February 2026
FUD: Behavioral and Structural File Upload Detection
Intelligent Identification of File Upload Interfaces in Modern Web Architectures
KEREM DÜZ
Page Contents
System Overview
The File Upload Detector (FUD) project introduces a hybrid, behavioral-driven approach to automatically identify file upload functionalities across the modern web. Traditional detection mechanisms predominantly rely on static keyword-based heuristics—searching for terms like "upload", "browse", or "file"—which frequently fail when encountering modern, JavaScript-heavy applications. Such applications often utilize non-standard labels, customized UI components, or dynamic form logic that remains invisible to conventional scrapers.
FUD overcomes these technical barriers by integrating Hybrid Execution Analysis. By leveraging a high-performance Headless Browser Engine and intelligent DOM Injection, the system moves beyond mere text-based identification to perform deep structural analysis in real-time. This approach allows for the detection of upload interfaces hidden within Shadow DOMs, complex nested iframes, or those managed by third-party dynamic libraries.
The system is deployed as a scalable Asynchronous Microservice, capable of handling concurrent scanning requests with high throughput and low resource latency, making it an essential tool for large-scale security auditing of web infrastructures.
Dataset Construction and Feature Engineering
The foundation of the File Upload Detector (FUD) is built upon a diverse dataset of target URLs, including high-traffic domains, enterprise portals, and complex web applications. The dataset was meticulously curated to represent a wide spectrum of file upload implementations, ranging from standard HTML forms to sophisticated, asynchronous uploaders. Each URL was subjected to manual verification to establish a ground truth for "Upload-Enabled" vs. "Non-Upload" interfaces.
To ensure precise identification, FUD extracts a series of engineered features that represent the structural, behavioral, and relational properties of the target page:
- Input Signature Distribution: Quantitative analysis of
<input type="file">tags and their associated attributes such asacceptandmultiple. - Library-Specific Heuristics: Detection of DOM signatures belonging to specialized upload frameworks, including Dropzone.js, Uppy, FilePond, and Plupload.
- Asynchronous & Dynamic Patterns: Identification of late-loading (hydrated) elements that are injected into the DOM after the initial page load, capturing inputs managed by SPAs (Single Page Applications) without requiring traditional event listener analysis.
- DOM Hierarchy & Structural Proximity: Analysis of the spatial and logical relationship between "Upload" buttons and hidden input fields, including depth analysis within the Shadow DOM via recursive injection.
- Technical Attribute Metadata: Extraction of form-level metadata, such as
enctype="multipart/form-data"and specific API endpoints typically associated with file handling.
This multi-layered feature design ensures robust detection capabilities across multi-language environments and visually obfuscated or non-standard upload interfaces, significantly reducing the likelihood of false negatives.
Evolution of Detection Strategy (Methodology)
The development of File Upload Detector (FUD) followed an iterative, experimental process to overcome the limitations of traditional web scraping. Each stage was evaluated against a manually labeled ground truth dataset of 341 unique URLs.
Phase I: Heuristics & Static Analysis
Initially, the system relied on Keyword-Based Heuristics (searching for "upload",
"attachment", etc.). While this provided a baseline accuracy of 84.6%, it suffered from
significant false positives in multi-language environments. A follow-up attempt using static
Raw HTML Detection (<input type="file">) proved even less effective
(46.3% accuracy), as modern applications often hide or abstract these elements.
Phase II: From Static Regex to Rendered Analysis
To improve discovery, we implemented specialized Regex Patterns targeting common library signatures. While static Regex was faster, the breakthrough occurred when moving to Rendered HTML Analysis. By evaluating the page after JavaScript execution, discovery rates jumped significantly (95.8%) as dynamically generated upload patterns became visible.
Phase III: Transition to Modern Headless Rendering
The transition from legacy automation tools to a Next-Generation Browser Engine was driven by a need for higher concurrency and speed. Initially, a slight drop in accuracy (from 94.7% to 92.3%) was observed due to timing discrepancies in asynchronous page loads.
- Performance Tuning: To maximize throughput, the engine was optimized to block redundant network resources such as images, media, and heavy CSS at the protocol layer. This focused the rendering engine exclusively on DOM elements relevant to file-handling logic, significantly reducing latency.
Phase IV: Service-Oriented Architecture (Current Production)
The final iteration transformed the detection engine into a fully independent microservice to support enterprise-scale scanning.
- Asynchronous API Integration: The engine now runs behind a high-performance interface server.
- Lifespan Management: Utilizing context managers, the browser instance is initialized once at startup and reused across requests, reducing latency by ~600ms per scan compared to Phase III.
- Concurrency Control: Semaphore-based locking mechanisms limit active browser contexts to prevent resource exhaustion on the host machine while maintaining high throughput.
Performance Results
| Detection Stage | Accuracy | Note |
|---|---|---|
| Keyword Search | 84.6% | High False Positives |
| Raw <input> Check | 46.3% | Insufficient for Modern Web |
| Rendered HTML (Total) | 95.8% | Significant Discovery Jump |
| Legacy Browser Engine | 94.7% | Accurate but Slow |
| Modern Headless Engine | 92.3% | Tradeoff during migration |
| FUD Microservice (Current) | 96.76% | Optimal Accuracy & Performance |
Key Findings and Insights
- Shadow DOM & Iframe Blindness: Traditional crawlers are blind to ~15% of upload interfaces hidden in Shadow DOM or nested iframes. FUD's JS Strict Scan successfully penetrates these layers.
- The Hydration Challenge: Tools that fail to wait for full DOM hydration often miss dynamic uploaders. FUD overcomes this by emulating authentic browser event loops to ensure all components are loaded.
- Resource Efficiency: By intercepting and blocking non-essential media (images/CSS) reduced the average scan time per URL by 40% without compromising detection integrity.
These findings emphasize the importance of combining structural DOM analysis with resource-optimized browser rendering for scalable detection across the modern web.
Future Research and Improvements
- Extended Library Coverage: Expand detection signatures to include emerging upload frameworks and custom implementations.
- Vulnerability Correlation: Integrate with vulnerability scanners to automatically test detected upload endpoints for unrestricted file upload flaws.
- Machine Learning Enhancement: Apply ML-based classification to improve detection accuracy on edge cases and novel upload patterns.
- API Endpoint Discovery: Extend detection to identify backend file handling APIs beyond frontend interfaces.
Conclusion
FUD validates that a structural, resource-optimized browser approach is superior to static analysis for mapping the modern web's attack surface. By combining lightweight static checks with heavy-duty DOM analysis only when necessary, FUD delivers a scalable, accurate, and framework-agnostic solution.
This tool not only advances the accuracy of file upload identification but also lays the groundwork for automated vulnerability scanners targeting unrestricted file upload flaws on a mass scale.
