CWE-434: Unrestricted File Upload
Overview
This issue was identified during dynamic (DAST) scanning. The scanner observed runtime behavior indicating that the application accepted and stored uploaded files without enforcing sufficient restrictions on file type, handling, or execution context. Confirmation requires reviewing how uploaded files are validated, stored, and served.
Analyzing the Dynamic Scan Result
What the DAST Scanner Found
DAST findings for CWE-434 typically indicate that the application accepted uploaded files without sufficient restrictions, such as:
- Acceptance of files with executable or interpretable content
- Lack of server-side enforcement of allowed file types
- Uploaded files being stored in locations where they can be accessed or executed
- Identical handling of trusted and untrusted file uploads
The evidence comes from how the server accepted and handled uploaded content at runtime, not from any particular request parameter or payload value, so there is no single injection point to point at.
Mapping DAST Findings to Source Code
CWE-434 does not hinge on a single vulnerable parameter.
The issue resides in how uploaded files are validated, stored, and later handled by the application.
When tracing this issue in code, look for:
- File upload handling logic
- Allowlisting of permitted file types and formats
- Storage location of uploaded files (web-accessible vs isolated)
- Whether uploaded files are ever executed or interpreted
- Server or framework configuration that determines how files are served
Remediation
Core Principle: Never allow user-supplied files to influence server execution or interpretation. Treat every uploaded file as untrusted data: enforce a server-side allowlist of permitted types that checks the file content, not just the client-supplied extension or Content-Type header; generate the stored filename on the server and discard the client's name and path; store files outside the web root in a location that is never executed or interpreted; and serve them back only through an application handler that sets a fixed Content-Type and Content-Disposition rather than directly from disk.
Verification and Follow-Up Testing
After applying the fix:
1. Reproduce the Original Behavior
- Attempt to upload the same kinds of files the scanner used (files that should not be accepted by the application)
- Confirm the behavior the scanner observed (the file being stored or served) no longer occurs
2. Verify the Fix
- Confirm only explicitly allowlisted file types are accepted, based on content and not only on extension
- Verify uploaded files are stored outside the web root in non-executable locations
- Ensure uploaded content is never interpreted or executed by the server, including when it is served back
- Validate that stored filenames are server-generated and the client-supplied name and path are discarded
3. Test Edge Cases
- Files with misleading extensions (wrong, uppercase, or multiple extensions)
- Files containing executable content in allowed formats (polyglots)
- Large file uploads
- Uploads to alternative or secondary endpoints that share the same storage
4. Re-run DAST Scanner
Re-run the dynamic scanner to confirm unrestricted upload behavior is no longer observed.
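To make the remediation principle concrete and to show how the edge cases above behave against it, the following is an added example of a hardened upload validator; it is illustrative code written for this page, not the application's own handler or code from the scanner. The allowlist, the size cap, the upload directory path, and the test vectors are all assumptions constructed for the example.

```python
import os
import uuid

# Allowlist: extension -> (Content-Type used when serving, accepted magic-byte prefixes).
# Anything not listed is rejected; there is deliberately no denylist of "bad" extensions.
ALLOWED_TYPES = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "pdf": ("application/pdf", (b"%PDF-",)),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024          # assumed limit for the example
# Assumed deployment: outside the document root, mounted noexec, with no handler
# mapping in the web server, so nothing stored here can be interpreted or executed.
UPLOAD_ROOT = "/srv/app-uploads"


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the message is safe to log."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return the allowlisted extension for an acceptable upload, else raise UploadRejected."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Keep only the final path component so "../../x.png" or "C:\x.png" cannot steer storage.
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        # Rejects "shell.php.png", ".htaccess", "noext" and "trailing."
        raise UploadRejected("filename must be name.ext with exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    _, magics = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match the declared type")
    return ext


def stored_name_for(ext: str) -> str:
    """Server-controlled filename: the client's name never reaches the filesystem."""
    return f"{uuid.uuid4().hex}.{ext}"


def store_upload(client_filename: str, data: bytes, root: str = UPLOAD_ROOT) -> str:
    """Validate, then write under a server-generated name; returns that name."""
    ext = validate_upload(client_filename, data)
    name = stored_name_for(ext)
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, name), "xb") as fh:   # "x": never overwrite an existing file
        fh.write(data)
    return name


def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored file back through the application, not straight from disk."""
    content_type, _ = ALLOWED_TYPES[stored_name.rsplit(".", 1)[1]]
    return {
        "Content-Type": content_type,                      # fixed by the allowlist, not the client
        "X-Content-Type-Options": "nosniff",               # browser must not sniff script out of it
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }


# Constructed test vectors mirroring the edge cases listed above (not captured uploads).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_STUB = b"<?php echo 'x'; ?>"
EDGE_CASES = {
    "plain_script":     ("shell.php", PHP_STUB),
    "double_extension": ("shell.php.png", PNG_HEADER),
    "lied_about_type":  ("shell.png", PHP_STUB),
    "uppercase_ext":    ("logo.PNG", PNG_HEADER),
    "traversal_name":   ("../../var/www/html/x.png", PNG_HEADER),
    "polyglot_gif":     ("banner.gif", b"GIF89a" + PHP_STUB),
    "oversized":        ("big.pdf", b"%PDF-" + b"\x00" * MAX_UPLOAD_BYTES),
}


def run_edge_cases() -> dict:
    """Map each vector to 'accepted:<ext>' or 'rejected:<reason>' without touching disk."""
    results = {}
    for label, (name, data) in EDGE_CASES.items():
        try:
            results[label] = "accepted:" + validate_upload(name, data)
        except UploadRejected as exc:
            results[label] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in run_edge_cases().items():
        print(f"{label:18} {outcome}")
```

Note the polyglot_gif vector: it is accepted, because a valid GIF header followed by PHP is still a valid GIF as far as content checks go. That is the point of the "executable content in allowed formats" edge case: validation alone cannot catch it, so what actually prevents execution is storing the file outside the web root with no interpreter mapping and serving it with a fixed Content-Type, nosniff, and as an attachment. Also, the size check here runs only after the whole body is in memory; in a real deployment enforce the limit in the web server or framework before the body is buffered.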