Malicious file upload leads to off-domain XSS


Hello Everyone,

My name is Pulla Karthik Srivastav (security researcher) from Hyderabad. I am so excited, as this is my third write-up on vulnerability assessment of web apps. I was searching for a vulnerability disclosure program using the bug bounty dork:

inurl:security.txt site:com

I pasted the Google dork into the browser and, from the results, selected a vulnerability disclosure program.

Let's start,

Bug type: off-domain XSS

Let us assume the target domain is target.com.

I was searching for parameters and endpoints and observed that the target website has chatbot functionality, so I started playing with the input field using some HTML and XSS payloads, but no luck.

I observed that it has an upload option, so I tried for a file upload vulnerability. Boom!! It has no file upload restrictions.

Let's start hunting for XSS.

PROCEDURE:

1. Open the chatbot functionality in the target website.

2. Upload the malicious file containing the XSS payload. Here you can observe that I bypassed the file restriction using double extensions to upload a malicious file.

XSS payload saved as an HTML file:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>

The payload is saved as xss.svg.html. Because the browser renders an HTML/SVG document rather than a raster image, the embedded script runs as soon as the file is opened.

File upload bypass techniques:

Blacklisting bypass:
Blacklisting (a deny list of extensions) can be bypassed by uploading files with less common PHP extensions that the list omits, such as: .pht, .phpt, .phtml, .php3, .php4, .php5, .php6. Whether such a file actually executes depends on which extensions the web server maps to the PHP handler.

Whitelisting bypass:
Whitelisting can be bypassed when the check is implemented poorly. Examples are null byte injection (shell.php%00.gif or shell.php.gif%00), which only works on old runtimes that truncate the filename at the null byte (for example PHP before 5.3.4), and double extensions (shell.jpg.php, or xss.svg.html as used here) when the check inspects the wrong part of the name or only looks for an allowed extension somewhere in it.

3. After a successful upload, hover over the file and open the image in a new tab. BOOM!! The XSS fires.

Impact:

Unrestricted file upload is high impact because, depending on how the server stores and serves uploaded files, it can lead to arbitrary code execution in the server context (an uploaded script that the server executes) and to client-side attacks such as XSS or cross-site content hijacking against other users who open the file. In this case the proof of concept is client-side only: an HTML/SVG document with a script executes when opened. As the bug type indicates, the file is served off-domain, so the script runs in the origin that hosts the upload rather than in target.com's origin, which limits what it can reach unless the application or its users treat that origin as trusted.

Mitigation:

→ Allow-list file extensions: normalize the filename, strip any path, and check only the final extension against a short list of types the feature actually needs (here, raster images; SVG and HTML should not be on it).

→ "Content-Type" header validation: require the header to match the allowed extension, but treat it as defence in depth only, since the client controls it.

→ Use a file type detector: verify the file's magic bytes match the claimed type, store the file under a server-chosen random name, and serve it with X-Content-Type-Options: nosniff and Content-Disposition: attachment, ideally from a separate origin.
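To make the bypass techniques and the mitigations concrete, here is an added Python example (not code from the original write-up or from the affected application). It places the weak deny-list and allow-list checks that the bypasses above defeat beside a hardened validator that applies the three mitigations together. The allow list, the magic-byte table, the function names, the SVG payload bytes and the fake PNG bytes are all constructed for this example.

```python
import os
import re
import secrets

# Allow list for an upload feature that only needs raster images (assumption).
# SVG is deliberately absent: it is XML and can carry <script>, so rendering it
# inline is exactly the XSS shown in the write-up.
# Maps extension -> (expected Content-Type, leading magic bytes).
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
}

# Constructed sample inputs: the article's SVG/script payload and a fake PNG
# header padded with zeros (enough to pass a magic-byte check, not a real image).
SVG_PAYLOAD = (
    b'<?xml version="1.0" standalone="no"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<script type="text/javascript">alert(document.cookie);</script></svg>'
)
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def weak_blacklist(filename: str) -> bool:
    """Deny-list check: rejects only .php and .svg. Passes .phtml, .php5 and
    the double extension xss.svg.html used in the write-up."""
    return not filename.lower().endswith((".php", ".svg"))


def weak_whitelist(filename: str) -> bool:
    """Allow-list check that looks for an allowed extension *anywhere* in the
    name. Passes shell.jpg.php and shell.php%00.gif."""
    return any("." + ext in filename.lower() for ext in ALLOWED)


def hardened_check(filename: str, content_type: str, data: bytes):
    """Allow-list on the final extension + Content-Type match + magic bytes.
    Returns (accepted, reason, server-chosen stored name or None)."""
    # Drop any directory component and refuse null bytes, raw or %-encoded.
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name or "%00" in name.lower():
        return False, "null byte in filename", None

    # Only the final extension decides the type: "shell.jpg.php" is "php".
    stem, dot, ext = name.lower().rpartition(".")
    if not dot or not stem or ext not in ALLOWED:
        return False, f"extension '{ext}' not in allow list", None
    expected_type, magic = ALLOWED[ext]

    # The client sets Content-Type, so this is defence in depth, not proof.
    if content_type.split(";")[0].strip().lower() != expected_type:
        return False, "content-type does not match extension", None

    # File type detector: the bytes must really start like that image type.
    if not data.startswith(magic):
        return False, "magic bytes do not match extension", None

    # Never reuse the user-supplied name on disk or in URLs.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


def download_headers(stored_name: str) -> dict:
    """Response headers for serving an accepted upload back. nosniff stops the
    browser from guessing a type; attachment prevents inline rendering; the CSP
    sandbox neuters script if something is still rendered. Serving from a
    separate origin (the 'off-domain' in this write-up) is a further layer."""
    ext = stored_name.rsplit(".", 1)[-1]
    return {
        "Content-Type": ALLOWED[ext][0],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for fn in ("xss.svg.html", "shell.phtml", "shell.jpg.php", "shell.php%00.gif"):
        print(f"{fn:20} blacklist passes={weak_blacklist(fn)} "
              f"whitelist passes={weak_whitelist(fn)}")
    print(hardened_check("xss.svg.html", "image/svg+xml", SVG_PAYLOAD))
    print(hardened_check("../../cat.png", "image/png", FAKE_PNG))
```

Run it as a script to see every bypass name sail through at least one of the weak checks while the hardened validator rejects them all; only the fake PNG with a matching Content-Type and magic bytes is accepted, and it comes back under a random name.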

Ethically hacked and reported.

Thanks for Reading.

Happy Hacking!!
