XSS [ Failed ]
- The application allowed uploading files via drag/drop and the file explorer. When it appended the filename to the DOM it did not sanitise it, so a filename such as
<svg onload=alert(xss)>.html triggered XSS. This is a self-XSS: the user has to upload a file with such a name to trigger it, which is no fun. So I explored other ways to make a user upload a file whose name carries an XSS payload (at minimum for a client-side DoS). Since the page was listening for drag/drop events, I went with drag/drop abuse: serve an image whose download filename is the payload and get the victim to drag it into the upload zone.
from flask import Flask, send_file
import urllib.parse

app = Flask(__name__)

# Serve a real image (file.png must exist next to this script) as an
# attachment whose download filename carries the payload. When the victim
# drags the image out of the page, the browser uses this name for the file.
@app.route("/payload")
def payload():
    return send_file(
        "file.png",
        # download_name replaced attachment_filename in Flask 2.0; the old
        # keyword was later removed.
        download_name=urllib.parse.quote_plus("<h1>hello</h1>.png"),
        as_attachment=True,
    )

# The page the victim visits: the image they are meant to drag into the upload zone.
@app.route("/")
def index():
    return '<img src="/payload">'

if __name__ == "__main__":
    app.run()
- The attempt above failed: the browser converted the special characters in the filename before saving it or when the file was dragged, so the name that reached the application was no longer the payload.

Also, drag/drop did not work when dragging an element from the parent page into a target iframe (same-origin policy?). It works fine when the element is dragged across tabs.
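The sink itself, as an added example that is not code from the notes or from the target application: the upload UI's source was not shown, so the vulnerable function below is a hypothetical reconstruction of the pattern described (the filename concatenated into HTML unescaped), next to the escaped version and the payload name from the note.

```javascript
// Added example, not code from the original notes or the target application.
// The upload UI's source was not shown, so renderFilenameVulnerable() is a
// hypothetical reconstruction of the pattern the note describes: the uploaded
// filename is concatenated into HTML (think `list.innerHTML += ...`) unescaped.

// Vulnerable: the raw filename becomes markup. A name such as
// <svg onload=alert(xss)>.html is parsed as an element with an event handler.
function renderFilenameVulnerable(filename) {
  return `<li class="upload">${filename}</li>`;
}

// Minimal HTML escaping for text placed in element content or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: escape before concatenating, so the name is displayed, not parsed.
// In a real page the simpler fix is to never build HTML from the name at all:
//   const li = document.createElement("li"); li.textContent = file.name; list.append(li);
function renderFilenameSafe(filename) {
  return `<li class="upload">${escapeHtml(filename)}</li>`;
}

// Rough detector used only by this demo: does the markup contain a tag carrying
// an on* attribute? It is a test oracle for the demo, not a sanitiser.
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed inputs: the payload name from the note plus a benign name.
const PAYLOAD_NAME = "<svg onload=alert(xss)>.html";
const BENIGN_NAME = "report.pdf";

for (const name of [BENIGN_NAME, PAYLOAD_NAME]) {
  console.log("vulnerable:", renderFilenameVulnerable(name));
  console.log("safe:      ", renderFilenameSafe(name));
}
```

The escaped output still shows the full filename to the user; only its interpretation as markup is gone, which is the whole fix for this class of bug regardless of how the name arrives (file explorer, drag/drop, or a Content-Disposition header).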
CORS Bypass
- While reviewing the source code of velog.io I found a CORS bypass. In the regex below the dot is not escaped, so it matches any single character rather than a literal '.', and an origin that differs from the intended one at that position also passes the check:
https://github.com/velopert/velog-server/blob/93c93952f5142fb5b493aa075f0c35637677815b/src/lib/middlewares/cors.ts#L21
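The defect in general form, as an added example that is not velog's code: the cors.ts linked above is not reproduced here, so WEAK_ORIGIN_RE is a hypothetical allowlist pattern with the same flaw (an unescaped "." in the allowed origin), shown next to an escaped pattern and an exact-match allowlist. Only the host name velog.io comes from the note; the sample origins and the single allowlist entry are constructed for the demo.

```javascript
// Added example, not velog's code: the cors.ts linked above is not reproduced
// here, so WEAK_ORIGIN_RE is a hypothetical allowlist pattern with the defect the
// note describes, an unescaped "." in the allowed origin.

// Weak: "." is a regex metacharacter, so "velog.io" here also matches
// "velogxio", "velog-io", etc. Whether an attacker can obtain an origin that
// lands on such a name depends on the rest of the pattern, but the check no
// longer expresses what its author intended.
const WEAK_ORIGIN_RE = /^https:\/\/(?:[a-z0-9-]+\.)*velog.io$/;

// Fix 1: build the pattern from a literal host with every metacharacter escaped,
// keep the ^ and $ anchors, and pin the scheme.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function originPattern(apexHost) {
  return new RegExp(`^https://(?:[a-z0-9-]+\\.)*${escapeRegex(apexHost)}$`);
}
const STRICT_ORIGIN_RE = originPattern("velog.io");

// Fix 2 (preferable when the set of origins is small): exact string matching,
// no regex at all. The single entry is an assumption for the demo.
const ALLOWED_ORIGINS = new Set(["https://velog.io"]);

// What a CORS middleware would emit for a request's Origin header given a
// matcher (a RegExp or a Set). Returns null when the origin is not allowed.
function corsHeadersFor(origin, matcher) {
  if (typeof origin !== "string") return null;
  const ok = matcher instanceof Set ? matcher.has(origin) : matcher.test(origin);
  if (!ok) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed origins to probe the matchers with; the last two are the ones
// the unescaped dot lets through.
const SAMPLE_ORIGINS = [
  "https://velog.io",
  "https://api.velog.io",
  "http://velog.io",                    // wrong scheme, rejected by all three
  "https://velog.io.attacker.example",  // suffix attack, the $ anchor rejects it
  "https://velogxio",                   // the unescaped "." matched "x"
  "https://velog-io",                   // the unescaped "." matched "-"
];

function acceptedBy(matcher) {
  return SAMPLE_ORIGINS.filter((o) => corsHeadersFor(o, matcher) !== null);
}

console.log("weak  :", acceptedBy(WEAK_ORIGIN_RE));
console.log("strict:", acceptedBy(STRICT_ORIGIN_RE));
console.log("exact :", acceptedBy(ALLOWED_ORIGINS));
```

When credentials are reflected (Access-Control-Allow-Credentials: true together with an echoed Origin), a matcher that accepts one attacker-controlled origin is enough to read authenticated responses cross-site, so escaping the dot is not cosmetic.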
- If the site sets SameSite=Lax:
cookies are still sent on cross-site top-level GET navigations (a link or a GET form), so GET-based CSRF still works; they are not sent with cross-site POST forms, iframes, or fetch/XHR requests. With SameSite=Strict no cookie is sent on any cross-site request, not even a top-level GET. - Note for self: confirm later whether Firefox treats cookies without a SameSite attribute as None (Chrome has defaulted them to Lax since Chrome 80).
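A small model of those rules, as an added example that is not part of the notes: cookieIsSent() decides whether a browser attaches a cookie to a cross-site request given its SameSite value, and the constructed CSRF_VECTORS list runs the usual attack shapes through it. The defaultForMissing parameter is the assumption for cookies with no attribute (Chromium treats them as Lax, Firefox as None); the model omits Chromium's short "Lax+POST" allowance for freshly set attribute-less cookies.

```javascript
// Added example, not from the notes: a simplified model of when a browser
// attaches a cookie to a cross-site request depending on its SameSite value.
// defaultForMissing is the assumed treatment of a cookie with no attribute
// ("Lax" for Chromium, "None" for Firefox).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie:  { sameSite: "Lax" | "Strict" | "None" | undefined, secure: boolean }
// request: { crossSite: boolean, topLevel: boolean, method: string }
//   topLevel: a navigation that replaces the top-level document (link, form
//   submission, window.location); iframes and fetch/XHR are not top-level.
function cookieIsSent(cookie, request, defaultForMissing = "Lax") {
  if (!request.crossSite) return true;
  const explicit = cookie.sameSite !== undefined;
  const mode = explicit ? cookie.sameSite : defaultForMissing;
  switch (mode) {
    case "Strict":
      return false; // never on cross-site requests, not even a top-level GET
    case "Lax":
      return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
    case "None":
      // An explicit SameSite=None cookie is rejected at set time unless Secure,
      // so it never exists to be sent. A legacy cookie with no attribute in a
      // browser that defaults to None is sent regardless.
      return explicit ? cookie.secure === true : true;
    default:
      throw new Error(`unknown SameSite mode: ${mode}`);
  }
}

// Constructed cross-site CSRF vectors, as an attacker page would issue them.
const CSRF_VECTORS = [
  { name: "top-level GET (link or GET form)", topLevel: true, method: "GET" },
  { name: "top-level POST form", topLevel: true, method: "POST" },
  { name: "iframe load", topLevel: false, method: "GET" },
  { name: "fetch/XHR with credentials", topLevel: false, method: "POST" },
];

// Which vectors still carry the cookie for a given cookie configuration.
function vectorsCarryingCookie(cookie, defaultForMissing = "Lax") {
  return CSRF_VECTORS
    .filter((v) => cookieIsSent(cookie, { crossSite: true, topLevel: v.topLevel, method: v.method }, defaultForMissing))
    .map((v) => v.name);
}

for (const cookie of [
  { sameSite: "Lax", secure: true },
  { sameSite: "Strict", secure: true },
  { sameSite: "None", secure: true },
  { sameSite: undefined, secure: false },
]) {
  console.log(cookie.sameSite ?? "(missing)", "->", vectorsCarryingCookie(cookie));
}
```

The practical reading for a CSRF test: under Lax only the top-level GET row survives, so look for state-changing GET endpoints; under Strict nothing survives; under None (or a missing attribute in a browser that defaults to None) every classic vector, including the plain POST form, still carries the session.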