25 Mar 2012 @ 10:47 AM 

I thought of sharing some general tips for testing the upload functionality of a web application. The list is focused on security issues, because upload is one of the inputs into the system and it is used by attackers quite often. Of course every application is different and not all of these tips apply every time and everywhere, but they can give useful ideas.

Please add your comments with other tips and I will add it to the list.

Tip1: Php injection – use “Knull shell”

It’s a PHP script; you can get it here https://code.google.com/p/knull-shell or you can unzip it from here. The idea is to try to upload this script and check whether you can execute it once it is on the web app under test.

Tip2: Upload large amount of content

If there is no validation of the file size or of the number of files that can be uploaded, and there is no CAPTCHA, you can fill up the server that handles the web app much more easily. This can become a problem under a deliberate continuous upload, or simply when dealing with a large number of users.

Tip3: What happens after the upload

Once a file is uploaded, you can see where it is stored. You can use that URL as a guide to find other stored files that you should normally not be authorized to see.

Tip4: Different type of injection using the filename

Use file names that can cause a malfunction. Even if the upload itself accepts the name, a later processing step (such as renaming the file) may show problems. Example: “ ' or '1'='1' — ';.jpg

Tip5: Upload files with long names

Tip6: Upload files with special chars

Tip7: Upload files to test the boundaries of size limits

Tip8: Test the format validation

In some cases there is no validation of the file format at all. In others there is only a validation based on the file extension. In others the uploaded files themselves are analyzed.

Tip9: Upload the same file multiple times

What happens then? What happens to the new file? What happens to the old files?

Tip10: Test upload performance

Check the speed of the upload.

Tip11: Upload files like “index.php” or “.htaccess”

Tip12: Try to upload while logged out, or upload as a different user/role

Tip13: Use the Null Byte in the upload

Use it in the file name, e.g. “test.php%00.jpg”, but also in the file content or in any other variation that might seem relevant.
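Most of the tips above (the null byte in Tip13, reserved names like index.php and .htaccess in Tip11, extension versus content checks in Tip8, hostile file names in Tip4 and Tip6, length in Tip5, size limits in Tip2 and Tip7, and guessable storage URLs in Tip3) describe checks that a server-side upload handler should be doing. The following validator is an added example written for this post; it is not code from the original post or from any particular framework. The size limit, the allowed-type table, the reserved-name list and the sample payloads are constructed for the example.

```python
import re
import secrets

# Constructed policy for the example: allowed extensions and the magic bytes
# a file with that extension must start with (Tip8: check content, not just the name).
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 2 * 1024 * 1024     # constructed limit for Tip2/Tip7 (2 MiB)
MAX_NAME_LEN = 100              # constructed limit for Tip5
# Tip11: names that must never be accepted regardless of their extension.
RESERVED_NAMES = {".htaccess", ".htpasswd", "web.config", "index.php", "index.html"}
# Anything outside this set is replaced; this covers the Windows-invalid
# characters (< > : " / \ | ? *), quotes, spaces and control characters (Tip4/Tip6).
UNSAFE_STEM_CHARS = re.compile(r"[^A-Za-z0-9_-]")


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_upload(filename: str, data: bytes) -> dict:
    """Validate an upload and return its sanitized display name plus a random storage name."""
    # Tip13: a raw NUL or a %00 in the name is rejected outright (conservative: %00 is
    # never part of a legitimate file name, and C-based libraries stop at the NUL).
    if "\x00" in filename or "%00" in filename.lower():
        raise UploadRejected("null byte in filename")
    # Tip2/Tip7: enforce the size boundary before anything looks at the content.
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("size out of bounds")
    # Tip5: refuse over-long names instead of silently truncating them.
    if len(filename) > MAX_NAME_LEN:
        raise UploadRejected("filename too long")
    # Keep only the last path component; path separators are never part of an upload name.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not base or base.lower() in RESERVED_NAMES:
        raise UploadRejected("reserved or empty filename")
    # Tip8: judge only the LAST extension against the allowlist, so "shell.php.jpg"
    # is treated as jpg and then has to pass the jpg magic-byte check below.
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # Tip4/Tip6: sanitize the stem for display. Inner dots are replaced too, so a later
    # renaming step can never reinterpret "shell.php.jpg" as a PHP file.
    safe_stem = UNSAFE_STEM_CHARS.sub("_", stem).strip("_- ") or "upload"
    # Tip3/Tip9: store under a random, unguessable name so stored files cannot be
    # enumerated from one URL and repeated uploads never overwrite each other.
    storage_name = f"{secrets.token_hex(16)}.{ext}"
    return {
        "display_name": f"{safe_stem}.{ext}",
        "storage_name": storage_name,
        "ext": ext,
        "size": len(data),
    }


if __name__ == "__main__":
    # Constructed sample payloads: a minimal JPEG header and a PHP stub.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    php = b"<?php echo 1; ?>"
    cases = [
        ("photo.JPG", jpeg),
        ("' or '1'='1' -- ';.jpg", jpeg),
        ("test.php%00.jpg", jpeg),
        ("shell.php.jpg", php),
        (".htaccess", jpeg),
        ("index.php", php),
        ("../../etc/passwd.jpg", jpeg),
    ]
    for name, payload in cases:
        try:
            print(f"{name!r:30} -> accepted as {validate_upload(name, payload)['display_name']}")
        except UploadRejected as why:
            print(f"{name!r:30} -> rejected: {why}")
```

The order of the checks matters: the size and null-byte checks run before the name is parsed or the content is read, and the magic-byte check runs only after the extension has passed the allowlist, so an attacker-controlled name never decides which parser looks at the bytes.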

Posted By: Eusebiu Blindu
Last Edit: 13 Apr 2012 @ 04:58 PM

Categories: General

Responses to this post » (2 Total)

 
  1. Christian says:

    Hi Sebi,

    nice list, good work.

    Small annotation for Tip #6: “Special” – or maybe better, invalid – characters differ from operating system to operating system (to be precise: “file system”). In a Unix/Linux environment nearly every special character can be used in a filename, whereas characters such as ‘*’, ‘?’ etc. are forbidden on Windows.
    I think every tester can think of some nice scenarios for this.

    @Tip7: What is the maximum for the upload based on? Filesize? Time of the upload? This might influence your test approach.

    Another one: Is it possible to re-trigger a failed file upload?

    Regards,
    Christian

    • Hi Christian,

      Thanks for the comment!
      Yeah, I agree for tip #6; in Linux you have more options to create file names regarding the usage of chars. I actually wrote this blog post from Windows ( :) ) and I was trying to use ‘?’ and couldn’t. Then I realized the possible OS differences.
      For tip #7 I was thinking primarily of the filesize limit, but time should also matter.
      The re-triggering of a failed upload is again a set of tests that can be done.
      I will try to make up additional “tips” from your comment.

      Regards,
      Sebi
