Our application has pages where file upload facility is available. During the test it was noted that arbitrary files of different content-type and size could be uploaded.
In one instance, testers could insert benign EICAR Test Virus file and also a binary(notepad.exe) file. It was uploaded and acknowledged as successful.
Multiple attack scenarios could be possible with the above vulnerability as attackers could upload malicious files or files with huge size there by forcing system to malfunction or exhaust system resources.
However we have a file size validation where it allows the file size up to the value entered in site_config.json i.e “max_file_size”.
But we also need to validate the content.
Hearing from anyone who has given a though on this before, would be of a great help.