Stored XSS via File upload vulnerability...!

Hello Everyone...!

XSS Alert! ⚠️ SVG File Upload Vulnerability...!

We can execute the JavaScript using SVG file...!

SVG file code :

"""

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500">
<script>//<![CDATA[
alert(document.domain)
//]]>
</script>
</svg>

""" 

Scenario:

Let's use mnop.com (hypothetical website) as an example. This website allows users to share photos with descriptions. You discovered that mnop.com wasn't properly checking the source code of uploaded files. This meant someone could have uploaded a malicious SVG image containing JavaScript code that would display an alert box when someone viewed the picture. This is called a Cross-Site Scripting (XSS) vulnerability...!

BOOOOMMM...!

When I go to that photo then the XSS popup occur.

My Actions:

• I responsibly reported the issue to mnop.com's team, but it turned out to be a duplicate report. Good on them for being proactive in security...!

At that phase I don't know about PHP shell,  So I didn't try that.

If you get any chance to upload file then give it try to upload SVG file or PHP shell file...!

Important Note:

• Uploading malicious files of any kind, including PHP shells, is not only unethical but can also have serious legal consequences. Let's work together to keep the internet safe for everyone...!

Stay safe and have fun online...!

Thanks for reading till the end...Comment box is yours fill free to ask any doubt regarding this...!