Unrestricted file upload (UFU) is a class of web security vulnerabilities that can have a severe impact on web applications if uploaded files are not sufficiently validated or securely handled. A review of related work shows an increased interest in finding new methods to discover such vulnerabilities. However, each publication evaluates its new vulnerability scanner against a different set of artificial or real-world applications available at the time of writing. Thus, we identify the need for a comprehensive testing framework to allow a reproducible comparison between existing and future UFU vulnerability scanners. Our contributions include the File Upload Exploitation Lab (FUEL), which models 15 distinct UFU vulnerabilities in isolated scenarios to enable a reproducible evaluation of UFU scanners' capabilities. The results of evaluating four black-box UFU scanners against FUEL show that no scanner manages to identify all UFU vulnerabilities, leaving real-world websites at risk of compromise due to false negatives. Our work aims to solve this problem by extending an existing UFU scanner with multiple new detection and exploitation techniques, which we call Fuxploider-NG, to increase its accuracy from ~50% to over 90%, thereby surpassing the capabilities of existing UFU scanners and showcasing the importance of FUEL as a UFU vulnerability evaluation framework. To foster open science and future work in this area, we open-source FUEL and Fuxploider-NG.