I’m working in a lab and I found an upload endpoint which I believe is not properly sanitizing the uploaded content, so I have the suggestion of testing with XSS injected in the file that will be uploaded. I have tried many ways I’m familiar with, none of them work, so I’m stuck. I need help.
I also think the reason my trials were not successful is because the img is opened via the website and not on the system itself.
I have tried injecting XSS into png, jpg and other files, none of it working.
Site running on PHP and has JS libraries. Uploaded files are stored on the system, not in a bucket.
I have been able to bypass and get the malicious file to the backend, but there’s another issue. In my malicious content, I added document.cookie and sent it to my listening server; the victim server pinged back but the cookie is not attached. I did more digging and found out that the cookie is tagged HttpOnly, which means it can only be accessed on the same site or IP, so my question is, what other way can I use to exploit this and get the cookie to pop back?
I’m testing on the server I have authority to test.
I’m running the payload script in JS, which won’t allow me to run os_command, and the guideline I found relies on leveraging the XSS exploit to retrieve the admin cookie. Your idea will be appreciated, boss.