Introduction
While there are numerous techniques for testing file upload vulnerabilities (including tools such as Fuxploider, https://github.com/almandin/fuxploider.git), a lesser-known method is extension truncation. In this technique, an otherwise disallowed file is renamed so that an additional, approved extension is appended after a large number of spaces. The trailing extension can satisfy a file extension whitelist, so the application accepts and stores the original (potentially malicious) file. As a result, users who later download the file may inadvertently receive the malicious payload.
Initial testing
Before proceeding, it is recommended to test the application to verify whether it relies solely on the file extension to validate uploaded files.
To do this, take a benign file of a disallowed type (for example, cmd.exe) and rename it with an approved extension, such as cmd.csv (if the upload functionality only accepts .csv files).
Attempt to upload this renamed file. If the application accepts the file, you can proceed to the next step.
Testing for extension truncation
You can now perform the following steps to test for extension truncation:
- Select your payload file (e.g., exploit.exe or the previously used benign cmd.exe file).
- Rename the file by inserting the maximum number of spaces before appending an approved extension, such as .csv. The resulting name is the original name, followed by the padding spaces, followed by the approved extension (for example, exploit.exe, then the spaces, then .csv).
- Upload the file to the target application.
- Access the application’s download area and download the file. Check whether the .csv extension has been dropped; if so, the file will be downloaded as exploit.exe.

If the application allows files to be downloaded without authentication, this vulnerability could serve as a prime entry point for distributing malware within an organisation, potentially allowing attackers to gain an initial foothold.
Conclusion
Extension truncation is a subtle yet highly effective technique for bypassing file upload restrictions that rely solely on file extensions. As demonstrated, attackers can exploit this weakness to upload and distribute malicious files, potentially compromising users and internal systems. This highlights the critical importance of implementing robust file validation mechanisms on both the client and server sides, going beyond simple extension checks to include thorough inspection of file content and metadata. Regular security testing, including checks for extension truncation, is essential to safeguard applications against such vulnerabilities and to protect users from potential threats.
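As an added example (not code from the original post), the following Python shows the extension-only check that the technique above defeats next to a hardened validator that rejects the padded name before storage and inspects the content. The 255-character storage limit, the padded filename and the sample payload bytes are assumptions constructed for illustration.

```python
import os
import re
import uuid

ALLOWED = {".csv"}
MAX_NAME_LEN = 255  # assumed storage limit that silently clips longer names

# Constructed samples (not from the original post): a padded upload name and two payloads.
PADDED_NAME = "exploit.exe" + " " * 250 + ".csv"   # 265 characters, ends in .csv
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 60            # PE-style header, stands in for cmd.exe
CSV_BYTES = b"id,name\n1,alice\n"

def weak_accept(filename: str) -> bool:
    """Vulnerable check: trusts whatever extension the client-supplied name ends with."""
    return filename.lower().endswith(tuple(ALLOWED))

def store_name_weak(filename: str) -> str:
    """Assumed storage behaviour: clip to MAX_NAME_LEN, then strip whitespace.
    With enough padding the approved extension is exactly the part that gets clipped."""
    return filename[:MAX_NAME_LEN].strip()

def hardened_accept(filename: str, content: bytes) -> tuple:
    """Validate the name before storage and inspect the bytes, not just the suffix."""
    name = os.path.basename(filename.replace("\\", "/"))      # drop any path component
    if not name or re.search(r"\s", name):                    # the padding lives here
        return False, "whitespace or empty filename"
    if len(name) > MAX_NAME_LEN:                              # nothing may be clipped later
        return False, "name too long"
    stem, ext = os.path.splitext(name)
    if not stem or ext.lower() not in ALLOWED:
        return False, "extension not allowed"
    if "." in stem:                                           # strict policy: one extension only
        return False, "multiple extensions"
    if content.startswith(b"MZ") or b"\x00" in content:       # executables are never CSV text
        return False, "content is not text"
    try:
        content.decode("utf-8")
    except UnicodeDecodeError:
        return False, "content is not UTF-8 text"
    return True, stem + ext.lower()

def safe_store_name(validated_name: str) -> str:
    """Never reuse the client name on disk: server-generated name plus the allowed extension."""
    return uuid.uuid4().hex + os.path.splitext(validated_name)[1]

if __name__ == "__main__":
    print("weak accepts:", weak_accept(PADDED_NAME), "-> stored as", repr(store_name_weak(PADDED_NAME)))
    print("hardened:", hardened_accept(PADDED_NAME, EXE_BYTES), hardened_accept("report.csv", CSV_BYTES))
```

Run as a script, the weak path accepts the padded name and stores it as exploit.exe, while the hardened path rejects it on the whitespace check alone.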
Feel free to contact us if you have any questions or would like to discuss this topic further (including scheduling a security assessment of your web applications or file upload functionality).