A file upload is a great opportunity to XSS an application. User restricted area with an uploaded profile picture is everywhere, providing more chances to find a developer’s mistake. If it happens to be a self XSS, just take a look at the previous post.

Basically we have the following entry points for an attack.

1) Filename

The filename itself may be being reflected in the page so it’s just a matter of naming the file with a XSS.

#hack2learn
Although not intended, it’s possible to practice this XSS live at W3Schools.

2) Metadata

Using the exiftool it’s possible to alter EXIF metadata which may lead to a reflection somewhere:

$ exiftool -FIELD=XSS FILE

Example:
$ exiftool -Artist=’ “><img src=1 onerror=alert(document.domain)>’ brute.jpeg

3) Content

If the application allows the upload of a SVG file extension (which is also an image type), a file with the following content can be used to trigger a XSS:

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

A PoC (Proof of Concept) is available live at brutelogic.com.br/poc.svg.

4) Source

It’s easy to build a GIF image to carry a javascript payload for use as a source of a script. This is useful to bypass the CSP (Content Security Policy) protection “script-src ‘self’ ” (which doesn’t allow <script>alert(1)</script>, for example) if we are able to successfully inject in the same domain, as shown below.

To create such an image just use this as content and name it with .gif extension:

GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

The signature of a GIF file, GIF89a, is used as a javascript variable assigned to the alert function. Between them however, there’s a commented XSS vector just in case the image can be retrieved as the text/HTML MIME type, thus allowing payload execution by just requesting the file.

As we can also see below, the file UNIX-like command along with the PHP functions exif_imagetype() and getimagesize() recognize it as a GIF file. So if an application is using just these to validate the image, the file will be uploaded (but may be sanitized later).

For more file types that can have its signature as ASCII characters used for a javascript variable assignment, check this.

There are more elaborated examples of XSS using image files, usually bypassing filters like the GD library ones. A good example of that is here.

File Upload XSS的更多相关文章

  1. jQuery File Upload 单页面多实例的实现

    jQuery File Upload 的 GitHub 地址:https://github.com/blueimp/jQuery-File-Upload 插件描述:jQuery File Upload ...

  2. jQuery File Upload done函数没有返回

    最近在使用jQuery File Upload 上传图片时发现一个问题,发现done函数没有callback,经过一番折腾,找到问题原因,是由于dataType: ‘json’造成的,改为autoUp ...

  3. kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

    kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

  4. 【转发】Html5 File Upload with Progress

    Html5 File Upload with Progress               Posted by Shiv Kumar on 25th September, 2010Senior Sof ...

  5. 用jQuery File Upload做的上传控件demo,支持同页面多个上传按钮

    需求 有这么一个需求,一个form有多个文件要上传,但又不是传统的图片批量上传那种,是类似下图这种需求,一开始是用的swfupload做的上传,但是问题是如果有多个按钮的话,就要写很多重复的代码,于为 ...

  6. jquery file upload 文件上传插件

    1. jquery file upload 下载 jquery file upload Demo 地址:https://blueimp.github.io/jQuery-File-Upload/ jq ...

  7. jQuery File Upload跨域上传

    最近在做一个一手粮互联网项目,方案为前后端分离,自己负责前端框架,采用了Requirejs+avalonjs+jquery三个框架完成. 前后端通过跨域实现接口调用,中间也发现了不少问题,尤其是在富文 ...

  8. 《Play for Java》学习笔记(六)文件上传file upload

    一. Play中标准方法 使用表单form和multipart/form-data的content-type类型. 1.Form @form(action = routes.Application.u ...

  9. [转]Maintain File Upload Control on Postbacks

    本文转自:http://www.ironspeed.com/articles/Maintain%20File%20Upload%20Control/Article.aspx Introduction ...

随机推荐

  1. 【Python 21】52周存钱挑战1.0

    1.案例描述 按照52周存钱法,存钱人必须在一年52周内,每周递存10元.例如,第一周存10元,第二周存20元,第三周存30元,直到第52周存520元. 记录52周后能存多少钱?即10+20+30+. ...

  2. 错误ERROR datanode.DataNode (DataXceiver.java:run(278)) - hadoop07:50010DataXceiver error processing unknown operation src:127.0.0.136479 dst:127.0.0.150010

    原因: Ambari 每分钟会向datanode发送"ping"连接一下去确保datanode是正常工作的.否则它会触发alert.但是datanode并没有处理空内容的逻辑,所以 ...

  3. 使用time+dd测试硬盘读写速度

    命令:time dd if=/dev/zero bs=1M count=2048 of=direct_2G   此命令为在当前目录下新建一个2G的文件 Demo如下: 写速度: time dd if= ...

  4. HTML&CSS

    行内元素 <a>.<span>.<br>.<i>.<em>.<strong>.<label>.<q>.& ...

  5. solr 7.7 搭建和搜索

    最近做了个solr搜索的demo, 用的是solr7.7,之前网上好多文章搭建solr都是5.5+tomcat.. 自己摆弄了下,发现solr7.7和5.5 的部分文件夹有些改动,没有深究原理也就没有 ...

  6. 期末架构-Centos7

    00--linux运维架构演变过程 01--老男孩教育-CentOS6和7 01-笔记 安装系统 系统下载地址:http://mirrors.aliyun.com/centos/7/isos/x86_ ...

  7. 数据库訪问技术之JDBC

    版权声明:本文为博主原创文章,未经博主同意不得转载. https://blog.csdn.net/zhuojiajin/article/details/32150883     在了解JDBC之前呢, ...

  8. vue.js 跳转同一页面,传不同值,组件监听路由

    watch: { '$route' () { this.type = this.$route.params.type this.loadData() } },

  9. 炸弹人游戏开发系列(7):加入敌人,使用A*算法寻路

    前言 上文中我们实现了炸弹人与墙的碰撞检测,以及设置移动步长来解决发现的问题.本文会加入1个AI敌人,敌人使用A*算法追踪炸弹人. 本文目的 加入敌人,追踪炸弹人 本文主要内容 开发策略 加入敌人 实 ...

  10. Python——封装

    广义上面向对象的封装:代码的保护,面向对象的思想本身是一种保护,只让自己的对象能调用自己累的方法 狭义上的封装——面向对象的三大特性之一  属性.方法都隐藏起来,不让你看见 规则: 1.所有的私有,都 ...