How I got stored XSS using file upload

Apr 17, 2018 · 2 min read

Hi Everyone,

I always believed that sharing is caring, and I have been learning from many security researchers in the bug bounty field. Today I am going to share a simple method of getting XSS through a file upload. A few days back I got an invitation to a HackerOne private program. It was a very old program (100+ reports resolved), but I still tried to find something interesting.

Looking into that functionality, I could see there was an option to enter data manually as well as via file upload (CSV only).

There was a strict restriction on the upload's file extension (.csv only). There were four fields: firstname, lastname, company and mobile number. First I simply tried to bypass it using Burp by changing the Content-Type to text/html, but got no XSS, as something at the server level was blocking it.

[Images: time to dig more]

Later I tried putting a simple payload in the CSV file, like <script>alert(1)</script>, in the first three fields, but something on the server was blocking the <script> tag. Then I tried many payloads and nothing worked.

Finally I tried with </Textarea/</Noscript/</Pre/</Xmp><Svg /Onload=confirm(document.domain)> and got stored XSS.

[Images: stored XSS]
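The root cause here is that the server filtered input for one tag name instead of encoding output. The following is an added example, not code from the post or the program: it parses a constructed four-column CSV upload, shows that a blocklist on the <script> tag lets the payload quoted above straight through, and renders the rows with contextual HTML escaping so the same field is displayed as text rather than markup. The column names and the "mobile must be digits" rule are assumptions for the example.

```python
import csv
import html
import io
import re

FIELDS = ["firstname", "lastname", "company", "mobile"]

# Constructed sample upload (not from the original post): the same four columns
# as the import form, with the payload quoted in the post in the first field.
SAMPLE_CSV = (
    "firstname,lastname,company,mobile\n"
    "Alice,Smith,Example Corp,5550100\n"
    '"</Textarea/</Noscript/</Pre/</Xmp><Svg /Onload=confirm(document.domain)>",Doe,Acme,5550101\n'
)

# The sort of server-side check the post describes: refuse a field if it holds a <script> tag.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def blocklist_rejects(value: str) -> bool:
    """Naive input filter: True only when the field contains a <script> tag."""
    return SCRIPT_TAG.search(value) is not None


def parse_upload(data: str) -> list[dict]:
    """Parse the CSV and enforce the column set; field values are kept verbatim."""
    reader = csv.DictReader(io.StringIO(data))
    if reader.fieldnames != FIELDS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    rows = []
    for row in reader:
        if not row["mobile"].isdigit():  # validate the shape of what a field must be
            raise ValueError(f"bad mobile number: {row['mobile']!r}")
        rows.append(row)
    return rows


def render_row(row: dict) -> str:
    """Output-encode every field at the point it is placed into HTML."""
    cells = "".join(f"<td>{html.escape(row[k], quote=True)}</td>" for k in FIELDS)
    return f"<tr>{cells}</tr>"


if __name__ == "__main__":
    for row in parse_upload(SAMPLE_CSV):
        print("blocklist would reject:", blocklist_rejects(row["firstname"]))
        print(render_row(row))
```

Running it shows the blocklist returns False for the payload row while the rendered cell contains only &lt; and &gt; entities, so the browser never sees an element to execute.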

And my expression was like "Got it, got it!" (Mil gaya, mil gaya ...):


Thanks for reading my blog, I hope you liked it.
