XSS Via SVG File Upload
Hello and welcome to my latest Medium writeup! I'm thrilled to share my thoughts and insights with you today on how I found an XSS bug using file upload. Since the application is a private program, I had to follow non-disclosure and modify any Burp PoC, target details, etc. For now, let's call the target redacted.com.
I usually start my hacking with basic reconnaissance: gaining information on the target's functionality, parameters and pages, and reading JS code for sensitive information. The page had a registration function, and after registering you are by default the admin user of your own dashboard. You can add other users to your dashboard and assign them roles, for example read-only user.
After registering for the dashboard with my victim email ID, I quickly looked over the dashboard, which had several tabs along the top, including an admin tab where I could perform all the admin-level tasks: make changes to the application, add/delete users, and so on.
I invited my attacker email user into the application with read-only privileges and activated that account.
Now, as the attacker user, I tried everything in the application. The application was behind Cloudflare, so all my XSS, SQLi and LFI test cases failed because the WAF was blocking them. I looked up and tried various Cloudflare bypass XSS payloads, and none of them worked. Finally, I turned on Burp Suite's intercept, refreshed the read-only user's browser page, and went through each request/response one by one.
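As an added illustration of the technique the title names (my example, not the author's payload and nothing about the redacted target): an SVG is an XML document that browsers render inline, and script can live in it in several places, not only in a `<script>` element. A server-side check that only looks at the file extension or `Content-Type` does not see any of them. The Python below (standard library only; both sample SVGs are constructed here) parses an uploaded SVG and flags the script-capable spots: `<script>` and `<foreignObject>` style elements, `on*` event attributes, and `javascript:` URLs, including the tab-obfuscated form that browsers still execute because they strip tab/newline characters from URLs before scheme matching.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a script-bearing SVG of the kind an upload filter has to catch.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <circle cx="50" cy="50" r="40" onload="alert(document.domain)"/>
  <script type="text/javascript">alert(document.domain)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a>
</svg>"""

# Constructed sample: the javascript: scheme split by a tab (&#9;), which a naive
# startswith("javascript:") check misses but browsers still run.
OBFUSCATED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                  b'<a xlink:href="  java&#9;script:alert(1)"><text>x</text></a></svg>')

# Constructed sample: a plain image with no active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><rect width="10" height="10" fill="red"/></svg>'

# Elements that execute or embed executable content inside an SVG.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes that take a URL; "to"/"from"/"values" cover SMIL animation of href.
URL_ATTRS = {"href", "to", "from", "values"}


def _local(name):
    """Strip an ElementTree namespace prefix of the form {uri}name and lower-case it."""
    return name.rsplit("}", 1)[-1].lower()


def _normalize_url(value):
    """Mimic browser URL pre-processing: drop tab/LF/CR anywhere, trim, lower-case."""
    return value.translate({9: None, 10: None, 13: None}).strip().lower()


def find_active_content(svg_bytes):
    """Return (reason, element) pairs for every script-capable spot in the SVG.

    Raises xml.etree.ElementTree.ParseError if the input is not well-formed XML.
    """
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():  # document order, root included
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append(("active element", tag))
        for attr, value in el.attrib.items():
            name = _local(attr)  # handles xlink:href as well as plain href
            if name.startswith("on"):
                findings.append(("event handler " + name, tag))
            elif name in URL_ATTRS and _normalize_url(value).startswith("javascript:"):
                findings.append(("javascript: URL in " + name, tag))
    return findings


def is_safe_svg(svg_bytes):
    """Upload gate: accept only well-formed SVG with no active content found."""
    try:
        return not find_active_content(svg_bytes)
    except ET.ParseError:
        return False  # malformed XML is rejected rather than guessed at


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SVG),
                          ("obfuscated", OBFUSCATED_SVG),
                          ("benign", BENIGN_SVG)):
        print(label, is_safe_svg(sample), find_active_content(sample))
```

Two caveats from practice. First, a detector like this is defence in depth, not the primary control: the robust fix for an SVG upload that ends up executing in the application's origin is to never serve user uploads inline from that origin, for example by returning them with `Content-Disposition: attachment`, hosting them on a separate sandbox domain, or sending a restrictive `Content-Security-Policy` with the file. Second, `xml.etree` is fed untrusted XML here; in a real upload handler, parse with a hardened parser (the `defusedxml` package wraps the same API) so entity-expansion tricks cannot be used against the parser itself.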