XSS via file upload

I found an XSS via file upload here: I uploaded an SVG file, which was stored in Google Cloud Storage and then reflected with the XSS.

1) Log in at app.xyz.com
2) Go to Online Store >> Settings >> Email Notification >> Email design
3) Click Edit
4) Upload a file containing the SVG payload
5) Save the file and open the image in a new tab

But it was marked as a duplicate.

The next day I observed that the bug had been patched and the XSS no longer worked.

But afterwards I noticed that the image URL had changed:

https://images.xyz.com/s/cdn/v1.0/i/m?url=https%3A%2F%2Fstorage.googleapis.com%2Fproduction-xyz-v1-3%2F823%2F1134823%2FUc1iyTw%2Fe843c14e4a5f46c6898aeb3133ea1a30&methods=convert%2Cpng

After URL decoding:

https://images.xyz.com/s/cdn/v1.0/i/m?url=https://storage.googleapis.com/production-xyz-v1-3/823/1134823/Uc1iyTw/e843c14e4a5f42c6898aeb3133ea1a30&methods=convert,png

What if I remove the convert part from the URL?

Oh, we get the pop-up again.

After reporting it, it got triaged.
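The bypass above comes down to one design flaw: the image proxy let the client decide, through the methods query parameter, whether a stored SVG was rasterized or echoed back as-is on the proxy's origin. The following is an added example, not code from the write-up or from the vendor, that models that decision logic in Python: a weak handler that honours the client's methods list beside a hardened one in which the server alone decides how an SVG leaves the proxy, plus a small review check for whether a response could execute script. Hostnames under example.test, the stored SVG bytes, and the rasterize() stand-in for a real converter are all constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs (not the write-up's real URLs or file). Same layout as the
# page's proxy URL: an upstream object URL plus an optional "methods" list.
REQ_WITH_CONVERT = ("https://images.example.test/s/cdn/v1.0/i/m"
                    "?url=https%3A%2F%2Fstorage.example.test%2Fbucket%2Fupload"
                    "&methods=convert%2Cpng")
REQ_NO_CONVERT = ("https://images.example.test/s/cdn/v1.0/i/m"
                  "?url=https%3A%2F%2Fstorage.example.test%2Fbucket%2Fupload")
# Constructed stored objects: an SVG carrying a script element, and a plain PNG.
STORED_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
              b"<script>/* active content */</script></svg>")
STORED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def requested_methods(request_url: str) -> list:
    """Parse the client-controlled 'methods' list ("convert,png" -> ["convert", "png"])."""
    qs = parse_qs(urlsplit(request_url).query)
    raw = qs.get("methods", [""])[0]
    return [m for m in raw.split(",") if m]


def looks_like_svg(data: bytes) -> bool:
    """Cheap content check: a browser treats the document as SVG if it finds an <svg> root."""
    return b"<svg" in data[:1024].lower()


def rasterize(data: bytes) -> bytes:
    """Stand-in for the real SVG-to-PNG converter so the example runs offline."""
    return b"\x89PNG\r\n\x1a\n" + b"<rasterized:%d bytes>" % len(data)


def weak_proxy(request_url: str, stored: bytes) -> Response:
    """Behaviour consistent with the write-up: conversion happens only if the client asks."""
    if "convert" in requested_methods(request_url):
        return Response(200, {"Content-Type": "image/png"}, rasterize(stored))
    # No 'convert': the stored bytes go out unchanged. An SVG is then rendered inline
    # as a document on the proxy's origin, so any script inside it runs there.
    ctype = "image/svg+xml" if looks_like_svg(stored) else "image/png"
    return Response(200, {"Content-Type": ctype}, stored)


def hardened_proxy(request_url: str, stored: bytes, allow_raw_svg: bool = False) -> Response:
    """The server, not the query string, decides how an SVG leaves the proxy."""
    safe = {"X-Content-Type-Options": "nosniff"}
    if not looks_like_svg(stored):
        return Response(200, {"Content-Type": "image/png", **safe}, stored)
    if not allow_raw_svg:
        # Default policy: always rasterize, whatever 'methods' says (or omits).
        return Response(200, {"Content-Type": "image/png", **safe}, rasterize(stored))
    # If raw SVG must be served (e.g. for download), make it inert: force a download
    # instead of inline rendering, and send a CSP that forbids script and sandboxes it.
    return Response(200, {"Content-Type": "image/svg+xml",
                          "Content-Disposition": 'attachment; filename="image.svg"',
                          "Content-Security-Policy": "default-src 'none'; sandbox",
                          **safe}, stored)


def can_run_script(resp: Response) -> bool:
    """Review check: could a browser execute script from this response on the proxy origin?"""
    h = {k.lower(): v for k, v in resp.headers.items()}
    if not h.get("content-type", "").startswith("image/svg+xml"):
        return False
    if h.get("content-disposition", "").lower().startswith("attachment"):
        return False
    csp = h.get("content-security-policy", "")
    if "sandbox" in csp or "default-src 'none'" in csp:
        return False
    return True


if __name__ == "__main__":
    for name, fn in (("weak", weak_proxy), ("hardened", hardened_proxy)):
        for req in (REQ_WITH_CONVERT, REQ_NO_CONVERT):
            r = fn(req, STORED_SVG)
            print(name, requested_methods(req), r.headers["Content-Type"], can_run_script(r))
```

The point of can_run_script() is that "it was converted last time" is not a property of the stored object; it is a property of each response, so a fix has to be checked on the response the proxy produces when the client omits or alters every optional parameter, not only on the URL the application happens to emit.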


eJPT | Security Engineer | Pen tester | Bug Hunter | Pro hacker at HTB | CTF Player | Bug-crowd Top 1100 Hackers Globally

Jay Sharma
