SVG based Stored XSS

Goal before approaching the program

To find a one-click exploit (XSS or SSRF)

Approach

Found a target that has many features, including Discussion, Discovery, Mixtapes, Shorts, Activity and what not. I went ahead and looked at the user dashboard.

Bypassing Filter

The only valid files that could be uploaded were JPEG or PNG images.

  • They were making an API POST request that sent only the image header. If the header was valid, a second POST request uploaded the actual file. There was no validation on this second POST request.
  • So we can send a valid PNG in the first request and, in the second request, replace the PNG contents with the SVG payload.
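The root cause is that the check in the first request says nothing about the bytes sent in the second. The following is an added example (not code from the original post or the target) that models both flows and shows the server-side fix: sniff the actual content and require it to match the declared type. Function names and the sample inputs are hypothetical.

```python
# Added example: validating the declared header (step 1) is not the same as
# validating the stored bytes (step 2). Names and samples are constructed.
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED_TYPES = {"image/png", "image/jpeg"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Classify content by its leading bytes, ignoring any declared type."""
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    head = data.lstrip()[:256].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<svg"):
        return "image/svg+xml"  # scriptable markup, never an allowed image
    return None


def weak_upload(declared_type: str, data: bytes) -> bool:
    """Models the flawed flow: only the declared header from step 1 is
    checked; the bytes from step 2 are stored without inspection."""
    if declared_type not in ALLOWED_TYPES:
        return False
    return True  # 'data' is never looked at


def hardened_upload(declared_type: str, data: bytes) -> bool:
    """Both steps are checked, and the sniffed type of the actual bytes
    must equal the declared type before anything is stored."""
    if declared_type not in ALLOWED_TYPES:
        return False
    actual = sniff_image_type(data)
    return actual is not None and actual == declared_type


# Constructed sample inputs: a minimal PNG prefix and a harmless SVG.
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1"/></svg>'

if __name__ == "__main__":
    print("weak accepts SVG declared as PNG:", weak_upload("image/png", SAMPLE_SVG))
    print("hardened accepts SVG declared as PNG:", hardened_upload("image/png", SAMPLE_SVG))
    print("hardened accepts real PNG:", hardened_upload("image/png", SAMPLE_PNG))
```

Serving user uploads from a separate origin with a fixed image Content-Type and `X-Content-Type-Options: nosniff` limits the impact even when a content check is bypassed.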
