File Upload

Lab: DVWA
Scenario: File Upload Vulnerability
Difficulty: Advanced
Estimated Time: 40 minutes

Learning Objectives

By the end of this scenario, you will be able to:

  • Identify file upload vulnerabilities
  • Understand the risks of unrestricted file uploads
  • Exploit file upload functionality
  • Implement secure file upload controls

Setup

Prerequisites

  • DVWA lab running at CSN Labs
  • Web browser (Chrome/Firefox recommended)
  • Security level set to "Low"

Initial Configuration

  1. Log into DVWA
  2. Set security level to "Low"
  3. Navigate to "File Upload" module

Scenario Story

You are testing a web application's file upload functionality. The application allows users to upload files, but may not properly validate or restrict what can be uploaded. Your goal is to understand file upload vulnerabilities and their impact.

Step-by-Step Walkthrough

This scenario walkthrough will be completed with detailed steps.

Why This Works

File upload vulnerabilities occur when:

  • File type validation is insufficient
  • File content is not properly checked
  • Uploaded files are stored in web-accessible directories
  • Executable files can be uploaded and executed

Defender Notes

How to Detect

  • Monitor file uploads for suspicious types
  • Scan uploaded files for malicious content
  • Review file storage locations and permissions
  • Check for executable files in web directories

How to Prevent

  1. File Type Validation: Validate file types both by extension and content
  2. Secure Storage: Store uploaded files outside web root or with restricted access
  3. File Scanning: Scan uploaded files for malware
  4. Size Limits: Enforce file size restrictions
  5. Rename Files: Rename uploaded files to prevent direct access
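The controls above in working form, as an added example that is not part of the DVWA lab or its PHP code: a Python upload handler (the allow-list, the 2 MiB limit and the sample files are assumptions) that allow-lists the extension, checks the content's magic bytes, caps the size, discards client-supplied path components, and stores the file under a random server-chosen name in a directory the caller places outside the web root. Malware scanning (item 3) is left to an external scanner.

```python
import os
import secrets
import tempfile

# Constructed policy: allow-listed extensions and the magic bytes each must begin with.
ALLOWED = {"jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
           "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a")}
MAX_BYTES = 2 * 1024 * 1024  # example size limit (2 MiB)

def validate_upload(filename: str, data: bytes) -> str:
    """Return the accepted extension or raise ValueError with the reason."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    base = os.path.basename(filename.replace("\\", "/"))  # '../' in the name is inert
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:  # allow-list by extension ...
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED[ext]):  # ... and by content (magic bytes)
        raise ValueError("content does not match declared type")
    return ext

def store_upload(filename: str, data: bytes, storage_dir: str) -> str:
    """Validate, then write under a random server-chosen name in storage_dir."""
    ext = validate_upload(filename, data)
    new_name = f"{secrets.token_hex(16)}.{ext}"  # client never picks the stored path
    fd = os.open(os.path.join(storage_dir, new_name),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # never overwrite
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return new_name

def upload_verdict(filename: str, data: bytes, storage_dir: str) -> str:
    # 'accepted' or 'rejected: <reason>' for one upload attempt
    try:
        store_upload(filename, data, storage_dir)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "accepted"

def demo() -> dict:
    """Run the policy over constructed samples; the temp dir stands in for storage outside the web root."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    samples = {
        "valid png": ("photo.png", png),
        "php text, jpg name": ("avatar.jpg", b"<?php echo 1; ?>"),
        "php extension": ("notes.php", png),
        "traversal in name": ("../../x.png", png),
        "oversized gif": ("big.gif", b"GIF89a" + b"\x00" * MAX_BYTES),
    }
    storage_dir = tempfile.mkdtemp()
    return {label: upload_verdict(f, d, storage_dir) for label, (f, d) in samples.items()}
```

demo() returns one verdict per constructed sample. A magic-byte check is not a full parse, so a file that is both a valid image and script text still depends on the outside-web-root storage and non-executable handling the list above calls for.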

Try These Variations

Easy

  • Upload different file types
  • Test basic file type restrictions

Medium

  • Attempt to bypass file type validation
  • Test for path traversal in file names

Hard

  • Try advanced file upload techniques
  • Attempt to upload and execute web shells
  • Test for race conditions

Evidence Checklist

Capture screenshots of:

  • File upload form
  • Successful malicious file upload
  • File execution or access
  • Bypass techniques used

Next Steps