A file upload is a great opportunity to XSS an application. User restricted area with an uploaded profile picture is everywhere, providing more chances to find a developer’s mistake. If it happens to be a self XSS, just take a look at the previous post.

Basically we have the following entry points for an attack.

1) Filename

The filename itself may be being reflected in the page so it’s just a matter of naming the file with a XSS.

#hack2learn
Although not intended, it’s possible to practice this XSS live at W3Schools.

2) Metadata

Using the exiftool it’s possible to alter EXIF metadata which may lead to a reflection somewhere:

$ exiftool -FIELD=XSS FILE

Example:
$ exiftool -Artist=’ “><img src=1 onerror=alert(document.domain)>’ brute.jpeg

3) Content

If the application allows the upload of a SVG file extension (which is also an image type), a file with the following content can be used to trigger a XSS:

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

A PoC (Proof of Concept) is available live at brutelogic.com.br/poc.svg.

4) Source

It’s easy to build a GIF image to carry a javascript payload for use as a source of a script. This is useful to bypass the CSP (Content Security Policy) protection “script-src ‘self’ ” (which doesn’t allow <script>alert(1)</script>, for example) if we are able to successfully inject in the same domain, as shown below.

To create such an image just use this as content and name it with .gif extension:

GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

The signature of a GIF file, GIF89a, is used as a javascript variable assigned to the alert function. Between them however, there’s a commented XSS vector just in case the image can be retrieved as the text/HTML MIME type, thus allowing payload execution by just requesting the file.

As we can also see below, the file UNIX-like command along with the PHP functions exif_imagetype() and getimagesize() recognize it as a GIF file. So if an application is using just these to validate the image, the file will be uploaded (but may be sanitized later).

For more file types that can have its signature as ASCII characters used for a javascript variable assignment, check this.

There are more elaborated examples of XSS using image files, usually bypassing filters like the GD library ones. A good example of that is here.

File Upload XSS的更多相关文章

  1. jQuery File Upload 单页面多实例的实现

    jQuery File Upload 的 GitHub 地址:https://github.com/blueimp/jQuery-File-Upload 插件描述:jQuery File Upload ...

  2. jQuery File Upload done函数没有返回

    最近在使用jQuery File Upload 上传图片时发现一个问题,发现done函数没有callback,经过一番折腾,找到问题原因,是由于dataType: ‘json’造成的,改为autoUp ...

  3. kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

    kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

  4. 【转发】Html5 File Upload with Progress

    Html5 File Upload with Progress               Posted by Shiv Kumar on 25th September, 2010Senior Sof ...

  5. 用jQuery File Upload做的上传控件demo,支持同页面多个上传按钮

    需求 有这么一个需求,一个form有多个文件要上传,但又不是传统的图片批量上传那种,是类似下图这种需求,一开始是用的swfupload做的上传,但是问题是如果有多个按钮的话,就要写很多重复的代码,于为 ...

  6. jquery file upload 文件上传插件

    1. jquery file upload 下载 jquery file upload Demo 地址:https://blueimp.github.io/jQuery-File-Upload/ jq ...

  7. jQuery File Upload跨域上传

    最近在做一个一手粮互联网项目,方案为前后端分离,自己负责前端框架,采用了Requirejs+avalonjs+jquery三个框架完成. 前后端通过跨域实现接口调用,中间也发现了不少问题,尤其是在富文 ...

  8. 《Play for Java》学习笔记(六)文件上传file upload

    一. Play中标准方法 使用表单form和multipart/form-data的content-type类型. 1.Form @form(action = routes.Application.u ...

  9. [转]Maintain File Upload Control on Postbacks

    本文转自:http://www.ironspeed.com/articles/Maintain%20File%20Upload%20Control/Article.aspx Introduction ...

随机推荐

  1. Django REST framework基础:解析器和渲染器

    解析器 解析器的作用 解析器的作用就是服务端接收客户端传过来的数据,把数据解析成自己可以处理的数据.本质就是对请求体中的数据进行解析. 在了解解析器之前,我们要先知道Accept以及ContentTy ...

  2. idea maven无法热布署exploded

    (原) 有时,你的idea可能会偶尔出现点小问题,特别是在用maven的时候,以前可以用的热布署发现没有了.就像这样: 少了一个选项,并且下面会有一个提示,no artifacts configure ...

  3. 使用serialize时多数据传递

    class CartList(APIView): #定义编辑方法 def post(self,request): username = request.POST.get('username') # p ...

  4. ssh远程 和 上传/下载工具

    常用的ssh远程工具有: putty  : 软件体积小,开源免费. xshell  : 功能强大,亦有免费试用版本 SecureCRT  : 功能强大 ftp  : 该软件用于上传下载文件 通过ssh ...

  5. git revert用法以及与git reset的区别

    git revert用法 git revert 撤销 某次操作,此次操作之前和之后的commit和history都会保留,并且把这次撤销 作为一次最新的提交 * git revert HEAD     ...

  6. jquery实现点击控制div的显示和隐藏

    我们使用点击显示.点击隐藏的时候,一般有两种可选方案 .示例 html <div class="index"> <h1> 首页 </h1> &l ...

  7. P1196 [NOI2002]银河英雄传说(带权并查集)

    这个题的题目背景很是宏大,什么宇宙战舰的都出来了.但细细一看,我们就会发现,这是带权并查集的题目,首先我们还是像之前在并查集中的操作一样,但在这里我们还是应该开数组来维护所要加的权值,两个战舰是否在同 ...

  8. Eclipse 设置背景色

    window -> preferences ->  General -> Editors -> Test Editors -> Background color 勾掉Sy ...

  9. Object Detection with 10 lines of code - Image AI

    To perform object detection using ImageAI, all you need to do is Install Python on your computer sys ...

  10. Azure Machine Learning

    About me In my spare time, I love learning new technologies and going to hackathons. Our hackathon p ...