XSS Postures: File Upload XSS
Original link: http://brutelogic.com.br/blog/
0x01 Brief Introduction
A file upload point is a great opportunity for XSS. Many sites let users upload a profile picture, so there are plenty of chances to find this kind of bug. If what you find turns out to be a self-XSS, have a look at this post.
0x02 Example Analysis
To start, we can look for attack entry points like the ones below, which I think are not hard to find.
Posture One: File name method
The filename itself may be reflected on the page, so a file whose name contains an XSS payload can act as the attack.
I have not prepared a lab for this, but you can practice this XSS at W3Schools.
Posture II: Metadata
With ExifTool, the EXIF metadata of an image can be modified so that it is reflected on the page to some degree:
$ exiftool -FIELD=XSS FILE
For example:
$ exiftool -Artist=' "> ' brute.jpeg
Posture Three: Content
If the application allows uploading files in SVG format (which is in fact an image type), then a file with the following content can be used to trigger XSS:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
A PoC is available for verification: visit brutelogic.com.br/poc.svg to see the effect.
Posture Four: Source
Create a GIF image that carries a JavaScript payload and use it as the source of a script. This is useful for bypassing a Content Security Policy (CSP) whose script-src directive allows only same-origin scripts (that is, one which blocks the plain <script>alert(1)</script> style of XSS), but only if we are able to inject into the same domain, as shown below.
To create such an image, use the following as both the file's content and its name, with a .gif extension:
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
The GIF header, GIF89a, serves as a JavaScript variable that is assigned the alert function. Between them sits a commented-out XSS vector, which covers the case where the file is served with the text/html MIME type: then simply requesting the file executes the payload.
As the original post shows, the UNIX file command and PHP's exif_imagetype() and getimagesize() all recognize this as a GIF file. So if an application relies solely on these methods to verify that an upload is an image, the file will be uploaded successfully (though it may be removed afterwards).
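From the defender's side, the lesson of the GIF polyglot (and of the filename and SVG postures above) is that a signature check is not an image check. The following Python is an added example, not code from the original post: it walks the GIF block structure so that text hiding behind a genuine GIF89a header is rejected, allowlists extensions (so SVG never passes), and stores uploads under a server-generated name so the client's filename is never reflected. Function names and the sample bytes are my own constructions.

```python
import secrets
import struct

GIF_HEADERS = (b"GIF87a", b"GIF89a")
TINY_GIF = bytes.fromhex("47494638396101000100800000000000ffffff2c00000000010001000002024401003b")  # constructed: genuine 1x1 GIF
POLYGLOT = b"GIF89a/* constructed text standing in for a script payload */"  # constructed: text behind a real signature


def skip_sub_blocks(data, pos):
    """Skip a chain of GIF data sub-blocks; return the offset after the 0x00 terminator."""
    while data[pos]:  # IndexError on a truncated chain is handled by the caller
        pos += 1 + data[pos]
    return pos + 1


def is_well_formed_gif(data):
    """Walk the GIF block structure instead of trusting only the 6-byte signature."""
    if len(data) < 13 or data[:6] not in GIF_HEADERS:
        return False
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:  # global colour table follows the logical screen descriptor
        pos += 3 * (2 << (packed & 0x07))
    saw_image = False
    try:
        while pos < len(data):
            introducer = data[pos]
            if introducer == 0x3B:  # trailer: must be the final byte, after at least one image
                return saw_image and pos == len(data) - 1
            if introducer == 0x21:  # extension block: label byte, then sub-blocks
                pos = skip_sub_blocks(data, pos + 2)
            elif introducer == 0x2C:  # image descriptor (10 bytes) + optional local colour table
                local = data[pos + 9]
                pos += 10 + (3 * (2 << (local & 0x07)) if local & 0x80 else 0)
                pos = skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
                saw_image = True
            else:
                return False  # anything else (e.g. script text after the header) is not GIF
    except IndexError:
        return False
    return False  # ran off the end without a trailer


ALLOWED = {"gif": is_well_formed_gif}  # extension allowlist: no SVG; extend with PNG/JPEG walkers


def accept_upload(original_name, data):
    """Return (accepted, stored_name_or_reason); the client-supplied name is never reused."""
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not ALLOWED[ext](data):
        return False, "content is not a well-formed " + ext
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Re-encoding the accepted image with an image library before serving it additionally strips EXIF fields such as Artist, which closes the metadata posture as well.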
0x03 Closing
If you want to know more about file types whose characteristic ASCII signatures can be assigned to a JavaScript variable, look out for my follow-up article.
There are also many more detailed examples of using XSS and image files to bypass image-processing library filters. A good example is here.