File Upload Testing
// Definition
A testing discipline verifying that an application handles file uploads correctly across all dimensions: accepted types, size limits, malformed content, and security boundaries. A complete test strategy covers the happy path, boundary values (a file exactly at the size limit and one byte over it), type validation (a correct extension with a mismatched Content-Type MIME type; double extensions such as .php.jpg), empty (zero-byte) files, filenames with special characters, concurrent uploads, and interrupted uploads. Security-relevant tests include attempting to upload executable files to endpoints that serve user content, verifying that upload endpoints reject unauthenticated requests, and confirming that stored files are served with Content-Disposition: attachment to prevent in-browser execution. Always test server-side validation independently of any client-side validation, because client-side checks are easily bypassed.
// Related terms
MIME Type
A label (e.g. application/json, image/png, text/csv) that declares the format of a file or HTTP body, carried in the Content-Type header. Testing concerns include mismatches between the declared type and the actual content (a server returning HTML with Content-Type: application/json), frontend code that trusts the file extension rather than the declared type, and upload endpoints that validate the MIME type purely client-side, which lets an attacker spoof it. Test by sending requests with mismatched Content-Type headers and verifying that the server rejects or handles them safely.
Boundary Value Analysis
Testing values immediately at and around boundaries (e.g., min, max, just-below, just-above). Bugs cluster at edges — this technique catches off-by-one errors that equivalence partitioning alone misses.
Equivalence Partitioning
Dividing the input space into groups where the system should behave identically, then testing one representative value per group. Reduces redundant test cases dramatically without losing coverage.
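As an added example (not part of the original glossary entry), a minimal server-side upload validator for the checks described under File Upload Testing, MIME Type and Boundary Value Analysis, with a constructed test matrix covering the happy path, the size boundary, type mismatches, double extensions and special characters in filenames. The size limit, the allowed types and all function names are assumptions; the PNG and JPEG magic-byte prefixes are the real ones.

```python
import re

MAX_BYTES = 1_000_000  # assumed size limit for this example
ALLOWED = {"png": (b"\x89PNG\r\n\x1a\n", "image/png"),  # extension -> (magic bytes, Content-Type)
           "jpg": (b"\xff\xd8\xff", "image/jpeg")}
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}\.[a-z0-9]{1,5}")  # one base name, exactly one extension

def validate_upload(filename: str, content_type: str, data: bytes):
    """Server-side checks only; returns (accepted, reason). Client-side checks are not trusted."""
    if len(data) == 0:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "too large"
    name = filename.lower()
    if not SAFE_NAME.fullmatch(name):      # rejects "x.php.jpg", "../x.png", spaces, trailing newline
        return False, "bad filename"
    ext = name.rsplit(".", 1)[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    magic, expected_type = ALLOWED[ext]
    # compare only the media type, ignoring parameters such as "; charset=utf-8"
    if content_type.split(";")[0].strip().lower() != expected_type:
        return False, "content-type mismatch"
    if not data.startswith(magic):         # declared type must match the actual bytes
        return False, "content does not match extension"
    return True, "ok"

def download_headers(filename: str) -> dict:  # serve stored uploads as downloads, never rendered
    return {"Content-Disposition": f'attachment; filename="{filename}"',
            "X-Content-Type-Options": "nosniff"}

PNG = b"\x89PNG\r\n\x1a\n"
CASES = [  # constructed test matrix: (filename, Content-Type, body, should_be_accepted)
    ("cat.png", "image/png", PNG + b"\x00" * (MAX_BYTES - len(PNG)), True),       # exactly at limit
    ("cat.png", "image/png", PNG + b"\x00" * (MAX_BYTES - len(PNG) + 1), False),  # one byte over
    ("cat.png", "image/png", b"", False),                                         # zero-byte file
    ("cat.png", "image/jpeg", PNG + b"\x00" * 8, False),                          # extension vs Content-Type
    ("cat.png", "image/png", b"not really a png", False),                         # declared type vs content
    ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff\x00", False),                  # double extension
    ("../cat.png", "image/png", PNG + b"\x00" * 8, False),                        # path chars in filename
]

def run_cases() -> int:  # returns the number of cases where the validator disagreed with the matrix
    failures = 0
    for fname, ctype, body, expected in CASES:
        accepted, reason = validate_upload(fname, ctype, body)
        failures += accepted != expected
        print(f"{'PASS' if accepted == expected else 'FAIL'} {fname:14} -> {reason}")
    return failures

run_cases()
```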