Stored XSS Via File Upload [SVG File Content]

Mohammad Mohsin
3 min readMay 28, 2022

--

Stored XSS Via SVG File Upload

Hi Friends!

This is my 36th blog on web application security penetration testing. In this blog I will explain about Stored XSS Via SVG File Upload.

In my last blog, I have explained about Remote Code Execution by uploading ASP .NET Web Shell. Hope everyone liked it. If you haven’t read it yet please follow along.

Let me give you some Mental notes from previous (35th blog) which we have seen earlier to this blog series:

  1. We have hosted ASP.NET Website on Local IIS Server.
  2. Back-end running MS-SQL Server
  3. We have created one file upload control which uploads the file and store it into the Local IIS server directory named as ~/uploads

Let’s not waste more time and jump to the topic to demonstrate step-by-step POC:

  1. Navigate to File Upload Control as shown below:
File Upload Control

2. Create SVG File with .svg extension which below code written in it and named it as test.svg

Content of test.svg File

3. Browse the newly created test.svg file and click on Upload File button to upload it on web server.

File Uploaded on web server

4. Now navigate to web root directory inside the ~/Uploads folder to see file uploaded successfully or not? Notice our .svg file uploaded successfully to web server.

.svg file uploaded to the web server in uploads folder

5. Now browse it back to see it’s WebView, When you do that our XSS payload will get executed successfully.

XSS Payload Execution

This is how we can create malicious SVG file to execute XSS if it is allowed on web server to upload.

Hope everyone will like this simple steps POC. Please do like and follow and comment for more reads!

Thanks!

--

--

Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.