Master the art of Cross Site Scripting.
File Upload XSS
A file upload is a great opportunity to XSS an application. A user-restricted area with an uploaded profile picture is everywhere,
providing more chances to find a developer's mistake. If it happens to be a self-XSS, just take a look at the previous post
(http://brutelogic.com.br/blog/leveraging-self-xss/).
Basically we have the following entry points for an attack.
1) Filename
The filename itself may be reflected in the page, so it's just a matter of naming the file with an XSS vector.
(image: https://i1.wp.com/brutelogic.com.br/blog/wp-content/uploads/2016/04/xss-gif-filename.gif)
#hack2learn
Although not intended, it's possible to practice this XSS live at W3Schools (http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_fileupload_value).
2) Metadata
Using exiftool (http://www.sno.phy.queensu.ca/~phil/exiftool/) it's possible to alter EXIF metadata, which may lead to a reflection
somewhere:
Example:
$ exiftool -Artist='"><img src=1 onerror=alert(document.domain)>' brute.jpeg
(image: https://i2.wp.com/brutelogic.com.br/blog/wp-content/uploads/2016/04/exif-brute-collage.jpg)
3) Content
If the application allows the upload of the SVG file extension (which is also an image type), a file with the following content can be used
to trigger an XSS:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
(image: https://i2.wp.com/brutelogic.com.br/blog/wp-content/uploads/2016/04/xss-gif-source.gif)
To create such an image just use this as content and name it with .gif extension:
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
The signature of a GIF file, GIF89a, is used as a JavaScript variable assigned to the alert function. Between them, however, there's a
commented XSS vector, just in case the image can be retrieved with the text/html MIME type, thus allowing payload execution by simply
requesting the file.
As we can also see below, the UNIX-like file command, along with the PHP functions exif_imagetype() and getimagesize(), recognizes it
as a GIF file. So if an application is using just these to validate the image, the file will be uploaded (but may be sanitized later).
(image: https://i2.wp.com/brutelogic.com.br/blog/wp-content/uploads/2016/04/xss-gif.png)
For more file types whose signature consists of ASCII characters that can be used as a JavaScript variable name, check this list
(https://en.wikipedia.org/wiki/List_of_file_signatures).
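As an added example (not code from the post or its author), here is a small Python validator showing why the signature-only checks above accept the GIF89a polyglot, and what a defender can do with the three entry points instead: check the GIF block structure rather than just the magic bytes, sanitize and escape the filename before it is ever reflected, and pin the response Content-Type with nosniff. The sample filename and file contents are constructed from the post's payloads; REAL_GIF is a hand-built 1x1 image.

```python
import html
import os
import re

# Constructed samples mirroring the post's entry points (filename and content).
XSS_FILENAME = '"><img src=1 onerror=alert(document.domain)>.gif'
GIF_POLYGLOT = b'GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;'
# A genuine 1x1 GIF: header, logical screen descriptor, 2-colour table,
# graphic control extension, image descriptor + data, trailer.
REAL_GIF = (b'GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff'
            b'\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00'
            b'\x02\x02\x44\x01\x00\x3b')

SIGNATURES = {b'GIF87a': 'image/gif', b'GIF89a': 'image/gif'}

def sniff_signature(data: bytes):
    """Signature-only check, the behaviour of exif_imagetype()/getimagesize()/file:
    anything that starts with GIF89a counts as a GIF, so the polyglot passes."""
    for sig, mime in SIGNATURES.items():
        if data.startswith(sig):
            return mime
    return None

def is_structural_gif(data: bytes) -> bool:
    """Stricter check: after the 6-byte signature comes a 7-byte logical screen
    descriptor, an optional global colour table, then an extension (0x21) or
    image descriptor (0x2C) block, and the file must end with the trailer 0x3B.
    The polyglot's JavaScript text never lines up with that layout."""
    if len(data) < 14 or data[:6] not in SIGNATURES:
        return False
    packed = data[10]                                   # GCT flag bit 7, size bits 0-2
    gct_bytes = 3 * (2 << (packed & 7)) if packed & 0x80 else 0
    pos = 13 + gct_bytes
    return pos < len(data) and data[pos] in (0x21, 0x2C) and data[-1] == 0x3B

_UNSAFE = re.compile(r'[^A-Za-z0-9._-]')

def sanitize_filename(name: str) -> str:
    """Never store or reflect the client's name raw: drop any path, keep a safe charset."""
    base = os.path.basename(name.replace('\\', '/'))
    return _UNSAFE.sub('_', base).strip('._') or 'upload'

def reflect(name: str) -> str:
    """If the original name must be shown in HTML, escape it for that context."""
    return html.escape(name, quote=True)

def accept_upload(name: str, data: bytes):
    """Returns (stored_name, response_headers) for a valid GIF, or None when rejected."""
    if sniff_signature(data) != 'image/gif' or not is_structural_gif(data):
        return None
    headers = {
        'Content-Type': 'image/gif',           # chosen by the server, never by the client
        'X-Content-Type-Options': 'nosniff',   # browser must not sniff text/html out of it
        'Content-Disposition': 'attachment',   # direct navigation downloads; <img> still works
    }
    return sanitize_filename(name), headers
```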
There are more elaborate examples of XSS using image files, usually bypassing filters like the GD library ones. A good example of that
is here (https://github.com/d0lph1n98/Defeating-PHP-GD-imagecreatefromgif).
#hack2learn
Brute
April 11, 2016 at 11:31 (http://brutelogic.com.br/blog/le-upload-xss/#comment-170)
It's an issue with the quotes. Type them manually if you are copying and pasting, encapsulating double with single quotes. If you are
on a different system, try to escape < also, with \ (backslash).
Derp
April 11, 2016 at 20:23 (http://brutelogic.com.br/blog/le-upload-xss/#comment-171)
Awesome article! Would it be possible to provide files used to create the source scenario (test.php and xss.gif)? Thanks!
Brute
April 11, 2016 at 20:58 (http://brutelogic.com.br/blog/le-upload-xss/#comment-172)
Thanks. The test.php file is the same as the online version at http://brutelogic.com.br/webgun/test.php?p=reflection
(http://brutelogic.com.br/webgun/test.php?p=reflection) with the simple <?php echo $_GET['p'];?> responsible for the reflected
part. The xss.gif file has the content given in the post (the GIF89a payload).
[] info about that here, here and here. Even imgur would accept such a file (even though it can't be displayed). []
Noch
May 16, 2016 at 14:37 (http://brutelogic.com.br/blog/le-upload-xss/#comment-286)
I'd think W3Schools would have fixed that and offered you a reward for finding that unintended feature for them.
Brute
May 16, 2016 at 14:41 (http://brutelogic.com.br/blog/le-upload-xss/#comment-287)
Kristen (http://www.bing.co.uk)
May 29, 2016 at 13:10 (http://brutelogic.com.br/blog/le-upload-xss/#comment-352)
Jona (http://www.bing.ru)
May 30, 2016 at 03:11 (http://brutelogic.com.br/blog/le-upload-xss/#comment-356)
Paul
June 1, 2016 at 11:19 (http://brutelogic.com.br/blog/le-upload-xss/#comment-367)
Is there any way you know to make this work when the image is displayed as a background in a CSS rule? I couldn't get it right in this
context, and I couldn't find any change to make these attacks work.
Thank you for this great article anyway!
Brute
June 1, 2016 at 11:34 (http://brutelogic.com.br/blog/le-upload-xss/#comment-368)
Tejas
June 2, 2016 at 19:00 (http://brutelogic.com.br/blog/le-upload-xss/#comment-378)
Hi Brute,
First of all, I am glad to read your blogs. You're awesome.
I have one case where I am unable to convert [file uploading XSS only] a self-XSS to a stored XSS. I've tried almost all possibilities; is there
any other stuff to try..?!
Thanks
Brute
June 2, 2016 at 19:28 (http://brutelogic.com.br/blog/le-upload-xss/#comment-379)
Thanks. Basically you need a way to make someone log into your account to get XSSed, after logging out of his/her account if
he/she was already authenticated. You can use a simple HTML form to do it, hosted anywhere.
Tejas
June 3, 2016 at 04:21 (http://brutelogic.com.br/blog/le-upload-xss/#comment-380)
Yes, right. But this won't work out for me. Can I share the scenario in PM or somewhere else..? Thx
Tejas
June 3, 2016 at 06:04 (http://brutelogic.com.br/blog/le-upload-xss/#comment-382)
This will be my first report if I get success, but I am hesitating whether I am right or wrong. Thx for the help in advance.
Brute
June 3, 2016 at 12:08 (http://brutelogic.com.br/blog/le-upload-xss/#comment-383)
Brute
June 11, 2016 at 12:53 (http://brutelogic.com.br/blog/le-upload-xss/#comment-440)
Thanks for your interest in my work. I would need a concrete example of what you are talking about but a simple use of an event
handler may be enough to trigger inside it.
Brute
June 24, 2016 at 12:46 (http://brutelogic.com.br/blog/le-upload-xss/#comment-539)
Forbid it.
abhishek
July 19, 2016 at 13:20 (http://brutelogic.com.br/blog/le-upload-xss/#comment-666)
Kimo
August 24, 2016 at 10:27 (http://brutelogic.com.br/blog/le-upload-xss/#comment-983)
Nice
I couldn't change the file name, even though I tried the above method that you have mentioned.
Please advise.