This is my 34th blog on web application security penetration testing. In this blog I will explain about XSS Through File Upload where “Attribute-Value” of the uploaded images are vulnerable to XSS.
In my last blog, I have explained about XSS Through File Upload where “Filename” itself was vulnerable to reflected XSS. Hope everyone liked it. If you haven’t read it yet please follow along.
Mohammad Mohsin - Medium
Read writing from Mohammad Mohsin on Medium. Works @t @pple. Ethical Hacker, Vulnerability Assessment and Penetration…
Finding the vulnerabilities is most probably depend on your observation like, How data is getting stored to the backend and how it is getting displayed on the web page.
I have came across one of the scenario where application has some web forms like,
AddProduct.aspx ( To store Product Details to the database)
ViewProduct.aspx (To display Products on the web Page)
To maintain confidentiality, I have locally hosted website to demonstrate this issue. I have created two web forms as mentioned above.
Webform to store product details in the database:
Webform to Display product details on the Webpage:
Isn’t it cool!
The image on the product display screen captured my attention. I have run the developer tools by pressing f12 on windows machine and click on the image to see it’s attribute values.
As shown in the above image, Image has an attribute called “Title” and it’s value was “Product Description” which is stored by user’s earlier by visiting to AddProduct.aspx web page.
I have immediately navigated to AddProduct.aspx web page and enter malicious XSS Payload in the Product Description as Shown in below screens.
After that I have visited ViewProduct.aspx web page which basically displays all the records from the backend to Front-end and our XSS payload is rendered into “Title” property of the image dell.jpg
Images are often vulnerable to RCE or XSS all you need is in-depth observation to find loophole.
Please do like and comment if you have any doubt or difficulties in the understanding this POC.