File Upload Leads to Stored XSS

Binamra Pandey
Apr 5, 2021

A while ago I wrote a post on “Unrestricted File Upload”. By exploiting that bug I was able to upload a file with any extension, even a blacklisted one, to the server.

After spending some time, I decided to test for Cross-Site Scripting (XSS) using that file upload. So while I was uploading files to the server, I intercepted the request with Burp and changed the filename to an XSS payload, but that failed.

After some time, I uploaded a file to the server and it returned an ‘XML error page’, so at that point I thought the backend server would run XML, so I opened my text editor and wrote XML code to run JS on the server.

Payload: <?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>

And I saved it as “.jpg”. I uploaded this to the website and as soon as I clicked on the uploaded image, the XSS popped up. This was stored XSS, so anyone who clicks on that uploaded JPG file will be able to trigger it.
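The weakness behind this finding is that the server trusted the file extension and the browser was then free to interpret the stored bytes as SVG. The following is an added example, not code from the original post: a defensive upload check that sniffs the real format of the bytes, rejects XML/SVG/HTML markup disguised with an image extension, and produces the response headers that keep a browser from sniffing an upload into something renderable. Function names, the allow-list and the sample inputs (the post's SVG payload plus a constructed JPEG header) are my own assumptions.

```python
import re
from typing import Dict, Tuple

# Leading bytes ("magic numbers") of the raster formats this example accepts.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Claimed extension -> canonical format name (jpeg and jpg are the same thing).
CANONICAL = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}

MIME = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}

# Anything that starts like a document a browser would parse as markup.
MARKUP_RE = re.compile(rb"^\s*(<\?xml|<!DOCTYPE|<svg|<html|<script)", re.IGNORECASE)


def sniff_format(data: bytes) -> str:
    """Return 'jpg'/'png'/'gif' from the magic bytes, 'markup' for XML/SVG/HTML,
    or 'unknown' if neither matches."""
    head = data[:512]
    for fmt, sigs in MAGIC.items():
        if any(head.startswith(sig) for sig in sigs):
            return fmt
    if MARKUP_RE.match(head) or b"<svg" in head.lower():
        return "markup"
    return "unknown"


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the extension is allow-listed AND the bytes really are
    that format. An SVG renamed to .jpg fails the second check."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = CANONICAL.get(ext)
    if claimed is None:
        return False, "extension '.%s' is not on the allow-list" % ext
    actual = sniff_format(data)
    if actual == "markup":
        return False, "content is XML/SVG/HTML markup, not an image"
    if actual != claimed:
        return False, "content looks like '%s', not '%s'" % (actual, claimed)
    return True, "ok"


def response_headers(fmt: str) -> Dict[str, str]:
    """Headers for serving a validated upload: an explicit image MIME type,
    nosniff so the browser cannot reinterpret the bytes, and a sandboxed CSP
    as defence in depth if something still gets rendered as a document."""
    return {
        "Content-Type": MIME[fmt],
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs: the SVG payload from the post saved as photo.jpg,
# and a minimal JPEG header standing in for a real photo.
SVG_PAYLOAD = (
    b'<?xml version="1.0" standalone="no"?>'
    b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
    b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
    b'<svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>'
)
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("photo.jpg", SVG_PAYLOAD), ("photo.jpg", FAKE_JPEG)):
        ok, why = validate_upload(name, blob)
        print(name, "->", "accepted" if ok else "rejected:", why)
```

Run as-is it rejects the renamed SVG and accepts the JPEG header. The check deliberately ignores the client-supplied Content-Type as well as the extension, since both are attacker-controlled; only the bytes decide. Re-encoding accepted images through an image library before storage would add a further layer, but the magic-byte check plus nosniff already closes the rendered-as-SVG path described above.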

I spent some more time on this program trying to find RCE using that file upload feature, but I was not successful. So after some time, I reported this stored XSS to the company and they provided a bounty for it.

Thank you for reading this post.
