File Security Demonstrations
Educational demonstrations of file-based security risks. Learn how attackers exploit MIME types, file extensions, and metadata — and how to defend against these attacks with safe handling code examples.
MIME Spoofing
Files that lie about their content type
MIME Spoofing: Executable Disguised as PDF
A Windows executable (.exe) uploaded or served with a Content-Type header of application/pdf. Clients that trust the declared type instead of inspecting the bytes treat it as a harmless document, even though its first two bytes ('MZ') identify a PE executable.
MIME Spoofing: SVG with Embedded JavaScript (XSS)
An SVG image containing embedded JavaScript (a <script> element, an onload handler, or a javascript: link) that runs when the SVG is opened directly in a browser or inlined into a page, enabling cross-site scripting (XSS). Scripts in an SVG loaded through an <img> tag do not run, so the impact depends on how the file is served.
Double Extensions
Filename tricks that hide the real extension
Double Extension: document.pdf.exe
A file using a double extension such as 'document.pdf.exe'. Windows Explorer hides extensions for known file types by default, so the name is displayed as 'document.pdf' although the file is an executable and double-clicking it runs the program.
Right-to-Left Override: Filename Direction Trick
A filename containing the Unicode Right-to-Left Override character (U+202E). Everything after the override is drawn right to left, so the stored name 'photo[RLO]gnp.exe' (real extension .exe) is displayed as 'photoexe.png'.
File Injection
Malicious content embedded in data files
Metadata Risks
Privacy and security risks from file metadata
File Security Checklist
Upload Validation
- ✓ Verify magic bytes, not just extension
- ✓ Check for double/multiple extensions
- ✓ Strip Unicode control characters from filenames
- ✓ Enforce file size limits
- ✓ Whitelist allowed types, decided from the sniffed content rather than the client-supplied Content-Type
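The following is an added example, not code from this page, that applies the upload checklist to the three disguises demonstrated above (executable served as PDF, double extension, RLO filename). The allowed types, the 5 MiB limit and the blocked-extension list are assumed policy values, and the PE and PDF byte stubs are constructed inputs.

```python
import re
import unicodedata

# Added example: upload validation for the checklist above. The policy values
# (allowed types, 5 MiB limit, blocked extensions) are assumptions, not the page's.
ALLOWED_TYPES = {
    "application/pdf": {"magic": (b"%PDF-",), "ext": {"pdf"}},
    "image/png": {"magic": (b"\x89PNG\r\n\x1a\n",), "ext": {"png"}},
    "image/jpeg": {"magic": (b"\xff\xd8\xff",), "ext": {"jpg", "jpeg"}},
}
MAX_SIZE = 5 * 1024 * 1024  # assumed policy limit

# Extensions rejected anywhere in the name, so 'document.pdf.exe' and 'photo.exe.pdf' both fail.
DANGEROUS_EXTS = {"exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "msi", "jar", "html", "htm"}
KNOWN_EXTS = DANGEROUS_EXTS | {e for spec in ALLOWED_TYPES.values() for e in spec["ext"]}


def sniff_type(data: bytes):
    """Return the allow-listed MIME type whose magic bytes match, or None."""
    for mime, spec in ALLOWED_TYPES.items():
        if any(data.startswith(magic) for magic in spec["magic"]):
            return mime
    return None


def clean_filename(name: str) -> str:
    """NFKC-normalise (folds full-width dots to '.'), drop every Unicode control/format
    character (the RLO U+202E is category Cf), and keep only the last path component
    so '../x.pdf' cannot traverse."""
    name = unicodedata.normalize("NFKC", name)
    name = "".join(ch for ch in name if not unicodedata.category(ch).startswith("C"))
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip(" .")


def validate_upload(filename: str, declared_mime: str, data: bytes):
    """Run the checklist. Returns (accepted, reason, safe_filename)."""
    if len(data) > MAX_SIZE:
        return False, "file too large", None

    safe = clean_filename(filename)
    if not safe:
        return False, "empty filename after cleaning", None
    exts = safe.lower().split(".")[1:]              # every dot-separated suffix
    if any(ext in DANGEROUS_EXTS for ext in exts):
        return False, "dangerous extension", safe
    if len(exts) > 1 and any(ext in KNOWN_EXTS for ext in exts[:-1]):
        return False, "double extension", safe

    sniffed = sniff_type(data)                      # trust the bytes, not the header
    if sniffed is None:
        return False, "content is not an allowed type", safe
    if declared_mime != sniffed:                    # client header is untrusted; a mismatch is a spoofing signal
        return False, "declared Content-Type does not match content", safe
    if not exts or exts[-1] not in ALLOWED_TYPES[sniffed]["ext"]:
        return False, "extension does not match content", safe
    return True, "ok", safe


# Constructed inputs: the DOS header that opens every PE executable, and the start of a PDF.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00"
PDF_STUB = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
SAMPLES = [
    ("report.pdf", "application/pdf", PDF_STUB),            # legitimate
    ("document.pdf.exe", "application/pdf", PE_STUB),       # double extension
    ("photo\u202egnp.exe", "image/png", PE_STUB),           # RLO trick, displays as photoexe.png
    ("invoice.pdf", "application/pdf", PE_STUB),            # MIME spoofing: exe declared as PDF
    ("scan.png", "application/pdf", PDF_STUB),              # extension disagrees with content
]

if __name__ == "__main__":
    for name, mime, data in SAMPLES:
        ok, reason, safe = validate_upload(name, mime, data)
        print(f"{'ACCEPT' if ok else 'REJECT'} {name!r} -> {safe!r}: {reason}")
```

The declared Content-Type is never used to decide the type; it is only compared against the sniffed type so that a mismatch can be logged and rejected. Magic-byte sniffing identifies the container, not safety: a real PDF can still carry JavaScript, so the Content Processing items below still apply to accepted files.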
Content Processing
- ✓ Sanitize SVG files (strip scripts)
- ✓ Strip EXIF metadata from images
- ✓ Escape CSV formula characters
- ✓ Serve user files with Content-Disposition: attachment and X-Content-Type-Options: nosniff
- ✓ Use CSP headers to prevent inline execution