Hi, hope you guys are doing great! Here is a story about how I found a stored XSS using SVG files.

Approach

Found a target that has many features, including Discussion, Discovery, Mixtapes, Shorts, Activity and whatnot. I went ahead with looking at the user dashboard.
Why would I look for XSS at a user dashboard where only I am the visitor?

Nice question! If I found XSS there, it would be considered a self XSS, which has no impact. The challenge would be converting the self XSS into a valid one.

One parameter that could be shared outside the dashboard was the profile picture URL. So I needed to find a way to upload a malicious file instead of a JPEG.

After doing some research on HackerOne, I found out that SVG is treated as an image, and it also allows JavaScript to execute.

OK, so now we know that we have to upload an SVG file instead of a valid JPEG.

Bypassing Filter

The only valid files that could be uploaded were JPEG or PNG files.

How was the file being verified?

  • They were making an API POST request with only the image header being sent. If the header was valid, a second POST request uploaded the actual file. There was no validation on this second POST request.
  • Here we can just send a valid PNG in the first request and, in the second request, replace the PNG contents with the SVG payload.
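The root cause above is that the type check and the content upload are two separate requests, and only the first is validated. The following is an added example, not code from the original write-up or the target: a server-side check for the second request that sniffs the bytes actually uploaded and rejects anything whose real type is not PNG/JPEG or does not match the type declared earlier. The function names and sample bytes are constructed for illustration.

```python
import re

# Magic bytes of the two formats the site intended to allow.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# An SVG is just XML text: match a document start, allowing a BOM and leading whitespace.
SVG_RE = re.compile(
    rb"^\s*(?:\xef\xbb\xbf)?\s*(?:<\?xml|<svg|<!doctype\s+svg)", re.IGNORECASE
)

ALLOWED_TYPES = {"png", "jpeg"}


def sniff_image_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring any client-declared type."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if SVG_RE.match(data[:512]):
        return "svg"
    return "unknown"


def validate_upload(declared_type: str, data: bytes) -> tuple[bool, str]:
    """Check the content-carrying request: the sniffed type must be allowed AND
    must equal the type the first (header-only) request declared."""
    actual = sniff_image_type(data)
    if actual not in ALLOWED_TYPES:
        return False, f"rejected: content sniffed as {actual}"
    if actual != declared_type.lower():
        return False, f"rejected: declared {declared_type} but content is {actual}"
    return True, f"accepted: {actual}"


# Constructed samples (hypothetical, not real uploads from the write-up).
PNG_SAMPLE = PNG_MAGIC + b"\x00" * 16
SVG_SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

if __name__ == "__main__":
    print(validate_upload("png", PNG_SAMPLE))  # accepted: png
    print(validate_upload("png", SVG_SAMPLE))  # rejected, SVG swapped in after the header check
```

The same check should run on every request that writes file content, and the stored original should never be served directly; only the re-encoded derivative should be.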

…

After successfully bypassing the checks and uploading the image, there was no alert box waiting for me to close it 🙁. Later I found out that they were using ImageMagick to compress the image size.

https://media.redacted.com/img/?size=medium — I just had to remove the size parameter, which loaded the original SVG image instead of the re-encoded one.

… How is this impactful?

Instead of calling alert, we can write an XHR request that sends the cookie data to our server. Because it contains a very critical ACCESS_TOKEN, we could possibly take over someone's account. Just send the user the link and wait for them to click.

Making it a successful one click exploit!