A file upload is a great opportunity to XSS an application. User-restricted areas with an uploaded profile picture are everywhere, providing more chances to find a developer's mistake. If it happens to be a self XSS, just take a look at the previous post.
Basically, we have the following entry points for an attack.
The filename itself may be reflected in the page, so it's just a matter of naming the file with an XSS payload.
Although not intended, it’s possible to practice this XSS live at W3Schools.
Using exiftool it's possible to alter EXIF metadata, which may lead to a reflection somewhere:
$ exiftool -FIELD=XSS FILE
$ exiftool -Artist=' "><img src=1 onerror=alert(document.domain)>' brute.jpeg
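The defensive counterpart to the exiftool trick above is to drop metadata segments from a JPEG before anything in them can be stored or reflected. The following is an added example, not code from the original post; it uses only the Python standard library, walks the JPEG marker structure up to the Start-Of-Scan segment, and removes every APP1-APP15 and COM segment (EXIF, XMP, comments) while leaving APP0/JFIF and the image data untouched. The sample bytes are constructed for the example and are not a decodable image.

```python
"""Strip EXIF/XMP/comment segments from a JPEG before it is stored.

Added example (not from the original post); standard library only.
JPEG layout: SOI, then a chain of segments [FF marker][16-bit length][payload],
then SOS followed by entropy-coded scan data, then EOI. Metadata lives in the
APPn (FFE1..FFEF) and COM (FFFE) segments before SOS, so the header chain is
rewritten and everything from SOS onward is copied verbatim.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and the RSTn restart markers.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def _segments(data: bytes):
    """Yield (start, end, marker) for each header segment up to and including SOS.

    For SOS the end is len(data): scan data and the trailing EOI are not parsed.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte in front of a marker, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            yield pos, pos + 2, marker
            pos += 2
            if marker == EOI:
                return
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + seg_len
        if seg_len < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == SOS:
            yield pos, len(data), marker  # rest of file: scan data + EOI
            return
        yield pos, end, marker
        pos = end


def list_markers(data: bytes) -> list:
    """Markers present in the header chain, in order (handy for before/after checks)."""
    return [marker for _, _, marker in _segments(data)]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with APP1..APP15 and COM segments removed.

    APP0 (JFIF) is kept so the file still identifies as a JPEG.
    """
    out = bytearray(data[:2])  # SOI
    for start, end, marker in _segments(data):
        if 0xE1 <= marker <= 0xEF or marker == 0xFE:
            continue  # drop EXIF, XMP, ICC, comments, ...
        out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed segment (used only to construct the sample)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: correct marker structure, but not a decodable picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0
    + _segment(0xE1, b"Exif\x00\x00CONSTRUCTED-ARTIST-TAG")            # APP1 (EXIF)
    + _segment(0xFE, b"constructed comment")                           # COM
    + _segment(0xDB, bytes(65))                                        # DQT placeholder
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                      # SOS header stub
    + b"\x12\x34\x56"                                                  # scan data stub
    + b"\xff\xd9"                                                      # EOI
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in list_markers(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in list_markers(cleaned)])
```

Run this on the upload before it is written to disk; anything that later reads tags from the stored file (a gallery page, a download name, a log line) then has nothing attacker-controlled to reflect. Re-encoding the image with an image library achieves the same result and also handles formats other than JPEG, but the segment walk above shows exactly which bytes are being discarded.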
If the application allows the upload of a file with the SVG extension (which is also an image type), a file with the following content can be used to trigger an XSS:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
A PoC (Proof of Concept) is available live at brutelogic.com.br/poc.svg.
To create such an image, just use this as content and name it with a .gif extension:
As we can also see below, the UNIX-like file command, along with the PHP functions exif_imagetype() and getimagesize(), recognizes it as a GIF file. So if an application is using only these to validate the image, the file will be uploaded (but may be sanitized later).
There are more elaborate examples of XSS using image files, usually bypassing filters like the GD library ones. A good example of that is here.