In order to test effectively, the file upload module needs to have specific functionality developed.
For example, here is a list of requirements a file upload feature must meet in order to be a good module in your webapp.
- Set the file size limit required for the webapp, and make sure the file upload module enforces that limit.
- If you allow only a specific set of files, then whitelist those file types.
- Depending on the programming language, set the content type for the files being uploaded.
- The file upload module should have file type recognition built into it.
- The file upload feature should remove special characters from the textarea field if one is provided.
- Accept alphanumeric content in file names.
- Accept characters and alphanumeric content in names.
- Don't accept file types that lead to SQL injection.
- Include a server-level file scan.
- Don't accept empty files with an extension that leads to SQL injection.
- Restrict file name typing; instead, offer a file browsing dialog box from the upload button.
- Authorize file upload and transfer only for registered accounts, if required.
- Make sure the server side checks the file size limits.
- Create a new copy of the same uploaded file to avoid overwriting.
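As an added example (not code from the original article), the following server-side validator implements several of the requirements above: a size limit, an empty-file check, an extension whitelist, file type recognition by magic bytes, special-character removal from the file name, and a unique stored name so an upload never overwrites an existing file. The 5 MiB cap and the three-type whitelist are assumed values chosen for the demonstration.

```python
import os
import re
import secrets

# Policy values are constructed for this example (not from the page): a 5 MiB cap
# and a whitelist of three image types, each mapped to the magic bytes it must start with.
MAX_BYTES = 5 * 1024 * 1024
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def sniff_type(data: bytes):
    """File type recognizer: return the whitelisted type whose magic bytes match, else None."""
    for ext, magics in ALLOWED.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def safe_filename(name: str) -> str:
    """Drop any path component and replace special characters with '_',
    so only alphanumerics, dot, dash and underscore survive."""
    base = os.path.basename(name.replace("\\", "/"))
    base = SAFE_NAME.sub("_", base).lstrip(".")
    return base or "upload"


def check_upload(filename: str, data: bytes):
    """Server-side checks: empty file, size limit, extension whitelist, and
    content recognition (the declared extension must match the sniffed type).
    Returns (True, stored_name) or (False, reason). stored_name carries a random
    prefix so an upload never overwrites an existing file of the same name."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file exceeds maximum size"
    clean = safe_filename(filename)
    ext = clean.rsplit(".", 1)[-1].lower() if "." in clean else ""
    if ext not in ALLOWED:
        return False, "extension not whitelisted"
    if sniff_type(data) != ext:
        return False, "content does not match declared extension"
    return True, f"{secrets.token_hex(8)}_{clean}"
```

The size check here operates on the bytes already received; in a real server the request body limit should also be enforced before the whole upload is buffered.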
While some features can be implemented within the application, we should also think about the file upload feature in terms of security. Here are some security checks to perform while testing the application.
- Upload blacklisted files and try executing them.
- Upload an executable file and try to execute it on the server.
- Upload an HTML file with an XSS script embedded in it.
- Upload a virus file and measure the response.
- Upload files continuously without any wait period (denial of service check).
- Try to upload a file as a guest or anonymous user.
These are some of the basic options to check when it comes to security testing of the file upload module.
A typical file upload feature on file upload sites like Dropbox or Google Drive.
Here are some of the test cases and scenarios that you should consider while manually testing the module.
- Is the uploader limited to a single file, or does it accept multiple files?
- Is the uploader a drag-and-drop type?
- Does the uploader require browsing to the file using a browse button?
- Does the uploader depend on any third-party plugin?
- Is the uploader custom built, or does it make use of an existing framework?
- Does the uploader support drag and drop from a tablet app?
- Is the uploader affected by third-party plugins or APIs if it depends on their services?
- Does the uploader have any third-party API security issues?
- Does the uploader include a progress bar showing the estimated time left for the file upload?
- Does the file uploader display the file size uploaded?
- Does the file uploader have any file size requirements?
- What are the minimum file size requirements of the file uploader?
- Does the file size have any limits?
- Can you upload a file whose size is outside the limitations of the uploader?
- What is the maximum file size accepted by the uploader?
- Does the uploader accept image files in the formats jpg, gif and png?
- Does the uploader accept the document formats pdf, doc, txt and xlsx?
- Does the uploader have any other specific application format requirement?
- Does the uploader have any specific file format blacklisted for security reasons?
- What are some of the file formats whitelisted by the uploader?
- Does the system allow cancelling an upload?
- Does the system allow cancelling multiple uploads?
- Does the uploader open the browse-for-file dialog box when the button is clicked?
- Does the uploader show a "success" message after upload?
- Does the uploader show an error message if the upload fails?
- How does the uploader behave if no file is uploaded?
- How does the uploader respond if some files in a multi-file upload fail?
- What message does it display if the files fail to be written to server space?
- What message is displayed if the chosen file only gets partially uploaded?
- What message is shown if the file exceeds the maximum file size?
These are some of the test cases that you can try while testing the file upload feature of a webapp. If you have suggestions for any additional features to test or have an idea of a missing one, then do let me know in the comments. I'd appreciate it if you share the article on social media. 🙂