
I just wanted to know if it's possible... If I have an image, i.e. abc.jpeg, and I rename it to an XSS vector such as <img src=x onerror=alert(1)>.jpeg, will it successfully produce the XSS, or is there actually another way to do this...

CBHacking

sheppard

1 Answer


Could there exist some site that is vulnerable in this way? Sure, obviously. If the server takes the user-supplied file name and tries to emit it, unescaped, into the document, you'll get XSS. Same as any other user-supplied data.

Is the particular site you're looking at, or indeed any site on the whole Internet right now, vulnerable? We have no way to know the former, and I at least don't know the latter.

Mind you, there's a ton of ways to attack file uploads. Upload an HTML file containing malicious JavaScript and then request it from the server for XSS. Use path traversal to overwrite other files, which can overwrite user data, trash the server, or potentially get you code execution on the server. Use spaces and shell metacharacters to try and get command injection (code execution). Upload a server-side code file (PHP, ASPX, JSP, whatever the server uses) and navigate to the page to see if you can make the server execute your code. Upload a zip bomb and try to denial-of-service the server. Upload a really big file and see if the server tries to hold it all in memory. There are so many options! It depends on what kinds of files the server expects, how it enforces that (content type? file extension? magic number?), what sanitization it applies, what the server does with the files, whether the user can request them back again, and what happens when the user requests them. Just like literally every other kind of input.

CBHacking
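The answer's first paragraph states the actual condition for the question's trick to work: the server has to emit the user-supplied file name into a page without escaping it. The following Python is an added illustration written for this page, not code from the question, the answer, or any real upload handler. It puts a listing renderer that reflects the stored name verbatim next to one that HTML-encodes it, and adds the two server-side checks the answer mentions (an allow-listed extension on a sanitized name, and a magic-number check on the bytes). The file names and byte strings are constructed samples; the function names are this example's own.

```python
import html
import os
import re

# Constructed sample upload names: a benign one and the name from the question.
SAMPLE_NAMES = [
    "abc.jpeg",
    "<img src=x onerror=alert(1)>.jpeg",
]

# Constructed file heads: a JPEG starts with the SOI marker FF D8 FF; the
# second sample is HTML that merely carries a .jpeg name.
SAMPLE_JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 12
SAMPLE_HTML_HEAD = b"<html><script>alert(1)</script>"


def render_listing_vulnerable(names):
    """Reflects each stored file name into the page verbatim.

    This is the bug the answer describes: a name containing markup becomes
    markup in the document, so the renamed image really does execute.
    """
    items = "".join(f"<li>{name}</li>" for name in names)
    return f"<ul>{items}</ul>"


def render_listing_hardened(names):
    """Output-encodes every file name for the HTML text context before it is
    interpolated, so the same name is displayed as text, not parsed as a tag."""
    items = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in names)
    return f"<ul>{items}</ul>"


_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}


def sanitize_filename(name):
    """Defence in depth for the stored name (hypothetical policy for this example):
    drop any directory part, replace every character outside a small safe set,
    and refuse names that do not end in an allow-listed image extension.

    Raises ValueError for a rejected name so callers cannot forget to check."""
    base = os.path.basename(name.replace("\\", "/"))
    base = _UNSAFE_CHARS.sub("_", base).strip("._")
    ext = os.path.splitext(base)[1].lower()
    if not base or ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected file name: {name!r}")
    return base


def looks_like_jpeg(data):
    """Magic-number check: the extension says nothing about the content, so
    inspect the first bytes for the JPEG SOI marker."""
    return data[:3] == b"\xff\xd8\xff"


def accept_upload(name, data):
    """Combine the checks an upload handler would run before storing the file.
    Returns the name to store, or raises ValueError."""
    stored_name = sanitize_filename(name)
    if not looks_like_jpeg(data):
        raise ValueError("content is not a JPEG regardless of its extension")
    return stored_name


if __name__ == "__main__":
    print("vulnerable:", render_listing_vulnerable(SAMPLE_NAMES))
    print("hardened:  ", render_listing_hardened(SAMPLE_NAMES))
    for n in SAMPLE_NAMES:
        print(n, "->", sanitize_filename(n))
    try:
        accept_upload("abc.jpeg", SAMPLE_HTML_HEAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it and compare the two listings: the vulnerable one contains the literal <img ...> tag from the second name, while the hardened one contains &lt;img ...&gt;. Note that the sanitized name is a second, independent control; the encoding at output time is what actually prevents the XSS, and it has to match the context the name lands in (here HTML text, so html.escape is the right tool; a URL or JavaScript context would need its own encoder).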