BIPI

File Upload Bypasses Hunters Actually Use: Extension, MIME, Magic Bytes, Path

Cybersecurity

File upload bugs sit between input validation, storage, and serving. This guide collects the bypass categories that still hit production: extension parsing quirks, MIME confusion, magic byte chimeras, path traversal in filenames, and the SSRF and XSS chains they unlock.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 20, 2023 · 10 min read

#file-upload#bug-bounty#web-security#rce#xss

Three Layers, Many Bugs

Upload validation, storage path, and serving are usually written by different people. A bypass at any layer can chain into XSS, SSRF, or RCE.

Extension Parsing Quirks

  • Double extensions such as shell.php.jpg: Apache mod_mime treats every dotted suffix as meaningful, so when PHP is wired up with AddHandler/AddType on .php (rather than a FilesMatch "\.php$" block) the file still reaches mod_php
  • Null byte truncation, shell.php%00.jpg, against PHP before 5.3.4 and any runtime whose filesystem calls stop at the first NUL: the validator sees .jpg, the disk sees shell.php
  • Case variants (shell.PHP, shell.pHp) against case-sensitive denylists, and Unicode look-alikes such as fullwidth letters or a fullwidth full stop that only collapse to ASCII after normalization
  • Less common handler extensions: phtml, phar, pht, php3, php5, php7, phps; denylists rarely cover them all
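As an added example (not code from the BIPI post), the following Python contrasts the kind of extension check that ships in production with one that survives the tricks above. The executable-suffix list is an assumption for illustration; the real list is whatever the target's handler configuration says. The sample filenames are constructed.

```python
import re
import secrets
import unicodedata
from typing import Optional

# Assumed set of suffixes a PHP-enabled web server may hand to the interpreter.
# Illustrative only: the authoritative list is the target's AddHandler/FilesMatch config.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}
ALLOWED = {"jpg", "jpeg", "png", "gif"}


def naive_is_allowed(filename: str) -> bool:
    """The check that ships: case-sensitive denylist on the text after the last dot."""
    ext = filename.rsplit(".", 1)[-1]
    return ext != "php"


def validated_extension(filename: str) -> Optional[str]:
    """Return the allowlisted extension the upload may be stored under, or None to reject.

    Every extension in the name is inspected (not only the last), the name is
    normalized before splitting, and control characters such as NUL reject outright.
    """
    base = re.split(r"[\\/]", filename)[-1]              # ignore any directory part
    if any(ord(c) < 0x20 or c == "\x7f" for c in base):
        return None                                       # NUL: legacy truncation tricks
    base = unicodedata.normalize("NFKC", base).lower()    # fold fullwidth look-alikes
    parts = base.split(".")
    if len(parts) < 2:
        return None
    exts = parts[1:]
    if not all(re.fullmatch(r"[a-z0-9]{1,8}", e) for e in exts):
        return None                                       # trailing dot, ';', literal '%00'
    if exts[-1] not in ALLOWED:
        return None
    if any(e in EXECUTABLE for e in exts[:-1]):
        return None                                       # shell.php.jpg: mod_mime may run it
    return exts[-1]


def storage_name(filename: str) -> Optional[str]:
    """Never reuse the client's name: server-generated stem plus the validated extension."""
    ext = validated_extension(filename)
    return None if ext is None else f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names covering the bypass categories above.
    for name in ["shell.php.jpg", "shell.php\x00.jpg", "shell.PHP", "shell.phtml",
                 "shell.php.", "shell.\uff50\uff48\uff50", "avatar.JPG", "my.photo.png"]:
        print(f"{name!r:30} naive={naive_is_allowed(name)!s:5} hardened={validated_extension(name)}")
```

The naive check accepts every bypass name and rejects only the literal shell.php; the hardened one accepts avatar.JPG and my.photo.png and nothing else, and the stored name never contains client-controlled text at all.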

MIME Type Confusion

Apps often check the Content-Type of the multipart part rather than sniffing the bytes. Set image/png on a script and the validator passes it through. Chain with content sniffing on the serving side: if the download response lacks X-Content-Type-Options: nosniff, the browser may decide for itself what the body is.

Magic Byte Chimeras

Some validators read only the first bytes to determine type. Prepend a valid PNG signature to the payload and that check passes too, and a file that is a genuine image with the payload tucked into a metadata chunk passes even a full decode. ImageTragick (the 2016 ImageMagick delegate bugs, triggered by MVG or SVG content whatever the extension said) and the old GIFAR GIF-plus-JAR polyglots are the same idea seen from the processor's side: the tool that opens the file decides what it is, and image pipelines that shell out to convert still surface this class of bug.
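The following Python is an added example (not from the BIPI post) covering both the MIME and the magic-byte sections. It builds two constructed files, a bare signature-plus-marker chimera and a structurally valid PNG carrying the same marker in a tEXt chunk, and runs them through three validators of increasing strength. The marker string is a constructed stand-in, not an exploit payload, and the chunk walker is a minimal PNG parser written for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed marker standing in for server-side code; not an exploit payload.
MARKER = b"<?php echo 'chimera'; ?>"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32(type + data), as the PNG spec lays out a chunk."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(extra_chunks=()) -> bytes:
    """A valid 1x1 RGB PNG; extra_chunks are (type, data) pairs inserted before IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type 2
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")          # filter byte + one black pixel
    body = png_chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += png_chunk(ctype, data)
    return PNG_SIG + body + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def build_chimera() -> bytes:
    """Signature prepended to the marker: fools validators that only sniff magic bytes."""
    return PNG_SIG + MARKER


def build_smuggled() -> bytes:
    """A structurally valid PNG whose tEXt chunk carries the marker (exiftool-style)."""
    return minimal_png([(b"tEXt", b"Comment\x00" + MARKER)])


def header_only_check(headers: dict) -> bool:
    """Weak validator 1: trusts the client's Content-Type."""
    return headers.get("Content-Type") == "image/png"


def signature_only_check(data: bytes) -> bool:
    """Weak validator 2: looks at the first eight bytes only."""
    return data.startswith(PNG_SIG)


def structural_check(data: bytes) -> bool:
    """Stronger: walk every chunk, verify CRCs, IHDR first, IEND last, nothing trailing."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first = len(PNG_SIG), True
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False                                  # chimera: '<?ph' read as a length
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            return False
        if first and ctype != b"IHDR":
            return False
        first = False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False


if __name__ == "__main__":
    for label, blob in [("chimera", build_chimera()), ("smuggled", build_smuggled())]:
        print(label, "signature:", signature_only_check(blob),
              "structural:", structural_check(blob), "marker present:", MARKER in blob)
```

The chimera passes the header and signature checks and fails the chunk walk; the smuggled file passes all three while still containing the marker byte for byte. That is the caveat of this section: type validation decides what the file looks like, and only the serving layer decides whether it can ever execute. Re-encoding through a decoder drops unknown chunks but is still no substitute for never serving uploads from an executable path.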

Path Traversal in Filenames

Filenames such as ../../../etc/passwd, or Windows-style ..\..\ variants, hit storage layers that join the name onto a directory without sanitizing it; in some path-join APIs an absolute filename replaces the directory outright. Even when storage is safe, the database row may keep the unsanitized name and surface it later in a download endpoint, in a Content-Disposition header or in a path built by a different service.
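An added Python example (not from the BIPI post) showing the unsafe join, a storage-side fix that keeps only the final path component and proves the resolved target stays under the root, and the download-side fix for the unsanitized name in the database row. The storage directory and sample names are constructed.

```python
import ntpath
import os
import posixpath
import re
from typing import Dict, Optional
from urllib.parse import quote


def unsafe_target(storage_dir: str, filename: str) -> str:
    """What many handlers do. os.path.join discards storage_dir when filename is
    absolute, and any '..' components are resolved by the kernel at open() time."""
    return os.path.join(storage_dir, filename)


def safe_target(storage_dir: str, filename: str) -> Optional[str]:
    """Keep only the final path component (under both separator conventions) and
    prove the resolved target is still inside the storage root; None means reject."""
    base = ntpath.basename(posixpath.basename(filename))
    if base in ("", ".", "..") or "\x00" in base:
        return None
    root = os.path.realpath(storage_dir)
    target = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, target]) != root:     # defence in depth for odd names
        return None
    return target


def check_names(storage_dir: str, names) -> Dict[str, Optional[str]]:
    """Map each candidate name to the path safe_target keeps, relative to the root."""
    root = os.path.realpath(storage_dir)
    result = {}
    for name in names:
        target = safe_target(storage_dir, name)
        result[name] = None if target is None else os.path.relpath(target, root)
    return result


def content_disposition(display_name: str) -> str:
    """The download endpoint is where the row's unsanitized name resurfaces. Strip
    header control characters, give an ASCII fallback, and percent-encode the UTF-8
    form (RFC 5987) so the original name is shown without ever being trusted."""
    clean = "".join(c for c in display_name if c >= " " and c != "\x7f")
    fallback = re.sub(r"[^A-Za-z0-9._-]", "_", clean) or "download"
    return f"attachment; filename=\"{fallback}\"; filename*=UTF-8''{quote(clean, safe='')}"


if __name__ == "__main__":
    samples = ["../../../etc/passwd", "..\\..\\boot.ini", "/etc/passwd", "..", "avatar.png"]
    for name in samples:                                 # constructed storage root
        print(f"{name!r:24} unsafe={unsafe_target('/srv/uploads', name)}")
    print(check_names("/srv/uploads", samples))
    print(content_disposition('report";\r\nX-Injected: 1.txt'))
```

The unsafe join turns "/etc/passwd" into exactly "/etc/passwd" and leaves the "../" sequences for the kernel to honour; the safe variant reduces every traversal name to its last component or rejects it. The header builder is the piece most teams forget: a stored name containing a quote or a CRLF is a header injection the moment it is echoed back.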

SVG Is Always Worth a Try

SVG is XML, and the format allows script elements, on* event handlers, javascript: hrefs and foreignObject wrappers around HTML. Many image pipelines accept it without sanitization. The script runs when the file is opened directly or embedded with object or iframe from the application's origin; referenced through an img tag it does not execute, so check how the avatar is actually served before writing the report. A stored XSS through an avatar is a common bounty win.
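An added Python example (not from the BIPI post) with a constructed avatar carrying the active-content vectors named above, a stdlib check that flags them, and the response headers to send if raw SVG has to be served at all. The checker uses xml.etree to stay dependency-free; for untrusted input in production, parse with defusedxml instead.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed avatar that a pipeline accepting raw SVG would store and later serve.
AVATAR_XSS = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.domain)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(2)"><text y="20">click</text></a>
  <foreignObject><iframe xmlns="http://www.w3.org/1999/xhtml" src="https://attacker.example/"/></foreignObject>
</svg>"""

# Constructed benign avatar for comparison.
BENIGN = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'

DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}


def svg_findings(svg_text: str) -> List[str]:
    """Active content that makes an SVG an XSS vector when served from the app's origin.
    xml.etree is used to stay stdlib-only; use defusedxml for untrusted input."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        local = el.tag.rsplit("}", 1)[-1].lower()          # strip the namespace
        if local in DANGEROUS_ELEMENTS:
            findings.append(f"<{local}>")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):                       # onload, onclick, onerror, ...
                findings.append(f"@{name}")
            elif name == "href" and re.match(r"\s*(javascript|data)\s*:", value, re.I):
                findings.append(f"@href={value[:24]}")
    return findings


def serving_headers() -> Dict[str, str]:
    """If raw SVG must be served anyway: no inline render, no script, no sniffing."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("xss avatar:", svg_findings(AVATAR_XSS))
    print("benign avatar:", svg_findings(BENIGN))
    print(serving_headers())
```

A finding list that is non-empty should mean reject or rasterize, not "strip and hope": attribute-level filtering has a long history of encoding bypasses, and converting the avatar to PNG removes the whole class.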

ZIP and Archive Tricks

  • Zip slip: archive entries named with ../ or an absolute path, written wherever the extractor joins them
  • Symlinks inside tar files: a link entry pointing outside the extraction directory, followed by an entry written through it or a later read of it, reaches host paths
  • Zip bombs, nested or high-ratio deflate, to test resource limits on the extractor
  • Polyglot zip and image files for parser confusion, since the zip central directory sits at the end and tolerates a leading image
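An added Python example (not from the BIPI post) that builds constructed archives for the first three bullets and runs the pre-extraction checks a hardened extractor should apply: every entry's resolved path stays under the destination, no symlink entries, and per-entry and total size limits. The limits and the destination directory are assumptions for illustration.

```python
import io
import os
import shutil
import stat
import tempfile
import zipfile
from typing import Dict, List, Optional

MAX_RATIO = 100                  # assumed per-entry uncompressed/compressed limit
MAX_TOTAL = 50 * 1024 * 1024     # assumed total uncompressed bytes per archive


def build_zip(entries: Dict[str, bytes], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Constructed test archive. zipfile writes whatever entry name it is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        for name, target in (symlinks or {}).items():
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16   # unix mode lives in the high word
            zf.writestr(zi, target)
    return buf.getvalue()


def check_archive(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Reasons to reject the archive before any byte touches disk; empty list means OK."""
    problems, total = [], 0
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")          # treat either separator as a path
            target = os.path.realpath(os.path.join(root, name))
            if "\x00" in info.filename or os.path.commonpath([root, target]) != root:
                problems.append(f"escapes dest: {info.filename!r}")
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"symlink entry: {info.filename!r} -> {zf.read(info)!r}")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append(f"ratio {info.file_size // info.compress_size}:1 on {info.filename!r}")
            total += info.file_size
    if total > MAX_TOTAL:
        problems.append(f"total uncompressed {total} exceeds {MAX_TOTAL}")
    return problems


def safe_extract(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Extract entry by entry (never extractall) once check_archive passes; returns paths written."""
    problems = check_archive(zip_bytes, dest_dir)
    if problems:
        raise ValueError("; ".join(problems))
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename.replace("\\", "/")))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written


def extract_to_tempdir(zip_bytes: bytes) -> Dict[str, bytes]:
    """Demo helper: extract into a fresh directory and read back what landed."""
    dest = tempfile.mkdtemp()
    out = {}
    for path in safe_extract(zip_bytes, dest):
        with open(path, "rb") as fh:
            out[os.path.relpath(path, os.path.realpath(dest))] = fh.read()
    shutil.rmtree(dest)
    return out


if __name__ == "__main__":
    samples = {
        "zip slip": build_zip({"../../evil.txt": b"x"}),
        "symlink":  build_zip({}, symlinks={"passwd": "/etc/passwd"}),
        "bomb":     build_zip({"zeros.bin": b"\x00" * 2_000_000}),
        "clean":    build_zip({"a/b.txt": b"hi"}),
    }
    for label, blob in samples.items():                  # constructed destination directory
        print(label, check_archive(blob, "/srv/extract") or "ok")
    print(extract_to_tempdir(samples["clean"]))
```

Two points the code makes that the bullets do not: the path check runs on the resolved path, so a later entry cannot sneak through a directory symlink created by an earlier one, and the ratio check uses the sizes recorded in the central directory, which the extractor must still enforce by counting bytes as it inflates, since those fields are attacker-controlled.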

Office Documents and Macros

Document conversion services often drive LibreOffice headless, through unoconv or a similar wrapper. Published CVEs in LibreOffice and in the parsers it bundles have been used for SSRF and RCE through crafted documents. Worth testing if the upload accepts docx, xlsx or odt, after confirming which converter and version sits behind the endpoint.

Image Processing CVEs

ImageMagick, Ghostscript, and FFmpeg have a long history of exploitable bugs. If the app processes images, it likely uses one of them. Test with known proof-of-concept files from public advisories.

Where the Bug Becomes RCE

  • Uploaded file served from a path that executes scripts
  • Cron or background job that processes the file with a vulnerable tool
  • Antivirus scanner with a parser bug
  • PDF generation with embedded fonts triggering Ghostscript

Tooling

  • Burp's Upload Scanner extension
  • exiftool for crafting metadata payloads
  • Polyglot generators on GitHub
  • fakeimg.py for quick magic byte tests

Upload bugs are often three small flaws stacked. Validation says yes, storage says yes, serving says yes, and you have RCE.

Closing

File upload remains a top earner because the path from a benign avatar to remote code execution is short on a lot of stacks. Test every upload, twice.
