File upload functionality is ubiquitous in modern web applications—user profile images, document attachments, and media files all rely on this feature. When a user submits a file, the server typically validates properties like file type, extension, size, and renames the file before storing it in a designated directory.

If the backend validation is insufficient or missing, attackers can upload malicious files such as webshells, potentially compromising the entire server. Secure file upload implementation requires:

• Strict validation of file types, extensions, and sizes
• Verification of upload method and request headers
• Complex file renaming schemes
• Concealment of stored file paths

Bypassing Client-Side Validation

Client-side checks are easily circumvented since they run entire in the user's browser.

Demonstration

1. Navigate to the target upload interface and attempt to upload shell.php
2. The upload fails, displaying a restrictive file type error
3. Inspect the page source to locate the validation logic:

<input type="file" accept=".jpg,.png,.gif" onchange="validateFile(this)" />

4. Remove the onchange attribute or disable JavaScript to bypass client validation
5. Upload the PHP file successfully

Client-side validation serves only for user experience improvement and cannot replace server-side security measures.

MIME Type Bypass

MIME (Multipurpose Internet Mail Extensions) types describe file formats and determine how browsers handle specific files. Common MIME types include:

Extension	MIME Type
.html	text/html
.txt	text/plain
.gif	image/gif
.jpg	image/jpeg
.png	image/png

Servers often validate uploads by checking the Content-Type header, but this header can be manipulated by the client.

Demonstration

1. Attempt to upload shell.php directly—the server rejects it
2. Intercept the request with a proxy tool (Burp Suite, etc.)
3. Modify the Content-Type header from application/x-php to image/png
4. Forward the modified request

The server accepts the file based on the misleading MIME type, and the PHP file is stored successfully. This occurs because the server relies on client-supplied headers rather than verifying the actual file content.

Image Validation Bypass Using getimagesize()

The getimagesize() function returns file dimensions and type information by examining file headers and metadata.

array getimagesize ( string $filename [, array &$imageinfo ] )

This function identifies GIF, JPG, PNG, SWF, PSD, TIFF, BMP, and other image formats. If a server uses getimagesize() alone to verify uploaded files, it can be bypassed because image headers can be spoofed.

Demonstration

1. Create a valid image file using system tools:

copy /b image.jpg + webshell.php disguised.jpg

2. This command concatenates a legitimate JPEG file with PHP code, creating a polyglot file
3. Upload the disguised.jpg file to the target
4. The server calls getimagesize() which detects valid image headers and accepts the upload
5. Access the uploaded file directly to execute the embeddded PHP code

This technique exploits the difference between file extension validation and content-type detection.

Recommended Countermeasures

Server-side validation should never depend solely on:

• Client-provided headers or extension checks
• Single function calls like getimagesize()
• File extension blacklists (use whitelists instead)

Implement comprehensive validation including magic byte verification, execution prevention in upload directories, and random filename generation.