Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Bringing UFUs Back into the Air With FUEL: A Framework for Evaluating the Effectiveness of Unrestricted File Upload Vulnerability Scanners

Sebastian Neef, Maath Oudeh

TL;DR

This work addresses the lack of a standardized way to evaluate unrestricted file upload (UFU) vulnerability scanners by introducing FUEL, a Docker-based, modular testing framework that models 15 UFU scenarios. It compares four scanners—FUSE, Fuxploider, ZAP with FileUpload, and BurpSuite UploadScanner—showing none fully covers all scenarios and highlighting broad false-negative risks. To close the capability gap, the authors extend Fuxploider into Fuxploider-NG, which together with FUEL enables reproducible, comprehensive evaluation and demonstrates substantial improvements in detection and exploitation coverage. The work advocates open science by releasing FUEL and Fuxploider-NG, aiming to elevate evaluation standards and guide future UFU research and tool development.

Abstract

Unrestricted file upload (UFU) is a class of web security vulnerabilities that can have a severe impact on web applications if uploaded files are not sufficiently validated or securely handled. A review of related work shows an increased interest in finding new methods to discover such vulnerabilities. However, each publication evaluates its new vulnerability scanner against a different set of artificial or real-world applications available at the time of writing. Thus, we identify the need for a comprehensive testing framework to allow a reproducible comparison between existing and future UFU vulnerability scanners. Our contributions include the File Upload Exploitation Lab (FUEL), which models 15 distinct UFU vulnerabilities in isolated scenarios to enable a reproducible evaluation of UFU scanners' capabilities. The results of evaluating four black-box UFU scanners against FUEL show that no scanner manages to identify all UFU vulnerabilities, leaving real-world websites at risk of compromise due to false negatives. Our work aims to solve this problem by extending an existing UFU scanner with multiple new detection and exploitation techniques, which we call Fuxploider-NG, to increase its accuracy from ~50% to over 90%, thereby surpassing the capabilities of existing UFU scanners and showcasing the importance of FUEL as a UFU vulnerability evaluation framework. To foster open science and future work in this area, we open-source FUEL and Fuxploider-NG.

Bringing UFUs Back into the Air With FUEL: A Framework for Evaluating the Effectiveness of Unrestricted File Upload Vulnerability Scanners

TL;DR

This work addresses the lack of a standardized way to evaluate unrestricted file upload (UFU) vulnerability scanners by introducing FUEL, a Docker-based, modular testing framework that models 15 UFU scenarios. It compares four scanners—FUSE, Fuxploider, ZAP with FileUpload, and BurpSuite UploadScanner—showing none fully covers all scenarios and highlighting broad false-negative risks. To close the capability gap, the authors extend Fuxploider into Fuxploider-NG, which together with FUEL enables reproducible, comprehensive evaluation and demonstrates substantial improvements in detection and exploitation coverage. The work advocates open science by releasing FUEL and Fuxploider-NG, aiming to elevate evaluation standards and guide future UFU research and tool development.

Abstract

Unrestricted file upload (UFU) is a class of web security vulnerabilities that can have a severe impact on web applications if uploaded files are not sufficiently validated or securely handled. A review of related work shows an increased interest in finding new methods to discover such vulnerabilities. However, each publication evaluates its new vulnerability scanner against a different set of artificial or real-world applications available at the time of writing. Thus, we identify the need for a comprehensive testing framework to allow a reproducible comparison between existing and future UFU vulnerability scanners. Our contributions include the File Upload Exploitation Lab (FUEL), which models 15 distinct UFU vulnerabilities in isolated scenarios to enable a reproducible evaluation of UFU scanners' capabilities. The results of evaluating four black-box UFU scanners against FUEL show that no scanner manages to identify all UFU vulnerabilities, leaving real-world websites at risk of compromise due to false negatives. Our work aims to solve this problem by extending an existing UFU scanner with multiple new detection and exploitation techniques, which we call Fuxploider-NG, to increase its accuracy from ~50% to over 90%, thereby surpassing the capabilities of existing UFU scanners and showcasing the importance of FUEL as a UFU vulnerability evaluation framework. To foster open science and future work in this area, we open-source FUEL and Fuxploider-NG.
Paper Structure (29 sections, 3 figures, 2 tables)

This paper contains 29 sections, 3 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Background & Related Work
  3. PHP
  4. File Upload Process
  5. File Selection
  6. File Transfer
  7. File Processing
  8. Unrestricted File Upload
  9. Improper Validation
  10. Vulnerabilities
  11. Related Work
  12. FUEL
  13. Design
  14. UFU Scenarios
  15. Evaluation
  16. ...and 14 more sections

Figures (3)

  • Figure 1: A simplified schema of the file upload and retrieval steps.
  • Figure 2: An example multipart/form-data encoded file upload HTTP request with the UFU-relevant manipulation points highlighted.
  • Figure 3: Depiction of FUEL's design using multiple isolated containers.