
I encountered this type of vulnerability a couple of times but was not able to fully exploit it.

This vulnerability is a self-XSS which is triggered from file names. E.g. if I were to upload a file named [xss-payload].png, it will be executed as JavaScript and the window will prompt 1. But it only goes as far as that.

[XSS-Payload] = Any XSS payload used as the file name will be executed when uploading the file. E.g. file name: <img src=x onerror=alert(1)>.png

The file name stored on the server is randomly generated, therefore this isn't a stored XSS.

Is there any way I could exploit this? The JavaScript is executed when uploading the file only. I tried chaining with clickjacking, but the website doesn't allow iframes.

And from what I heard, CSRF is not possible since setting a 'pre-filled' file name is not possible when uploading a file.

Any idea where I should go with this? Can I chain this with other vulnerabilities?

schroeder
Emanuel Beni
  • It might be helpful if you add more details and context to your question (by editing the question, not as a comment), i.e. what exactly you've tried as code, what you expected, what you got. At the moment you expect others to already know a lot about the specific problem you are trying to solve. – Steffen Ullrich Sep 07 '20 at 06:08
  • @SteffenUllrich, I noticed that my question got partially trimmed/filtered by the editor since I inputted an XSS payload. But here is the update: any XSS payload written as the name of the file would execute when uploading the file. I believe this is clear enough, since my question is whether there is anything I can do when encountering such a vulnerability (self-XSS triggered when uploading a file, but saved on the server with a different name). – Emanuel Beni Sep 07 '20 at 06:36
  • *"got partially trimmed/filtered by the editor "* - please use proper code formatting and don't simply paste code anywhere in the text. But just given some filename with XSS at an arbitrary upload will not work - the upload function actually has to be vulnerable. – Steffen Ullrich Sep 07 '20 at 06:42
  • @SteffenUllrich, Noted. I don't really get what you mean by 'But just given some filename with XSS at an arbitrary upload will not work', mind clarifying more? My observation is that the file name is being printed out when trying to upload a file (but not sanitized), therefore JavaScript is executed. Is this as far as it can go? Would it be possible to execute RCE through ' – Emanuel Beni Sep 07 '20 at 07:09
  • *"Is there anything that can be achieved from script tag other than XSS?"* - I don't really understand. What else do you want with a script tag apart from executing script (which exactly is the point of XSS). And sure there might be some broken server which executes something local on the server - but like with XSS this would actually require a server vulnerable exactly to this and there is no generic RCE or XSS against some generic upload. – Steffen Ullrich Sep 07 '20 at 07:47
  • @SteffenUllrich, That's why I am asking the question of whether anything can be done in order to exploit another vulnerability through the same attack vector. You don't have to answer my question with that attitude. Thank you though for the answer; I wish you could've just answered it nicely without re-quoting and adding unnecessary comments. Thanks! – Emanuel Beni Sep 07 '20 at 11:05
  • The same attack vector usable for XSS cannot be used for RCE, since XSS is code execution on the client side and RCE is code execution on the server side. Sure, one could implement a deliberately vulnerable server where the same attack vector can be used for both, but it is very unlikely that you'll find something like this in the wild. – Steffen Ullrich Sep 07 '20 at 15:17
  • I voted to reopen because the question in the form it's in now seems clear to me – Arminius Sep 08 '20 at 08:46

1 Answer


The XSS payload is only executed in the context of the uploader, so basically the only way to abuse it is by social-engineering a victim into uploading your file.

Of course, you would want to make the payload more interesting first. This is just checking the regular XSS abuse methods. For instance, check whether any sensitive cookie is missing the HttpOnly flag and could therefore be extracted. Your options will be limited since you are restricted to file names, but it may be possible.

Wouter
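As an added example (not code from the question, the answer, or the site being tested), the Python model below reproduces the behaviour the question describes and the two constraints the answer points at. The upload handler reflects the client-supplied file name into its HTML response unescaped (the vulnerable form) or via html.escape (the fixed form), the stored name is random so nothing persists, and a small HTML parser shows which element the browser would actually create from each response. It also checks the payload against the uploader's own file-system naming rules, since the payload only exists if the victim's OS lets a file be named that way: POSIX file names may contain anything except "/" and NUL up to 255 bytes, while Windows additionally rejects < > : " / \ | ? * and control characters, which rules out the tag-based payload from the question on a Windows uploader. The handler functions, the sample file names and the 255-byte limit constant are assumptions made for this illustration.

```python
import html
import secrets
from html.parser import HTMLParser

# Constructed sample file names for the illustration (not from the original post).
PAYLOAD_NAME = "<img src=x onerror=alert(1)>.png"
BENIGN_NAME = "holiday.png"

# Assumed naming limits: POSIX name component limit and the Win32 reserved set.
POSIX_MAX_NAME_BYTES = 255
WINDOWS_RESERVED = set('<>:"/\\|?*')


def posix_filename_ok(name: str) -> bool:
    """Linux/macOS accept any name without '/' or NUL, up to 255 bytes."""
    return (
        "/" not in name
        and "\x00" not in name
        and 0 < len(name.encode("utf-8")) <= POSIX_MAX_NAME_BYTES
    )


def windows_filename_ok(name: str) -> bool:
    """Windows also rejects the reserved characters and control characters."""
    return posix_filename_ok(name) and not any(
        c in WINDOWS_RESERVED or ord(c) < 32 for c in name
    )


class _StartTagCollector(HTMLParser):
    """Records every start tag the browser's parser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def injected_elements(rendered_html: str) -> list[tuple[str, dict]]:
    """Elements in the response other than the template's own <p> wrapper."""
    collector = _StartTagCollector()
    collector.feed(rendered_html)
    return [(tag, attrs) for tag, attrs in collector.elements if tag != "p"]


def store_upload(original_name: str) -> str:
    """Model of the server in the question: random stored name, extension kept."""
    ext = original_name.rsplit(".", 1)[-1] if "." in original_name else ""
    token = secrets.token_hex(8)
    return f"{token}.{ext}" if ext else token


def render_vulnerable(original_name: str) -> str:
    """Hypothetical vulnerable handler: reflects the client name unescaped."""
    stored = store_upload(original_name)
    return f"<p>Saved {original_name} as {stored}</p>"


def render_fixed(original_name: str) -> str:
    """Hardened handler: HTML-escape every client-controlled value."""
    stored = store_upload(original_name)
    return (
        f"<p>Saved {html.escape(original_name, quote=True)} "
        f"as {html.escape(stored, quote=True)}</p>"
    )


if __name__ == "__main__":
    for name in (PAYLOAD_NAME, BENIGN_NAME):
        print("name:", repr(name))
        print("  POSIX ok:", posix_filename_ok(name), "Windows ok:", windows_filename_ok(name))
        print("  vulnerable injects:", injected_elements(render_vulnerable(name)))
        print("  fixed injects:     ", injected_elements(render_fixed(name)))
```

The vulnerable renderer yields an img element carrying an onerror attribute for the payload name and nothing for the benign name; the escaped renderer yields nothing for either, and the stored name never contains the payload, which is why the response page is the only place the script runs.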