Shell Upload

Shell Upload

Category: Security Misconfiguration

Severity: Critical


Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

The Content-Type for uploaded files is provided by the user, and as such cannot be trusted, as it is trivial to spoof. Although it should not be relied upon for security, it provides a quick check to prevent users from unintentionally uploading files with the incorrect type.

Other than defining the extension of the uploaded file, its MIME-type can be checked for a quick protection against simple file upload attacks.

This can be done preferably in an allow list approach; otherwise, this can be done in a block list approach.

File Signature Validation

In conjunction with content-type validation, validating the file's signature can be checked and verified against the expected file that should be received.

File Content Validation

As mentioned in the Public File Retrieval section, file content can contain malicious, inappropriate, or illegal data.

Based on the expected type, special file content validation can be applied:

For images, applying image rewriting techniques destroys any kind of malicious content injected in an image; this could be done through randomization.

For Microsoft documents, the usage of Apache POI helps validating the uploaded documents.

ZIP files are not recommended since they can contain all types of files, and the attack vectors pertaining to them are numerous.


The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement.


  • Ensure that input validation is applied before validating the extensions.

  • Validate the file type, don't trust the Content-Type header as it can be spoofed

  • Change the filename to something generated by the application

  • Set a filename length limit. Restrict the allowed characters if possible

  • Set a file size limit

  • Only allow authorized users to upload files

  • Store the files on a different server. If that's not possible, store them outside of the webroot

  • In the case of public access to the files, use a handler that gets mapped to filenames inside the application (someid -> file.ext)

  • Run the file through an antivirus or a sandbox if available to validate that it doesn't contain malicious data

  • Ensure that any libraries used are securely configured and kept up to date

  • Protect the file upload from CSRF attacks

Last updated