From SSRF to XSS: How Image Parameters Become Your Entry Point for Cross-Site Scripting + Video

Listen to this Post

Featured Image

Introduction:

When testing web applications, security researchers often focus on Server-Side Request Forgery (SSRF) within image upload or URL parameters. However, when SSRF fails, a more dangerous vector often emerges: Cross-Site Scripting (XSS) injected directly into the same image URL fields. By leveraging SVG payloads and polyglot files, attackers can bypass input validation to execute malicious JavaScript in a victim’s browser, turning a failed SSRF attempt into a successful client-side compromise.

Learning Objectives:

  • Understand how to pivot from SSRF testing to XSS exploitation using image parameters.
  • Learn to craft and encode SVG-based XSS payloads to bypass common filters.
  • Identify mitigation strategies including Content-Type validation and Content Security Policy (CSP) implementation.

You Should Know:

1. Decoding the Payloads: From Base64 to Execution

The original post highlights several payloads designed to bypass image parameter filters. The first payload, <svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>, uses Base64 encoding to hide the JavaScript. Decoding `YWxlcnQoJ1hTUycp` reveals alert('XSS'). This technique evades filters that scan for plaintext JavaScript keywords like `alert` or script.

To test this manually, save the payload as an `.svg` file or inject it directly into an image URL parameter. If the application renders the SVG, the `onload` event triggers.

Linux Command to decode Base64:

echo "YWxlcnQoJ1hTUycp" | base64 --decode

Windows PowerShell Equivalent:


2. Crafting Advanced XSS Payloads for Image Parameters

Moving beyond simple alerts, attackers use the `window.name` property for persistent or stealthier exploits. The payload `` allows the attacker to store the malicious script in the `window.name` attribute, which persists across page navigations, making it ideal for chaining exploits.

Another effective technique is the polyglot file: "><svg onload=prompt(document.domain);>.png. Here, the attacker closes an existing HTML attribute with `”>` and injects an SVG tag. The file extension `.png` tricks the server into treating it as an image while the browser interprets it as HTML/SVG.

Step‑by‑step exploitation:

  1. Identify a parameter that accepts a URL or filename (e.g., /avatar?url=image.jpg).
  2. Replace the value with an SVG payload: "><svg onload=alert(1)//.png.
  3. If the server reflects the input inside an `img src` tag without sanitization, the browser executes the script.

3. Bypassing Content-Type and Extension Filters

Many servers validate file uploads by checking the extension (e.g., .jpg, .png) or the `Content-Type` header. However, browsers are lenient. If the server serves an SVG file with a `Content-Type: image/png` header, the browser may still render the SVG and execute JavaScript due to MIME type sniffing.

To test this, an attacker can use the following multi-line payload:


<svg xmlns="http://www.w3.org/2000/svg">
<script>alert('XSS')</script>
</svg>

If the server does not strip script tags but allows SVG uploads, this simple file will trigger XSS upon viewing.

Linux command to create a malicious SVG:

echo '<svg xmlns="http://www.w3.org/2000/svg"><script>alert("XSS")</script></svg>' > exploit.svg

4. Leveraging WAF Evasion with Obfuscation

Web Application Firewalls (WAFs) often block common XSS patterns. Attackers use techniques like breaking tags with `` or mixing case. The payload `` uses HTML comments to break the string `alert` into segments, preventing regex-based detection.

For advanced evasion, combine this with JavaScript events like onload, onerror, or `onmouseover` within SVG or HTML tags.

Example of an event-based polyglot:

<img src="x" onerror="eval(atob('YWxlcnQoJ1hTUycp'))" />

This payload uses an image source error to execute the Base64-encoded script.

5. Mitigation Strategies: Hardening Image Parameter Handling

To defend against these attacks, developers must implement strict validation at multiple layers.

Content-Type Validation: Reject files whose MIME type does not match the declared extension. Use `file` command on Linux to verify:

file --mime-type exploit.svg

Sanitize SVG Files: Remove `