# **File Upload :**

 * **```The file upload feature allows users to upload files from their local device to a web server, such as images, documents, or other types of data```**

 * **The File Upload Process :**

     1) The user selects a file from their local system and submits it through the application's interface; the file is then sent to the server, typically in an HTTP POST request
     2) The server processes the file, which may involve validating, renaming, moving, or storing it in a specific location; the file ends up on the server's filesystem, in a database, or in a cloud storage system
     3) The file may be accessed later by the user or by other users, or it may be used by the server itself

 * **File Upload Parameters in The HTTP Request :**

     * **File Name ```(filename)``` :**

         * The original name of the file as supplied by the user (user-controlled, so it must not be trusted)
         
         * Can be used to save the file under its original name or to process it (e.g., validating that the file type is allowed)
         
         * **Example :** ```filename="ProfilePic.jpg"```


     * **Content-Type :**

         * Specifies the MIME type of the file being uploaded, as declared by the client

         * The server uses this information to understand the type of file being uploaded and to enforce restrictions on allowed file types; because the client sets it, it cannot be trusted on its own

         * **Example :** ```Content-Type: image/jpeg```


     * **File Size ```(Content-Length)``` :** 

         * The size of the file in bytes (in a multipart/form-data upload, Content-Length covers the whole request body, so the file itself is slightly smaller)

         * The server may use this to check whether the file exceeds any size limit imposed by the application

         * **Example :** ```Content-Length: 198674```


     * **File Content :**

         * The actual content of the file **(Binary Data)**

         * At the beginning of the file content there is a unique sequence of bytes called a **```file signature```**, also known as a **```magic number```** :

             * File signatures help in validating that the content of a file matches its expected type

             * Applications can use file signatures to prevent attackers from uploading files with disguised extensions

             * **Common File Signatures :**

                 * **.jpg image :** 

                     * **Signature (Hexadecimal) :** ```FF D8 FF E0``` or ```FF D8 FF E1```
                     * **Signature (ASCII) :** ```ÿØÿà``` or ```ÿØÿá```

                 * **.png image :** 

                     * **Signature (Hexadecimal) :** ```89 50 4E 47 0D 0A 1A 0A```
                     * **Signature (ASCII) :**  ```.PNG....``` 

                 * **.gif image :** 

                     * **Signature (Hexadecimal) :** ```47 49 46 38 37 61``` or ```47 49 46 38 39 61```
                     * **Signature (ASCII) :** ```GIF87a``` or ```GIF89a``` 


                 * For more, see <a href="https://en.wikipedia.org/wiki/List_of_file_signatures">the list of file signatures</a>


***

# **Unrestricted File Upload Vulnerability :**

 * **```A file upload vulnerability occurs when an application allows users to upload files but fails to properly validate or restrict what is uploaded```**

 * **Impact :**

     * If the server executes or processes the uploaded file without adequate security checks, it may lead to remote code execution (RCE), privilege escalation, or even a full takeover of the server


 * **Common Scenarios That Lead to Harmful File Uploads :**


     * **Lack of File Type Validation :**

         * The server might allow files with any extension, enabling attackers to upload potentially malicious executable files such as **```.php```** or **```.exe```**

     * **MIME Type Forgery :** 

         * Attackers might manipulate the MIME type of the uploaded file to make it appear harmless **```(pretending a PHP script is an image)```**


     * **Lack of Content Validation :** 
     
         * The content of the file is not inspected, so a malicious script may be uploaded even if it has a benign-looking extension  


     * **No File Size Limit :**

         * Attackers could upload extremely large files, which might cause denial-of-service (DoS) by exhausting server resources

     * **Insecure File Storage Location :** 

         * If uploaded files are stored in a publicly accessible location, attackers can request them directly and trigger malicious actions (such as executing an uploaded script)


***

 * **Mitigation Techniques :**

     * **File Type Validation :** 
     
         * Strictly enforce allowed file types (e.g., only images with .jpg or .png extensions). Use a whitelist (allow-list) approach instead of a blacklist, and decide based on the last extension of the name only

     * **Content Inspection :** 
     
         * Ensure the content of the file matches its expected format. For example, a .png image file should begin with the PNG magic number **```89 50 4E 47 0D 0A 1A 0A```** (**```.PNG....```** in ASCII)


     * **Rename Uploaded Files :** 
     
         * Avoid using user-supplied filenames. Rename the file to something random and unique upon upload, with an extension chosen by the server, so that attacker-chosen names cannot cause the file to be executed


     * **Secure File Storage :** 
     
         * Store uploaded files in a directory that is not web-accessible. Ensure that files cannot be executed even if they are uploaded (e.g., no script handler is configured for the upload directory)

     * **Limit File Size :** 
     
         * Restrict the size of uploaded files to prevent denial-of-service attacks
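
The mitigation chain above (allow-listed extension, Content-Type and file-signature check using the signatures from the File Content section, size limit, random server-chosen name) as an added Python example; it is not code from the original notes. The 2 MiB limit, the three allowed image types and the storage directory are assumptions.

```python
import os
import secrets
from pathlib import Path

# Allow-list: extension -> (required Content-Type, file signatures from the notes above)
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1")),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit: 2 MiB

class UploadRejected(ValueError):
    pass

def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return the allow-listed extension to store the file under, or raise."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Drop any directory part and refuse control characters (this covers \x00).
    name = os.path.basename(filename.replace("\\", "/"))
    if any(ord(c) < 0x20 for c in name):
        raise UploadRejected("control character in filename")
    # Only the LAST extension counts, so image.jpg.php is judged as 'php'.
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    mime, signatures = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != mime:
        raise UploadRejected("Content-Type does not match extension")
    if not data.startswith(signatures):
        raise UploadRejected("file signature does not match extension")
    return ext

def accepted(filename: str, content_type: str, data: bytes) -> bool:
    try:
        validate_upload(filename, content_type, data)
        return True
    except UploadRejected:
        return False

def store_upload(filename: str, content_type: str, data: bytes, storage_dir: str) -> Path:
    """Validate, then write under a random server-chosen name outside the web root."""
    ext = validate_upload(filename, content_type, data)
    dest = Path(storage_dir) / f"{secrets.token_hex(16)}.{ext}"
    dest.write_bytes(data)  # the user-supplied name never reaches the filesystem
    return dest
```

A PHP payload with a PNG signature prepended still passes the signature check, which is exactly why the file is written under a server-chosen `.png` name in a directory the web server does not execute from.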


***

# **Techniques for Bypassing the Mitigations :**

 * **Bypassing Black-Listing :**

     1) **Try Uncommon Alternative Extensions :**

         * For example, the .php extension has many alternatives (.pht, .phtml, .phar, .inc, .phps, .phpt, .pgif, .phtm); all of these extensions can be treated as .php by the server, depending on its configuration

     2) **Change Alphabet Case :**

         * The server may forbid only the .php extension itself while overlooking case variations such as .PHp or .Php


 * **Bypassing White-Listing :**

     1) **Double Extension Bypass :** 

         * Involves adding multiple extensions to a file name, where the first extension is allowed by the server and the second is the actual malicious extension **```FileName.AllowedEx.NotAllowedEx```**

         * **Example :** **```image.jpg.php```** when the file is requested, the server could treat it as a .php file


     2) **NULL Byte Bypass :**

         * This technique uses a null byte (%00 or \x00), which in some programming languages or older systems terminates strings, tricking the system into ignoring everything after the null byte **```FileName.NotAllowedEx%00.AllowedEx```**

         * **Example :** 
         
             * **```script.php%00.jpg```** the system may only see script.php, ignoring the rest of the name. This can allow the PHP file to be executed even though the server believes it is an image


     3) **Changing Content-Type Header :**

         * Involves modifying the Content-Type header in the upload request to make the server believe the file is a different type than it actually is

         * **Example :** 

             * A malicious file like script.php is uploaded with **```Content-Type: image/jpeg```**. If the server only checks the Content-Type header and not the actual content of the file, it may mistakenly allow the upload of a file that should be blocked




 * **Tampering with Magic Numbers :**

     * Attackers can manipulate a file's magic number to match a format that the server accepts, while the actual file content remains malicious

     * **Example :**

         * An attacker could prepend the magic number of a valid image format (e.g., PNG) to a PHP file, tricking a server that relies on the signature check alone into accepting it as an image
