← All posts

Red-Teaming Synthos: Pen-Testing Our Own Upload Pipeline

June 14, 2026 · 6 min read

By Iseoluwa Promise, Cybersecurity Engineer at Genovo Technologies

When your product’s front door accepts arbitrary half-terabyte files from the internet, you do not wait for a bug bounty report to find out what happens with hostile input. Attacking our own ingestion path is a standing internal exercise, and it has paid for itself several times over.

The attack surface starts before any byte is uploaded: the initiation endpoint that mints signed URLs. We probe it for the classics — extension confusion, content-type spoofing, path traversal in filenames, oversized and zero-byte declarations, and attempts to mint URLs against other users’ dataset IDs. Authorization on identifiers gets special attention because IDOR in a multi-tenant data platform is the nightmare scenario.

Hostile files, contained

Then come the payloads. Archive formats invite zip bombs and path-escaping entries; columnar formats invite malformed metadata designed to crash or exhaust parsers; CSVs invite formula injection aimed at whoever eventually opens an export. Our assumption is that parsers will eventually meet a file crafted specifically for them, so parsing runs in isolated workers where a crash is an incident report, not an outage.

The signed-URL design earns its keep here: application servers never proxy file bytes, so an exploit against a parser lands in a blast-radius-limited worker rather than in the serving path holding everyone’s sessions.

Fixes over findings

A pen test that produces a report and no diffs is expensive theater. Every exercise ends in tickets with owners: allowlists tightened at both client and API, filename normalization before storage-key derivation, upload state machines that refuse impossible transitions. Then we re-run the same attacks to confirm the fix — because the second-most-dangerous state after vulnerable is “believed fixed.”