File upload XSS – Vulnerabilities

A file upload point is an excellent opportunity to execute XSS applications. Many sites have user rights to upload personal data pictures of the upload point, you have a lot of opportunities to find the relevant loopholes. If it happens to be a self-XSS, you can look at this article.

First of all, basically we can find an entry similar to the following entry point, I think this is not difficult.

  • File name method

    The file name itself may be reflected on the page so that a file with XSS naming can play an attack.

  • Metadata
    The use of ExifTool this tool can change the EXIF metadata and then a certain chance to cause some reflection:
    $ exiftool -field = XSS FILE

     

    E.x

    $ exiftool -Artist=’“><img src=1 onerror=alert(document.domain)>’ brute.jpeg
  • SVG formatIf the application allows uploading files in SVG format (actually an image type), then files with the following content can be used to trigger XSS:
    <svgxmlns="http://www.w3.org/2000/svg"onload="alert(document.domain)"/>

     

  •  GIF image
    Create a GIF image carrying a JavaScript payload as the source of a script. It <script>alert(1)</script> is useful to circumvent the CSP (content security policy) to protect “script-src ‘self” (that is, it is not allowed to use the XSS mode of the example ), but only if we can successfully inject in the same domain.To create such an image you need this as content and name, and use the .gif extension:
    GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

     

    The GIF picture header – GIF89a, as the alert function of the variables assigned to the alert function. But between them, there is a marked XSS variable used to prevent the picture is restored to text / HTML MIME file type, so just send a request for this file payload can be executed.

    As we see below, the file class UNIX command and the exif_imagetype() and getimagesize() in the PHP function recognize it as a GIF file. So if an application only uses these methods to verify whether it is an image, then the file will be able to upload successfully (but may be killed after upload).