What are sample files used for?

Sample files are used by developers, QA engineers, and designers to test file upload functionality, validate parsers, prototype applications, and verify format support. They provide well-formed examples of real file formats without sensitive data.

Are the sample files free to download?

Yes, all sample files on File Examples are completely free to download. No registration, no limits, and no hidden fees. You can use them for testing, development, and educational purposes.

What file formats are available?

File Examples offers 1000+ sample files in 700+ formats across 50 categories including documents, images, audio, video, code, scripting, AI/ML, blockchain, gaming, firmware, security, science, IoT, DevOps, medical, accessibility, automation, education, legal, API, localization, and many more.

Can I use these files for testing my application?

Absolutely. All files are well-formed, valid examples designed specifically for testing. They contain proper headers, metadata, and realistic content structures — ideal for QA testing, CI/CD pipelines, and development workflows.

How do I download a sample file?

Browse categories or search for a specific format, click on the file you need, and hit the Download button. The file downloads instantly — no signup or email required.

High severity

MIME Spoofing: SVG with Embedded JavaScript (XSS)

An SVG image file containing embedded JavaScript that executes when the SVG is rendered in a browser, enabling cross-site scripting (XSS) attacks.

How This Attack Works

SVG is an XML-based image format that supports embedded <script> tags and event handlers (onload, onclick, etc.). When a user uploads an SVG to a web application that serves it directly, the embedded JavaScript executes in the context of the hosting domain, potentially stealing cookies, session tokens, or performing actions on behalf of the user.

Attack Vector

User uploads SVG avatar/image containing <script>alert(document.cookie)</script>. Application serves it with image/svg+xml MIME type. Browser renders SVG and executes the script.

Real-World Example

Multiple bug bounties have been awarded for SVG XSS on platforms like HackerOne, GitHub, and WordPress. Stored XSS via SVG upload is a common finding in web application security assessments.

Vulnerable Code

<!-- MALICIOUS SVG -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script>
    fetch('/api/admin', {
      headers: { 'Cookie': document.cookie }
    });
  </script>
  <rect width="100" height="100" fill="red"/>
</svg>

Safe Implementation

// SAFE: Sanitize SVG before serving
import DOMPurify from 'dompurify';
const cleanSVG = DOMPurify.sanitize(svgContent, {
  USE_PROFILES: { svg: true },
  FORBID_TAGS: ['script', 'foreignObject'],
  FORBID_ATTR: ['onload', 'onclick', 'onerror'],
});

Safe Handling Guidelines

Sanitize SVG files by stripping <script> tags, event handlers, and foreign objects. Serve user-uploaded SVGs with Content-Disposition: attachment or convert to raster format (PNG). Use CSP headers to prevent inline script execution.

Affected Platforms

Web applicationsCMS platformsImage hosting servicesEmail clients

Related Security Demos

MIME Spoofing: Executable Disguised as PDF

mime-spoofing · critical

CSV Formula Injection (DDE Attack)

injection · high

Related Tools & Resources

MIME Detector Checksum Generator Edge-Case Library Compatibility Matrix