file types accepted or mishandled
  • uploaded content becomes publicly reachable unexpectedly
  • processing path reveals parser or storage issues
  • files can influence downstream rendering or server behavior

Mitigation

  • validate more than extension alone
  • isolate storage and serving paths
  • avoid execution-capable contexts
  • review previews/transforms as part of the attack surface
  • use indirect references and safe naming

Logging / detection

  • unusual upload MIME/type combinations
  • repeated failed processing attempts
  • public access to files that should remain private

References

  • Testing / Lab: PortSwigger file upload vulnerabilities — https://portswigger.net/web-security/file-upload
  • Foundational: OWASP WSTG — https://owasp.org/www-project-web-security-testing-guide/latest/

Explore nearby notes

Security PlaybooksBreak JWT ValidationIdentify whether JWT handling is weak enough to allow acceptance of invalid, stale, mis-scoped, or attacker-influenced tokens. Security PlaybooksDetect BloodHound Collection_Playbook structure (Goal / Assumptions / Prerequisites / Detection steps / Validation clues / Mitigation / Logging / Operational safety), matching the trio... Security PlaybooksDetect DCSync and ntds.dit AccessDetect both forms of bulk Active Directory credential extraction — **DCSync** (IDL_DRSGetNCChanges via the DRSUAPI RPC interface) and **offline ntds.dit... Security PlaybooksDetect External Recon Scan PipelineDetect an external operator running a two-phase Masscan → Nmap-NSE recon pipeline (the offense playbook run-scan-pipeline) against your perimeter, with high enough... Security PlaybooksDetect Kerberoasting and AS-REP RoastingDetect both Active Directory Kerberos credential-attack families (Kerberoasting and AS-REP Roasting) via behavioral analysis on Event IDs 4768/4769 and... Security PlaybooksExploit IDORDetermine whether object identifiers can be manipulated to access another user's data or actions.