XSS Through File Upload [Attribute-Value]

Mohammad Mohsin
3 min readMay 24, 2022

--

XSS Through File Upload Attribute Value

Hi Folks!

This is my 34th blog on web application security penetration testing. In this blog I will explain about XSS Through File Upload where “Attribute-Value” of the uploaded images are vulnerable to XSS.

In my last blog, I have explained about XSS Through File Upload where “Filename” itself was vulnerable to reflected XSS. Hope everyone liked it. If you haven’t read it yet please follow along.

Finding the vulnerabilities is most probably depend on your observation like, How data is getting stored to the backend and how it is getting displayed on the web page.

I have came across one of the scenario where application has some web forms like,

AddProduct.aspx ( To store Product Details to the database)

ViewProduct.aspx (To display Products on the web Page)

To maintain confidentiality, I have locally hosted website to demonstrate this issue. I have created two web forms as mentioned above.

Webform to store product details in the database:

Add Product Details
Database Table holding product details

Webform to Display product details on the Webpage:

View Product Details

Isn’t it cool!

The image on the product display screen captured my attention. I have run the developer tools by pressing f12 on windows machine and click on the image to see it’s attribute values.

Image has “Title” Attribute which was storing “product description”

As shown in the above image, Image has an attribute called “Title” and it’s value was “Product Description” which is stored by user’s earlier by visiting to AddProduct.aspx web page.

I have immediately navigated to AddProduct.aspx web page and enter malicious XSS Payload in the Product Description as Shown in below screens.

Stored Malicious XSS Payloads as an attribute value in product description web field
Record 4 added recently with malicious payload

After that I have visited ViewProduct.aspx web page which basically displays all the records from the backend to Front-end and our XSS payload is rendered into “Title” property of the image dell.jpg

XSS Payload Executed Successfully
View from Developer tools by pressing f12

Images are often vulnerable to RCE or XSS all you need is in-depth observation to find loophole.

Please do like and comment if you have any doubt or difficulties in the understanding this POC.

Thanks!

--

--

Mohammad Mohsin
Mohammad Mohsin

Written by Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.

Responses (2)