File Upload Bugs
// 3 bugs
Bugs in file type validation, size limits, upload progress, storage, and file preview.
// Why it matters
File upload bugs range from minor UX problems to serious security vulnerabilities. Accepting the wrong file type, bypassing a size limit, or leaving a private file publicly accessible via its direct URL are all real-world bugs that testers should know how to find.
// Common symptoms
- Unsupported file type is accepted and uploaded without an error
- File larger than the stated limit is accepted
- Upload progress shows 100% but the file is missing from storage
- File with special characters in the name breaks the upload silently
- Private uploaded file is publicly accessible via its direct URL
- Valid file is rejected with no clear error message
// Bugs in this category
A file upload endpoint that restricts acceptable file types to image/jpeg, image/png, and application/pdf accepts a file whose MIME type is application/octet-stream (an executable). The upload succeeds and the file is stored, because validation is enforced only in the frontend; the backend API does not re-validate the Content-Type or inspect the file's magic bytes.
The application documents a 10 MB file upload limit, but a 25 MB file is accepted by the backend and stored successfully. The size check is enforced only by the frontend, so a request sent directly to POST /api/documents/upload bypasses the limit entirely.
A file that should only be visible to its owner (or to authorised users) can be downloaded by anyone who has the direct file URL, including logged-out users and other accounts. The application checks permissions on the page that lists the file, but the storage URL itself serves the file with no access check.
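All three bugs above share one root cause: the check lives in the browser or on the listing page, and the backend trusts it. The following is an added example of what server-side handling of those three checks looks like; it is not code from the page or from the practice app it refers to. The MIME allowlist and the 10 MB limit come from the bug descriptions; the in-memory store, the file records, the function names and the sample bytes are constructed for illustration.

```python
"""Server-side validation for the three file upload bugs on this page (added
example). The endpoint names echo the page's POST /api/documents/upload; the
in-memory STORE is a constructed stand-in for object storage."""
from dataclasses import dataclass, field
from typing import Optional

# The documented limit, enforced here regardless of what the frontend did.
MAX_UPLOAD_BYTES = 10 * 1024 * 1024

# Allowed declared Content-Types, each mapped to the magic bytes a genuine
# file of that type must start with (assumption: these three types only).
MAGIC_BY_TYPE = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "application/pdf": (b"%PDF-",),
}


class UploadRejected(Exception):
    """Carries a user-facing reason so a valid-looking upload never fails silently."""


class DownloadDenied(Exception):
    """Raised with the HTTP status the download endpoint should answer with."""

    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status


def sniff_type(data: bytes) -> Optional[str]:
    """Return the allowed MIME type whose signature matches the leading bytes, or None."""
    for mime, signatures in MAGIC_BY_TYPE.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(declared_type: str, data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> str:
    """Backend re-validation of one upload; returns the verified MIME type.

    1. size against the documented limit (bug 2),
    2. declared Content-Type against the allowlist (bug 1),
    3. magic bytes must agree with the declared type, so a renamed executable
       sent as application/octet-stream or relabelled image/png fails (bug 1).
    """
    if len(data) > max_bytes:
        raise UploadRejected(f"file exceeds the {max_bytes // (1024 * 1024)} MB limit")
    # Strip parameters such as "; charset=binary" before comparing.
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared not in MAGIC_BY_TYPE:
        raise UploadRejected(f"unsupported file type: {declared}")
    if sniff_type(data) != declared:
        raise UploadRejected("file content does not match its declared type")
    return declared


@dataclass
class StoredFile:
    file_id: str
    owner_id: str
    mime: str
    data: bytes
    shared_with: set = field(default_factory=set)


STORE: dict = {}  # file_id -> StoredFile; constructed stand-in for storage


def handle_upload(user_id: str, file_id: str, declared_type: str, data: bytes) -> StoredFile:
    """POST /api/documents/upload: validate on the server, then store."""
    mime = validate_upload(declared_type, data)
    record = StoredFile(file_id, user_id, mime, data)
    STORE[file_id] = record
    return record


def handle_download(requesting_user: Optional[str], file_id: str) -> bytes:
    """Serve a file only after an access check on this request (bug 3).

    The check runs on the download path itself, not only on the page that
    lists the file, so possessing the URL is never enough on its own.
    """
    record = STORE.get(file_id)
    if record is None:
        raise DownloadDenied(404, "not found")
    if requesting_user is None:
        raise DownloadDenied(401, "login required")
    if requesting_user != record.owner_id and requesting_user not in record.shared_with:
        raise DownloadDenied(403, "forbidden")
    return record.data
```

The test for each bug is the same: send the request directly to the backend, not through the form, and confirm that the oversized file, the relabelled file and the anonymous download are each rejected with a clear reason.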
// Explore other categories
Authentication Bugs
Bugs in login, logout, password reset, session management, tokens, and multi-factor flows.
Permission and Authorization Bugs
Bugs where users can access, edit, delete, or view resources they shouldn't be allowed to.
API Bugs
Bugs in HTTP status codes, request validation, response schemas, error messages, and API contracts.
UI and Frontend Bugs
Bugs affecting layout, forms, responsiveness, error messages, and how the interface behaves across browsers and screen sizes.
Data Bugs
Bugs involving incorrect, duplicated, stale, missing, or inconsistent data across the application.
Payment Bugs
Bugs in checkout flows, payment retries, webhooks, refunds, subscriptions, and invoices.
Time and Date Bugs
Bugs caused by timezone mismatches, daylight saving transitions, date range errors, and locale differences.
Search and Filter Bugs
Bugs in search results, filters, pagination, sorting, and result counts.
Notification Bugs
Bugs in email delivery, push notifications, in-app alerts, webhooks, and notification preferences.
// Practise finding these bugs
Hunt file upload bugs hands-on in a live practice app, then check your findings against the seeded-bug answer guide.