How I Find Stored XSS (Using the .svg File Extension)

Ch4ndan das
2 min read · Sep 12, 2024

Hello Everyone,

I'm very happy about the good response to all my articles; you can read them.

This is my fourth article. In this article I will talk about how to find a stored XSS vulnerability using the .svg file extension. Let me introduce myself: I'm Ch4ndan das, and I'm a web penetration tester from India. My English is not good, so please don't mind it.

Let's start!

I picked a HackerOne target, let's call it target.com, and started hunting only file upload functionality. If you also want to find this bug, you need to find all the upload functions. You can use these Google dorks to find upload functions:

1. site:*.target.com intitle:"upload file" OR intitle:"file upload" OR intitle:"choose file"

2. site:*.target.com "choose file"

I think manual testing is the best way to find upload functionality. Don't forget to check the contact-us form and the profile picture upload; you can also check the chat bot function.

Once you have found all the upload functions, simply search for SVG XSS payloads and save one with the .svg extension. You can use this code to check whether the upload is vulnerable via .svg:

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by ch4ndan");
</script>
</svg>

Save this payload as xss.svg, then upload it. If it is uploaded successfully, there is a 90% chance of XSS. (If you don't know about the .svg extension, you can search Google or ChatGPT.)
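As an added example (not code from the original post), here is the server-side check an upload handler would run to reject exactly this kind of file: it parses the SVG with Python's ElementTree and flags script elements, event-handler attributes and javascript: URLs. The function name svg_findings and the sample inputs are my own; the first sample is the payload shown above.

```python
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG run script or embed arbitrary HTML/external content.
BLOCKED_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that may carry a URL, and the URL schemes that execute script.
URL_ATTRS = {"href", "src", "to", "from", "values"}
SCRIPT_URL = re.compile(r"^\s*(javascript:|data:text/html)", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = clean).
    Stdlib parser for portability; a production handler should parse with
    defusedxml so entity-expansion attacks are rejected as well."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in BLOCKED_TAGS:
            findings.append(f"blocked element <{name}>")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {aname} on <{name}>")
            elif aname in URL_ATTRS and SCRIPT_URL.match(value):
                findings.append(f"script URL in {aname} on <{name}>")
    return findings


# Constructed samples: the payload from the post above, and a harmless icon.
PAYLOAD_FROM_POST = b"""<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert("XSS by ch4ndan");</script>
</svg>"""
CLEAN_ICON = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for label, blob in (("payload", PAYLOAD_FROM_POST), ("icon", CLEAN_ICON)):
        print(label, "->", svg_findings(blob) or "accepted")
```

Even with such a check, serving user uploads from a separate origin or with Content-Disposition: attachment keeps any missed case from running in the site's own origin.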

In my case I found the upload function in a chat bot, then sent the SVG file and it executed successfully. Then I quickly made a PoC and reported it on HackerOne; you can view it in the image.

But again, duplicate 😌

Then I chose another target and found an upload function in the contact-us form. I simply uploaded the SVG file and it was uploaded successfully, then I made a PoC and reported it; you can see it in the image.

Thank you everyone for Reading 🧡

Join my Telegram channel for the latest updates: https://t.me/ch4ndan_das

You can view my LinkedIn profile.

Happy Hunting :)))
