SECURITY TESTING
Secure File Upload Testing
Hands-on checks: practical security checks for file upload features — allowed and blocked types, MIME checks, size limits, filenames, and who can access uploaded files.
When to use this page: when a feature lets users upload files and you want to confirm dangerous or incorrect files are rejected and stored files are properly access-controlled.
File upload is a high-risk feature because it accepts content and then often stores, serves or previews it. QA can cover most of the risk with safe checks: what the app accepts and blocks, how it validates files, and who can reach a file once it is stored. No malware or exploit files are needed — use ordinary safe test files.
// What to verify
- Allowed file types upload successfully.
- Blocked file types are rejected with a clear message.
- File size limits are enforced (too-large files rejected).
- Empty and corrupted files are handled gracefully.
- Malware-scan status is respected where the product has scanning.
- Private files are not reachable without permission.
- Deleted files are no longer downloadable.
- Preview and download respect the user's permissions.
// File validation checks
| Check | Safe test idea |
|---|---|
| Extension vs type | Rename a .txt to .png and upload — confirm the server validates real content, not just the extension. |
| MIME type | Confirm the server checks the declared MIME type and rejects mismatches. |
| Double extension | Upload a file named report.pdf.exe and confirm it is rejected. |
| File size | Upload just over the documented limit and confirm a clean rejection, not a crash. |
| Empty file | Upload a 0-byte file and confirm a clear, non-breaking error. |
| Corrupted file | Upload a truncated image and confirm it is handled without a stack trace. |
| Long filename | Upload a file with a very long name and confirm it is truncated or rejected safely. |
| Special characters in filename | Use spaces, unicode and symbols and confirm they are handled and displayed safely. |
Check a MIME type
Use the MIME Type Checker utility to confirm what type the server should expect for a given file.
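As an added example (not code from this page or from any product under test), here is a server-side validator that implements the behaviour the table above checks for: content signature versus extension, declared MIME type, every suffix of a double-extension name, size, empty and truncated files, and filename sanitisation. The extension allow-list, the 100-character stem limit and the PNG stub used as sample input are assumptions.

```python
"""Allow-list upload validator: the server-side counterpart of the checks in the
table above (constructed example, not the product's own code)."""
import os
import unicodedata

MAX_STEM_LEN = 100  # assumption: the product's documented filename limit
# Allowed extensions, the content signature (magic bytes) each must start with,
# and the MIME type the client is expected to declare for it.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".gif": b"GIF8", ".pdf": b"%PDF-"}
MIME = {".png": "image/png", ".jpg": "image/jpeg",
        ".gif": "image/gif", ".pdf": "application/pdf"}
PNG_TRAILER = b"IEND\xae\x42\x60\x82"  # the last 8 bytes of every complete PNG


def safe_name(filename):
    """Drop any directory part, normalise unicode, keep only conservative
    characters, and cap the stem so a long name is truncated, not rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = unicodedata.normalize("NFKC", base)
    base = "".join(c if c.isalnum() or c in "._-" else "_" for c in base)
    stem, ext = os.path.splitext(base)
    return (stem.lstrip(".")[:MAX_STEM_LEN] or "upload") + ext.lower()


def validate_upload(filename, data, declared_mime, max_bytes):
    """Return (accepted, reason, stored_name); every check is an allow-list."""
    if not data:
        return False, "empty file", None
    if len(data) > max_bytes:
        return False, "exceeds size limit", None
    name = safe_name(filename)
    # Every dotted suffix must be allowed, so report.pdf.exe and shell.php.png both fail.
    parts = name.lower().split(".")
    if len(parts) < 2 or any("." + p not in MAGIC for p in parts[1:]):
        return False, "extension not allowed", None
    ext = "." + parts[-1]
    if declared_mime != MIME[ext]:
        return False, "declared MIME type does not match extension", None
    if not data.startswith(MAGIC[ext]):  # a .txt renamed to .png fails here
        return False, "content does not match extension", None
    if ext == ".png" and not data.endswith(PNG_TRAILER):
        return False, "truncated or corrupted image", None
    return True, "ok", name


# Constructed sample: a stub with a valid PNG header and trailer (not a real image).
SAMPLE_PNG = MAGIC[".png"] + b"\x00" * 16 + PNG_TRAILER
```

Feeding each row of the table through `validate_upload` (the renamed .txt, the double extension, the 0-byte file, a copy of the stub with its last bytes cut off) gives the expected rejection reason for every case and a sanitised stored name for the accepted ones.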
// Storage and access checks
- User A cannot access User B's uploaded file by changing the id or URL.
- A removed user can no longer access files they previously could.
- A file/share link expires when it is supposed to.
- A private file is not indexed publicly or reachable by direct URL.
- A deleted file returns 404 / access-denied, not the file.
- File preview respects the same permissions as download.
Test the direct file URL
Copy the direct URL of an uploaded file and open it while logged out, or as a different user. A private file should not load. This is one of the most common real-world upload bugs.
// Evidence to collect
- The file used (type, size, filename) and the upload endpoint.
- Expected vs actual result (accepted/rejected, status code).
- For access checks: the role/account used and the direct URL tested (file contents not attached).
- Screenshots of the UI and network panel.
// When to escalate
- A private or deleted file is reachable by direct URL or by another user.
- A blocked or executable file type is accepted by the server.
- An upload error exposes internal paths, stack traces or storage details.