I have always believed that sharing is caring, and I have been learning from many security researchers in the bug bounty field. Today I am going to share a simple method of getting XSS through a file upload. A few days back I got an invitation to a HackerOne private program. It was a very old program (100+ reports resolved), but I still tried to find something interesting.
While looking at the functionality I saw that there was an option to add data manually as well as via file upload (CSV only).
Uploads were strictly restricted by extension (.csv only). There were four fields: firstname, lastname, company and mobile number. First I tried to bypass this with Burp by changing the Content-Type to text/html, but that gave no XSS, as something on the server side was blocking it.
Later I tried putting a simple payload in the CSV file, like <script>alert(1)</script> in the first three fields, but something on the server was blocking the <script> tag. Then I tried many payloads and nothing worked.
Finally I tried </Textarea/</Noscript/</Pre/</Xmp><Svg /Onload=confirm(document.domain)> and got stored XSS.
My reaction was like (Got it, got it ...):
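To show why the server-side check described above failed and what actually fixes this class of bug, here is an added Python example (my own, not code from the program or the original post). It models the upload as a four-column CSV, a blocklist that only rejects <script> tags (an assumption about what the server was doing, based on the behaviour described), the vulnerable rendering that interpolates field values straight into HTML, and the hardened rendering that HTML-encodes each cell. The sample CSV is constructed for the example and carries the post's own payload in the first three fields.

```python
import csv
import html
import io
import re

# Constructed sample upload with the four columns the post describes. The
# second row carries the post's payload; this is test data, not a real upload.
PAYLOAD = "</Textarea/</Noscript/</Pre/</Xmp><Svg /Onload=confirm(document.domain)>"
SAMPLE_CSV = (
    "firstname,lastname,company,mobile\n"
    "Alice,Smith,Example Ltd,+1 555 0100\n"
    f'"{PAYLOAD}","{PAYLOAD}","{PAYLOAD}",+1 555 0101\n'
)
COLUMNS = ("firstname", "lastname", "company", "mobile")

# Assumed shape of the server-side check: it only looks for <script> tags.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def script_blocklist_allows(value: str) -> bool:
    """Return True when a <script>-only blocklist would let the value through."""
    return SCRIPT_TAG.search(value) is None


def parse_csv_upload(text: str) -> list:
    """Parse the uploaded CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def render_cell_unsafe(value: str) -> str:
    """Vulnerable: the CSV value is interpolated into HTML without encoding."""
    return f"<td>{value}</td>"


def render_cell_safe(value: str) -> str:
    """Hardened: encode for the HTML element-content context before interpolating."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def render_table(rows: list, safe: bool) -> str:
    """Render all rows; `safe` selects the encoded or the raw cell renderer."""
    render = render_cell_safe if safe else render_cell_unsafe
    body = "".join(
        "<tr>" + "".join(render(row[c]) for c in COLUMNS) + "</tr>" for row in rows
    )
    return f"<table>{body}</table>"


def cell_markup_is_inert(rendered_cell: str) -> bool:
    """True when nothing inside the <td> can open a tag or break out of an attribute."""
    inner = rendered_cell[len("<td>"):-len("</td>")]
    return "<" not in inner and ">" not in inner and '"' not in inner


# Allow-list validation for a field with a known shape, layered on top of
# output encoding (the encoding is what stops the XSS; this just rejects junk early).
MOBILE_RE = re.compile(r"^\+?[0-9][0-9 ()-]{5,19}$")


def mobile_is_valid(value: str) -> bool:
    """Accept only digits, spaces, parentheses, hyphens and an optional leading plus."""
    return MOBILE_RE.fullmatch(value) is not None


if __name__ == "__main__":
    rows = parse_csv_upload(SAMPLE_CSV)
    print("script-only blocklist passes the payload:", script_blocklist_allows(PAYLOAD))
    print("unsafe:", render_table(rows, safe=False))
    print("safe:  ", render_table(rows, safe=True))
```

Two points the example makes concrete: the blocklist accepts the payload because no tag name in it is "script", so any filter built around tag names is one unlisted tag or attribute away from being bypassed; and the Content-Type of the upload never mattered, since the values are rendered inside an existing HTML page rather than served as a file. The fix is contextual output encoding of every field at render time, with field-shape validation (like the mobile check) as a secondary layer.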
Thanks for reading my blog, I hope you liked it.