File upload vulnerabilities arise when a server allows users to upload files without properly validating their name, type, contents, or size.


Unveiling File Upload Attacks - Part 1 | YesWeHack Learning Bug Bounty

Delving Deeper into File Upload Attacks - Part 2 | YesWeHack Learning Bug Bounty

Impact depends on which of these checks are missing -

File type isn't validated and the server config allows files of that type (e.g. .php and .jsp) to be executed as code → RCE

File name isn't validated → critical files can be overwritten by uploading a file with the same name.

File name allows directory traversal → files can be written to any directory on the server, not just the intended upload folder

File size isn’t checked → DoS
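The four checks above, written as one server-side validator. This is an added example, not code from the notes or from the linked YesWeHack articles; the policy (image-only endpoint, 2 MiB cap, the magic-byte table) is a constructed assumption.

```python
import os
import re
import secrets

# Constructed policy for a hypothetical image-upload endpoint.
MAX_SIZE = 2 * 1024 * 1024  # size check: cap the body so uploads cannot exhaust disk or memory (DoS)
# type + contents check: allowed extensions and the magic bytes a file of that type must start with
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
# name check: only a short alphanumeric stem, so no dots (double extensions) and no path characters
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, data):
    """Return (ok, detail). On failure detail names the failed check;
    on success detail is a server-generated storage name."""
    # Size first: a huge body is rejected before any parsing.
    if len(data) == 0 or len(data) > MAX_SIZE:
        return False, "size"
    # Name: refuse any directory component or traversal sequence.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or ".." in filename:
        return False, "name: path component"
    stem, dot, ext = base.rpartition(".")
    if not dot or not SAFE_STEM.fullmatch(stem):
        return False, "name: characters or double extension"
    # Type: the extension must be on the allowlist (never let .php/.jsp through).
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "type: extension not allowed"
    # Contents: the bytes must actually look like the claimed type.
    if not data.startswith(ALLOWED[ext]):
        return False, "contents: magic bytes do not match extension"
    # Overwrite protection: store under a random name, never under the client-supplied one.
    return True, "%s.%s" % (secrets.token_hex(8), ext)
```

Store the returned name in a directory outside the web root that the server is not configured to execute from; the original filename should only ever be kept as metadata.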

How do they arise?

How do web servers handle requests for static files?

Previously websites were entirely static, so every requested path could be mapped 1:1 to a file on the server. Nowadays sites are more dynamic and the path of a request often has no direct relationship to the filesystem. But servers still serve static files such as stylesheets and images, and the process for them is unchanged: the server parses the requested path, looks up the file extension, and compares it against a list of preconfigured mappings between extensions and MIME types.

File is non-executable, e.g. an image or HTML page → server sends the file contents in the response

File is executable, and the server is configured to execute files of that type → server runs the script, possibly assigning variables based on headers and params in the request, and the resulting output is sent in the response. This is why an unvalidated upload of a .php or .jsp file into an executable directory becomes RCE.