File Upload XSS

HACK 2 LEARN (HTTP://BRUTELOGIC.COM.
BR/BLOG/)
Master the art of Cross Site Scripting.
Menu
Home (http://brutelogic.com.br/blog/) > File Upload XSS
File Upload XSS

April 11, 2016 (http://brutelogic.com.br/blog/le-upload-xss/)
(http://brutelogic.com.br/blog/category/xss-building/)
Brute (http://brutelogic.com.br/blog/author/brute/) The Art of XSS Payload Building
A file upload is a great opportunity to XSS an application. User restricted area with an uploaded profile picture is everywhere,
providing more chances to find a developers mistake. If it happens to be a self XSS, just take a look at the previous post
(http://brutelogic.com.br/blog/leveraging-self-xss/).
Basically we have the following entry points for an attack.
1) Filename
The filename itself may be being reflected in the page so its just a matter of naming the file with a XSS.
(https://i1.wp.com/brutelogic.com.br/blog/wp-
content/uploads/2016/04/xss-gif-filename.gif)
#hack2learn
Although not intended, its possible to practice this XSS live at W3Schools (http://www.w3schools.com/jsref/tryit.asp?
filename=tryjsref_fileupload_value).
2) Metadata
Using the exiftool (http://www.sno.phy.queensu.ca/~phil/exiftool/)its possible to alter EXIF metadata which may lead to a reflection
somewhere:
$ exiftool -FIELD=XSS FILE
Example:
$ exiftool -Artist= ><img src=1 onerror=alert(document.domain)> brute.jpeg
content/uploads/2016/04/exif-brute-collage.jpg)
3) Content
If the application allows the upload of a SVG file extension (which is also an image type), a file with the following content can be used
to trigger a XSS:
<svgxmlns="http://www.w3.org/2000/svg"onload="alert(document.domain)"/>
A PoC (Proof of Concept) is available live at brutelogic.com.br/poc.svg (http://brutelogic.com.br/poc.svg).

4) Source
Its easy to build a GIF image to carry a javascript payload for use as a source of a script. This is useful to bypass the CSP (Content
Security Policy) protection script-src self (which doesnt allow <script>alert(1)</script>, for example) if we are able to successfully
inject in the same domain, as shown below.
content/uploads/2016/04/xss-gif-source.gif)
To create such an image just use this as content and name it with .gif extension:
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
The signature of a GIF file, GIF89a, is used as a javascript variable assigned to the alert function. Between them however, theres a
commented XSS vector just in case the image can be retrieved as the text/HTML MIME type, thus allowing payload execution by just
requesting the file.
As we can also see below, the file UNIX-like command along with the PHP functions exif_imagetype() and getimagesize() recognize it
as a GIF file. So if an application is using just these to validate the image, the file will be uploaded (but may be sanitized later).
Translate
content/uploads/2016/04/xss-gif.png)
For more file types that can have its signature as ASCII characters used for a javascript variable assignment, check this
(https://en.wikipedia.org/wiki/List_of_file_signatures).
There are more elaborated examples of XSS using image files, usually bypassing filters like the GD library ones. A good example of that
is here (https://github.com/d0lph1n98/Defeating-PHP-GD-imagecreatefromgif).
#hack2learn
Free Skill Certi cation
One free cyber security skill certi cation

at Cybrary, code FREESCT1
(http://www.specificfeeds.com/widgets/emailSubscribeEncFeed/Y3RRTFk2Uld0MTBqbmpQT3VNeVNWeE5FWkJ3ak5ITEJCNTl4NVdSYXBzb1M
Share this:
(http://brutelogic.com.br/blog/le-upload-xss/?share=twitter&nb=1)
(http://brutelogic.com.br/blog/le-upload-xss/?share=facebook&nb=1)
22
(http://brutelogic.com.br/blog/le-upload-xss/?share=google-plus-1&nb=1)
Related
(http://brutelogic.com.br/blog/xss-andrce/)
(http://brutelogic.com.br/blog/corsenabled-xss/)
(http://brutelogic.com.br/blog/crossorigin-scripting/)
XSS and RCE (http://brutelogic.com.br/blog/xss-and-rce/)

In "The Art of XSS Payload Building"
CORS Enabled XSS (http://brutelogic.com.br/blog/corsenabled-xss/)

Cross-Origin Scripting (http://brutelogic.com.br/blog/crossorigin-scripting/)

Leveraging Self-XSS (http://brutelogic.com.br/blog/leveraging-self-xss/)
Chrome XSS Bypass (http://brutelogic.com.br/blog/chrome-xss-bypass/)
25 thoughts on File Upload XSS

Mehran
Translate
April 11, 2016 at 03:54 (http://brutelogic.com.br/blog/le-upload-xss/#comment-167)
Nice info , Thanks but i got error on exiftool

bash: syntax error near unexpected token `<'
Log in to Reply (http://brutelogic.com.br/blog/wp-login.php?redirect_to=http%3A%2F%2Fbrutelogic.com.br%2Fblog%2Fle-upload-xss%2F)
Brute
Its an issue with the quotes. Type them manually if you are copying and pasting, encapsulating double with single quotes. If you are
on a different system try to escape < also, with \ (backslash).
Derp
Awesome article! Would it be possible to provide files used to create the source scenario (test.php and xss.gif)? Thanks!
Brute
Thanks. The test.php file is the same as the online version at http://brutelogic.com.br/webgun/test.php?p=reflection
(http://brutelogic.com.br/webgun/test.php?p=reflection) with the simple < ?php echo $_GET['p'];?> responsible for the reflected
part. The xss.gif file has the content given in the post (the GIF89a payload).
XSS | (http://www.evil0x.com/posts/20269.html)
[] *brutelogicFBxiaixFreeBufFreeBuf.COM []
| (http://www.lisiyi.cn/index.php/2016/04/16/js/)
[] *brutelogicFBxiaixFreeBufFreeBuf.COM []
Bypassing Chromes XSS Auditor Part 2 asdizzle's blog (https://blog.asdizzle.com/index.php/2016/04/17/bypassing-chromes-xss-auditor-part2/)

[] info about that here, here and here. Even imgur would accept such a file (even though it cant be displayed). []
Noch
May 16, 2016 at 14:37 (http://brutelogic.com.br/blog/le-upload-xss/#comment-286)
Id think W3Schools would have fixed and offered you a reward for finding that unintended feature for them
Translate
Brute
I dont think so: https://www.openbugbounty.org/search/?search=w3schools&type=host

(https://www.openbugbounty.org/search/?search=w3schools&type=host)
Kristen (http://www.bing.co.uk)
Greetings from Los angeles! Im bored at work

so I decided to check out your blog on my iphone during lunch break.
I love the knowledge you present here and cant wait to take a
look when I get home. Im amazed at how fast your blog loaded on my cell phone ..
Im not even using WIFI, just 3G .. Anyhow, amazing blog!
Jona (http://www.bing.ru)
bookmarked!!, I like your web site!
Paul
June 1, 2016 at 11:19 (http://brutelogic.com.br/blog/le-upload-xss/#comment-367)
Is there any way you know to make this work when the image is displayed as background in a CSS rule? I couldnt get it right in this
context, and I couldnt find any change to make these attacks work.
Thank you for this great article anyway!
Brute
Thanks. Unfortunately this is not possible, except for old IE versions.

Tejas
Hi Brute,
Very first thing I am glad to read your blogs, Youre awesome.
I have one case where I am unable to convert [File uploading xss only] a self xss to stored xss. Ive tried almost all possibilities, is there
any other stuff to be try..?!
Thanks
Brute
Thanks. Basically you need a way to make someone log into your account to get XSSed, after logging out of his/her account if
him/her was already authenticated. You can use a simple HTML form to do it, hosted anywhere.
Translate
Tejas
Yes Right. But this wont work it out for me. Can I share the scenario in PM or somewhere else..? Thx
Tejas
This will be my first report if get success but hesitating I am right or wrong. Thx for help in advance.
Log in to Reply (http://brutelogic.com.br/blog/wp-login.php?redirect_to=http%3A%2F%2Fbrutelogic.com.br%2Fblog%2Fle-uploadxss%2F)
Brute
Sure, call me on Twitter.

Log in to Reply (http://brutelogic.com.br/blog/wp-login.php?redirect_to=http%3A%2F%2Fbrutelogic.com.br%2Fblog%2Fle-uploadxss%2F)
Hameed Mahmoud (http://@fasthm00)

Hi Man , Big thanks for your efforts

I would like to ask about the span tag , in some site while Im testing for XSS , i watch my payload were injected and see it in span tag
payload
,with no interaction or loaded is there a trick in that ?
thanks alot again
Brute
Thanks for your interest in my work. I would need a concrete example of what you are talking about but a simple use of an event
handler may be enough to trigger inside it.
Hameed Mahmoud (http://@fasthm00)

All right i will check it , Kind Regard

Murthy sagi (http://google.com)

what is the best mitigation for SVG file ?

Brute
Forbid it.
Translate
abhishek
July 19, 2016 at 13:20 (http://brutelogic.com.br/blog/le-upload-xss/#comment-666)
awesome explanation, keep up the good work buddy.

Kimo
August 24, 2016 at 10:27 (http://brutelogic.com.br/blog/le-upload-xss/#comment-983)
Nice
I couldnt change file name, even tried the above method that you have mentioned
Please advice
Leave a Reply
You must be logged in (http://brutelogic.com.br/blog/wp-login.php?redirect_to=http%3A%2F%2Fbrutelogic.com.br%2Fblog%2Ffileupload-xss%2F) to post a comment.
SelectLanguage
(https://www.netsparker.com/netsparker-web-application-security-scanner/hack-website-before-hackers/?
utm_source=brutelogic.com.br&utm_medium=banner&utm_content=hack+b4&utm_campaign=ns+advert)
FEATURED POSTS
AntiviruXSS White Paper (http://brutelogic.com.br/blog/antiviruxss-paper/)
In the following paper,@strukt93and me describe how we were able to find XSS flaws in 8 []
Translate
Translate
The Genesis of an XSS Worm Part II (http://brutelogic.com.br/blog/genesis-xss-worm-part-ii/)

If you missed, part I of this series ishere. In order to understand our XSS worm in []
Translate
Bypassing Javascript Overrides (http://brutelogic.com.br/blog/bypassing-javascript-overrides/)

Some time ago, a curious mitigation to XSS was presented here. By hijacking and []
(https://leanpub.com/web-hacking-101)
FOLLOW ME
Tweetsby@brutelogic
Translate
Brute
@brutelogic
ReflectedinWateringHolebrutelogic.com.br/blog/reflected#XSS#review2learn
ReflectedinWateringHoleHack2Learn
Crosssitescriptingbecomesmuchmoredangerouswhenusedwithan
brutelogic.com.br
3h
Embed
BE NOTIFIED
Name
Email *
Subscribe
ViewonTwitter
ALL POSTS
XSS Challenge I (http://brutelogic.com.br/blog/xss-challenge-i/)
Calling Remote Script With Event Handlers (http://brutelogic.com.br/blog/calling-remote-script-with-event-handlers/)
Four Horsemen of the Web Apocalypse (http://brutelogic.com.br/blog/four-horsemen-web-apocalypse/)
The Easiest Way to Bypass XSS Mitigations (http://brutelogic.com.br/blog/the-easiest-way-to-bypass-xss-mitigations/)
XSS Authority Abuse (http://brutelogic.com.br/blog/xss-authority-abuse/)
Reflected in Watering Hole (http://brutelogic.com.br/blog/reflected-watering-hole/)
Bypassing Javascript Overrides (http://brutelogic.com.br/blog/bypassing-javascript-overrides/)
The Genesis of an XSS Worm Part III (http://brutelogic.com.br/blog/genesis-xss-worm-part-iii/)
The Genesis of an XSS Worm Part II (http://brutelogic.com.br/blog/genesis-xss-worm-part-ii/)
The Genesis of an XSS Worm Part I (http://brutelogic.com.br/blog/genesis-xss-worm-part-i/)
The Shortest Reflected XSS Attack Possible (http://brutelogic.com.br/blog/shortest-reflected-xss-possible/)
Looking for XSS in PHP Source Code (http://brutelogic.com.br/blog/looking-xss-php-source/)
AntiviruXSS White Paper (http://brutelogic.com.br/blog/antiviruxss-paper/)
Avoiding XSS Detection (http://brutelogic.com.br/blog/avoiding-xss-detection/)
Blind XSS Code (http://brutelogic.com.br/blog/blind-xss-code/)
XSS and RCE (http://brutelogic.com.br/blog/xss-and-rce/)
CORS Enabled XSS (http://brutelogic.com.br/blog/cors-enabled-xss/)
Chrome XSS Bypass (http://brutelogic.com.br/blog/chrome-xss-bypass/)
File Upload XSS (http://brutelogic.com.br/blog/file-upload-xss/)
Leveraging Self-XSS (http://brutelogic.com.br/blog/leveraging-self-xss/)
XSS in Mobile Devices (http://brutelogic.com.br/blog/xss-in-mobile-devices/)
Cross-Origin Scripting (http://brutelogic.com.br/blog/cross-origin-scripting/)
Transcending Context-Based Filters (http://brutelogic.com.br/blog/transcending-context-based-filters/)
XSS Without Event Handlers (http://brutelogic.com.br/blog/xss-without-event-handlers/)
Multi Reflection XSS (http://brutelogic.com.br/blog/multi-reflection-xss/)
Using XSS to Control a Browser (http://brutelogic.com.br/blog/using-xss-to-control-a-browser/)
Source-Breaking Injections (http://brutelogic.com.br/blog/source-breaking-injections/)
Location Based Payloads Part IV (http://brutelogic.com.br/blog/location-based-payloads-part-iv/)
Location Based Payloads Part III (http://brutelogic.com.br/blog/location-based-payloads-part-iii/)
Location Based Payloads Part II (http://brutelogic.com.br/blog/location-based-payloads-part-ii/)
Location Based Payloads Part I (http://brutelogic.com.br/blog/location-based-payloads-part-i/)
Probing to Find XSS (http://brutelogic.com.br/blog/probing-to-find-xss/)
Filter Bypass Procedure (http://brutelogic.com.br/blog/filter-bypass-procedure/)
Existing Code Reuse (http://brutelogic.com.br/blog/existing-code-reuse/)
Agnostic Event Handlers (http://brutelogic.com.br/blog/agnostic-event-handlers/)
XSS Payload Scheme (http://brutelogic.com.br/blog/xss-payload-scheme/)
SiteCheckWebsiteScanner
Translate
Scanyoursiteformalware&blacklists.
EnterURL
Scan
PoweredbySucuriSiteCheck
(http://sitecheck.sucuri.net/)
(https://sucuri.net)
Sponsored by Netsparker Web Application Security Scanner (https://www.netsparker.com/?

utm_source=brutelogic.com.br&utm_medium=referral&utm_content=brand+name&utm_campaign=generic+advert)
Proudly powered by WordPress (http://wordpress.org/)
Theme: Big Brother by WordPress.com (http://automattic.com).

File Upload XSS - Hack 2 Learn

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

File Upload XSS - Hack 2 Learn

Caricato da

Copyright:

Formati disponibili

HACK 2 LEARN (HTTP://BRUTELOGIC.COM.

Brute (http://brutelogic.com.br/blog/author/brute/) The Art of XSS Payload Building

$ exiftool -FIELD=XSS FILE

A PoC (Proof of Concept) is available live at brutelogic.com.br/poc.svg (http://brutelogic.com.br/poc.svg).

Free Skill Certi cation

One free cyber security skill certi cation

XSS and RCE (http://brutelogic.com.br/blog/xss-and-rce/)

CORS Enabled XSS (http://brutelogic.com.br/blog/corsenabled-xss/)

Cross-Origin Scripting (http://brutelogic.com.br/blog/crossorigin-scripting/)

Leveraging Self-XSS (http://brutelogic.com.br/blog/leveraging-self-xss/)

Chrome XSS Bypass (http://brutelogic.com.br/blog/chrome-xss-bypass/)

25 thoughts on File Upload XSS

April 11, 2016 at 03:54 (http://brutelogic.com.br/blog/le-upload-xss/#comment-167)

Nice info , Thanks but i got error on exiftool

April 11, 2016 at 20:58 (http://brutelogic.com.br/blog/le-upload-xss/#comment-172)

Bypassing Chromes XSS Auditor Part 2 asdizzle's blog (https://blog.asdizzle.com/index.php/2016/04/17/bypassing-chromes-xss-auditor-part2/)

I dont think so: https://www.openbugbounty.org/search/?search=w3schools&type=host

Greetings from Los angeles! Im bored at work

bookmarked!!, I like your web site!

Log in to Reply (http://brutelogic.com.br/blog/wp-login.php?redirect_to=http%3A%2F%2Fbrutelogic.com.br%2Fblog%2Fle-upload-xss%2F)

Thanks. Unfortunately this is not possible, except for old IE versions.

Log in to Reply (http://brutelogic.com.br/blog/wp-login.php?redirect_to=http%3A%2F%2Fbrutelogic.com.br%2Fblog%2Fle-upload-xss%2F)

Sure, call me on Twitter.

Hameed Mahmoud (http://@fasthm00)

Hi Man , Big thanks for your efforts

Hameed Mahmoud (http://@fasthm00)

All right i will check it , Kind Regard

Murthy sagi (http://google.com)

what is the best mitigation for SVG file ?

Log in to Reply (http://brutelogic.com.br/blog/wp-login.php?redirect_to=http%3A%2F%2Fbrutelogic.com.br%2Fblog%2Fle-upload-xss%2F)

awesome explanation, keep up the good work buddy.

The Genesis of an XSS Worm Part II (http://brutelogic.com.br/blog/genesis-xss-worm-part-ii/)

Bypassing Javascript Overrides (http://brutelogic.com.br/blog/bypassing-javascript-overrides/)

Sponsored by Netsparker Web Application Security Scanner (https://www.netsparker.com/?

Potrebbero piacerti anche