Cross-Site Scripting (XSS) through File Upload

  • Writer: Pankhuree Srivastava
  • Apr 16, 2017
  • 2 min read

During the course of my testing I have come across many cases of XSS that occur because of file upload functionality.

I have seen this vulnerability in some highly secure applications. In one of the applications, the application logged me out whenever I tried any XSS payload, yet XSS through the file upload functionality was simple to execute. In another application, output encoding was implemented throughout the application except for the upload page.

Through file upload I have been able to get not only reflected XSS but also stored XSS.

How was this possible?

Reflected XSS:

Case 1: The application returned the file name of the uploaded file in the response to indicate that the file was successfully uploaded. I inserted a JavaScript payload for an alert box as part of the filename in the request. The payload was reflected back unencoded and a pop-up appeared in the browser.

Case 2: The application returned an error message if the content of the file was not valid. The application was actually returning the content of the file in the response as part of the error message. I intercepted a file upload request and replaced the content of the file with the payload. The JavaScript executed, confirming XSS.

Stored XSS:

Case 1: The application allowed upload of files in a document sharing forum. The application was meant for collaborating on and sharing documents while working on projects with a team. These documents could then be opened in the browser. I was able to upload an HTML file containing JavaScript. Since this file was stored and the JavaScript executed every time the file was opened, it confirmed Stored Cross-Site Scripting.

Case 2: This happened through uploading an image file. The application had functionality to upload a profile picture for the user. I opened the image file in Notepad and saved some JavaScript in it. I then uploaded the file, which was accepted by the application because it was validating only the file extension, not the file content. I then clicked the image in the browser and the JavaScript executed!

Case 3: In this case I intercepted the request in Burp and modified the filename to contain JavaScript. There was a page that displayed a list of all uploaded files. This was where the JavaScript executed, as the filename had been accepted as valid and was rendered on that page without encoding.
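The following is a hardened upload handler that closes the four patterns above (echoed filename, echoed file body, inline-served HTML, extension-only image check). It is an added illustration written for this post, not code from any application described in it; the magic-byte table, function names and header set are my assumptions.

```python
import html
import re
import uuid
from typing import Dict, Tuple

# Assumed allow-list for a profile-picture upload: declared extension -> leading bytes.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def validate_image_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks the bytes, not just the extension, so an
    image whose body was replaced with script (Stored XSS case 2) is rejected."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"

def safe_display_name(filename: str) -> str:
    """HTML-encode the user-supplied name before it is echoed in a success message
    or a file listing (Reflected case 1, Stored case 3)."""
    return html.escape(filename, quote=True)

def storage_name(filename: str) -> str:
    """Server-chosen name on disk: keep only a sanitised extension, drop the rest."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else "bin"
    ext = re.sub(r"[^a-z0-9]", "", ext)[:5] or "bin"
    return f"{uuid.uuid4().hex}.{ext}"

def download_headers(stored_name: str, mime: str) -> Dict[str, str]:
    """Headers for serving user files: force download and forbid sniffing so an
    uploaded .html file or script-laden image cannot run in the app's origin (Stored case 1)."""
    return {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

def error_message(_rejected_content: bytes) -> str:
    """Generic error text: never echo the rejected file body (Reflected case 2)."""
    return "Upload rejected: the file is not a valid image."
```

Serving uploads from a separate origin (a dedicated static host) adds a further layer: even if a file does render, its script runs outside the application's session.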

© 2023 by Nicola Rider. Proudly created with Wix.com