
Saturday, August 3, 2019

Six Tips and Four Tools for File Upload Testing

I've been testing file uploads lately, which is always fun.  It's also important, because uploading a malicious file is one of the ways that a bad actor can exploit your application, either by taking down your application, or by extracting sensitive data from it.  In this week's post, I'll offer six tips and four tools to help you be successful with testing file uploads.


Tip One: Upload Files With Allowed and Forbidden Extensions

The first step in testing file uploads is to find out what kinds of files will be allowed to be uploaded.  The allowed file types should be defined as a whitelist, NOT a blacklist.  A whitelist specifies that only certain extensions will be allowed, whereas a blacklist specifies what is not allowed.  You can imagine that when a blacklist is used, there are dozens and dozens of file types that will be allowed, some of which you will not want in your application!  Therefore, it's important to use a whitelist instead, which will be limited to the very few types of files that you want interacting with your application.  If your developers are not using a whitelist, please share this information with them.

Once you know what the whitelisted file types are, try uploading each type.  Then try uploading a wide variety of files that are not whitelisted.  Each of those files should be rejected with an appropriate error message for the user.

Tip Two: Upload Files With Inaccurate Extensions

One of the tricks malicious users employ to upload forbidden files is to rename a malicious file with an allowed extension.  For example, a bad actor could take a .js file and rename it as a .jpg file.  If .jpg files are allowed in your application, the file might be uploaded and then executed when opened by an unsuspecting user.  So it's important for your application to have checks in place to not only verify the extension, but also to scan the file to verify its type.  

It's easy to test this by simply taking a forbidden file, renaming it to have an allowed extension, and attempting to upload the file.  The file should be rejected with an appropriate error message.  The attempt should also be logged by the application, so if there is ever an upload attempt of this kind in production your security team can be alerted.
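The checks from Tips One and Two can be sketched as a small validator plus the test matrix a tester would run against it. This is an added example, not code from the original post; the whitelist contents, the function names and the sample files are assumptions made for illustration.

```python
import logging
import os

log = logging.getLogger("upload")

# Assumed whitelist for illustration: extension -> leading bytes of a genuine file.
WHITELIST = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

def check_upload(filename, data):
    """Return (accepted, reason) for one upload; rejections are logged."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in WHITELIST:
        reason = "extension not allowed"
    elif not data.startswith(WHITELIST[ext]):
        reason = "content does not match extension"
    else:
        return True, "ok"
    # %r keeps control characters in a hostile filename out of the log line.
    log.warning("upload rejected (%s): %r", reason, filename)
    return False, reason

# Constructed test matrix: (filename, first bytes of content, expected verdict).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JS = b"console.log('not an image');"
CASES = [
    ("photo.png", PNG, True),          # whitelisted and genuine
    ("PHOTO.PNG", PNG, True),          # extension check is case-insensitive
    ("script.js", JS, False),          # forbidden extension
    ("script.jpg", JS, False),         # forbidden file renamed (Tip Two)
    ("photo.png.js", PNG, False),      # only the final extension counts
    ("photo.jpg", PNG, False),         # allowed type under the wrong extension
    ("noextension", PNG, False),       # no extension at all
]

def run_matrix():
    """Return the filenames whose verdict differs from the expected one."""
    return [name for name, data, want in CASES
            if check_upload(name, data)[0] != want]

if __name__ == "__main__":
    print("unexpected verdicts:", run_matrix())
```

A matching signature only shows that the file starts like the claimed type, so treat this as the first check before any fuller content scan.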

Tip Three: Test for Maximum File Size

Your application should specify a maximum file size.  Files that are too big can cause damage to your application either by slowing it down or causing it to crash, and can even cause data to be accidentally exposed, such as in a buffer overflow exploit.  

Find out what your application's maximum file size is, and verify that files equal to and less than that size are uploaded appropriately.  Then verify that files over that maximum size are rejected with an appropriate error message.  Be sure to test with files just over the maximum size, and with files well over the maximum size.  

Tip Four: Test With Animated GIFs

Often when image uploads are allowed in an application, the .gif extension is one of the allowed types.  GIFs can sometimes contain animation.  Verify with your team whether your application will allow animated GIFs, and if not, verify what should happen if a user uploads one.  Will the file just display as a static image, or will the file be rejected?  Make sure that uploading an animated GIF does not result in a broken image on the page.  If animated GIFs are accepted, verify that each one loads and displays its animation properly (see the next tip).
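To know which of your test GIFs are actually animated, or to check what the application stored after an upload, you can count the frames in the file. This is an added example, not code from the original post; it walks the GIF block structure, and the function names and the tiny sample files are constructed for illustration.

```python
import struct

def _table_len(packed):
    # Bit 7 flags a colour table; the low 3 bits n give 2^(n+1) RGB entries.
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def _skip_sub_blocks(data, pos):
    """Walk a chain of length-prefixed sub-blocks up to its 0 terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def count_gif_frames(data):
    """Count image descriptors in a GIF; raise ValueError if malformed."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        pos = 13 + _table_len(data[10])      # header + logical screen descriptor
        frames = 0
        while data[pos] != 0x3B:             # 0x3B is the trailer
            if data[pos] == 0x21:            # extension: label, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif data[pos] == 0x2C:          # image descriptor starts a frame
                frames += 1
                pos += 10 + _table_len(data[pos + 9])
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW code size
            else:
                raise ValueError("unexpected block type")
        return frames
    except IndexError:
        raise ValueError("truncated GIF") from None

def is_animated_gif(data):
    return count_gif_frames(data) > 1

# Constructed 1x1 samples; pixel data is a placeholder, only the block layout matters.
_HEAD = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00" * 3 + b"\xff" * 3
_FRAME = (b"\x21\xf9\x04\x00\x0a\x00\x00\x00"               # graphic control ext.
          + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # image descriptor
          + b"\x02\x02\x44\x01\x00")                        # code size + data
STATIC_GIF = _HEAD + _FRAME + b"\x3b"
ANIMATED_GIF = _HEAD + _FRAME * 3 + b"\x3b"

if __name__ == "__main__":
    print(count_gif_frames(STATIC_GIF), count_gif_frames(ANIMATED_GIF))
```

A truncated or malformed file raises ValueError rather than returning a frame count, which is also a useful negative test case for the upload itself.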

Tip Five: Verify That the File Was Uploaded Correctly

It's not enough to verify that you don't get an error message when you upload a whitelisted file.  You also need to verify that the file was saved to the database correctly.  The easiest way to do this is to download the file and make sure it looks the same way it did when you uploaded it.  If your file should be displayed in the UI, you should make sure that the file looks correct in a browser or on a mobile device.  If an image that you uploaded should be resized on the page, make sure that it has resized correctly.  You don't want to have other data obscured because someone uploaded an image that's too large!  If you are expecting a video or audio file to play, make sure it's playable. 

Tip Six:  Have a Folder With File Examples for Testing

My favorite tip is to have a folder filled with files of all kinds for use in testing.  I have a folder with tons of files with different extensions and a wide variety of sizes.  This way whenever I need to test file uploads, I'm ready to go with test files and I don't have to waste time combing the internet for good examples to use.  

This brings me to my Four Tools for File Upload Testing!


I recently discovered this site when I realized that I needed some files with a .doc rather than a .docx extension.  This site definitely delivered, and it has many other example files as well.


I mentioned this tool in my Fifteen Free Tools to Help With Testing post.  When you need to test file size limitations, you can use this tool to create files of all different sizes.


This is an extensive, easy-to-read list of all the MIME types and their extensions.  It's very helpful when you want to identify less common file types to test with, or when you are wondering what MIME type goes with a certain extension.  

Tool Four: EICAR Test File

If your application has virus-checking for uploaded files, you will want to use this test file.  It is a file that is designed to look like it has a virus, but it is actually virus-free.  You may find, however, that if your computer has virus-checking you won't actually be able to download the file!  I was able to get around this by having someone send me the text of the file through chat, and then I pasted the text into the raw input window of Postman for my upload request.  

File uploads are one of my favorite things to test.  If you follow these tips and use these tools, it may become one of your favorites as well!

2 comments:

  1. Nice post Kristina.
    Recently I unearthed one security defect from our application that relates to file uploads. Our application is built with a security feature that it does not usually allow cross site scripting (XSS) through browsers.
    What I did was, I inserted a simple XSS script in one of the upload files, an Excel file that we use for uploading some data related to application functionality. The application inserted the entire content into its db, and also the XSS script.
    Whenever a user was navigating to the UI to look at the uploaded data, the browser was executing the XSS also, which was not good and a loophole :)

    1. Wow, that's a great find! What a good idea to put an XSS script into an Excel file!
