Quantify Cyber Risk Now

header ads

XSS via File Upload | Lucideus Research

Introduction to “document.domain”
The document.domain pulls a default from the actual URL if not explicitly set. Browsers will record if document.domain has come as a default from the URL or if it was explicitly set. Both must be a default for the same domain or both must be explicitly set to the same domain for this to work. If one is the default and one are explicitly set, both matching if read, the two pages will still be forbidden from talking with each other. [1]

Lab Environment
OS: Kali 17.3
Web Server: Hosted on XAMPP in Win 7 Machine.
Tools : Exiftool[2]

Proof of Concept
First, the attacker accesses the Web Application having file uploading functionality. The page with the uploading functionality can be used from here.

Uploading a file named with XSS query because XSS file name would be reflected in the Web Page and executed as a payload.
                        XSS Query : ><img src=x onerror=alert(document.domain)>

It will further execute by prompting a popup having Web Server’s IP. In the real-life scenario, the web page will be getting data and replies from the Web Server, as the document.domain function will execute and tell the details of the Web Server a web application is servicing with.

Another way of doing XSS by file upload is changing the “Metadata” of the file. Metadata is the information of a file which makes its working and finding easier. These data are basic like file size, file author, date created, date modified etc. So, by putting and executing an XSS payload into a metadata of the file, it will further lead in executing the code and give us our desired data without letting anyone know.

For changing the metadata and adding payload script into the file of the metadata, we will be using Exiftool in our attacking machine. Firstly checking the Metadata of the image “lucideus.jpeg”.

 After getting knowing the Metadata, changing the name of the Artist as an XSS Payload so that it can further execute. 

After manipulating and adding the payload, re-checking the file, that does the metadata of the file has been changed and manipulated.

After adding payload in the metadata, uploading the file in the web application. NOTE: if it doesn’t get any response, try adding more queries in other properties of metadata through ExifTool as in “Creator” field etc. 

As we upload the image, it will work as same like the above result and displays us the details of the Web Server through (document.domain).

Thirdly, if a attacker uploads a GIF image, that GIF can embed javascript payload into it as in a Metadata only. When the attacker calls and executes that GIF, the javascript will be executed and bring out the results. First, the GIF will be uploaded to the Web Application.

And the GIF is stored in the directory uploads /.


XSS not only occurs when an attacker inputs any Javascript Payload in the Input parameters of the Web Application, it can also be possible in the ways which we just discussed above. To get secured from these attacks a developer can use HTML encoding and then deploy JavaScript encoding to all untrusted input parameters.For more developers must refer OWASP Cheat List on XSS Evasion.

Post a comment