Listen to this Post

Introduction:
When testing web applications, security researchers often focus on Server-Side Request Forgery (SSRF) within image upload or URL parameters. However, when SSRF fails, a more dangerous vector often emerges: Cross-Site Scripting (XSS) injected directly into the same image URL fields. By leveraging SVG payloads and polyglot files, attackers can bypass input validation to execute malicious JavaScript in a victim’s browser, turning a failed SSRF attempt into a successful client-side compromise.
Learning Objectives:
- Understand how to pivot from SSRF testing to XSS exploitation using image parameters.
- Learn to craft and encode SVG-based XSS payloads to bypass common filters.
- Identify mitigation strategies including Content-Type validation and Content Security Policy (CSP) implementation.
You Should Know:
1. Decoding the Payloads: From Base64 to Execution
The original post highlights several payloads designed to bypass image parameter filters. The first payload, <svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>, uses Base64 encoding to hide the JavaScript. Decoding `YWxlcnQoJ1hTUycp` reveals alert('XSS'). This technique evades filters that scan for plaintext JavaScript keywords like `alert` or script.
To test this manually, save the payload as an `.svg` file or inject it directly into an image URL parameter. If the application renders the SVG, the `onload` event triggers.
Linux Command to decode Base64:
echo "YWxlcnQoJ1hTUycp" | base64 --decode
Windows PowerShell Equivalent:
2. Crafting Advanced XSS Payloads for Image Parameters
Moving beyond simple alerts, attackers use the `window.name` property for persistent or stealthier exploits. The payload `
Another effective technique is the polyglot file: "><svg onload=prompt(document.domain);>.png. Here, the attacker closes an existing HTML attribute with `”>` and injects an SVG tag. The file extension `.png` tricks the server into treating it as an image while the browser interprets it as HTML/SVG.
Step‑by‑step exploitation:
- Identify a parameter that accepts a URL or filename (e.g.,
/avatar?url=image.jpg). - Replace the value with an SVG payload:
"><svg onload=alert(1)//.png. - If the server reflects the input inside an `img src` tag without sanitization, the browser executes the script.
3. Bypassing Content-Type and Extension Filters
Many servers validate file uploads by checking the extension (e.g., .jpg, .png) or the `Content-Type` header. However, browsers are lenient. If the server serves an SVG file with a `Content-Type: image/png` header, the browser may still render the SVG and execute JavaScript due to MIME type sniffing.
To test this, an attacker can use the following multi-line payload:
<svg xmlns="http://www.w3.org/2000/svg">
<script>alert('XSS')</script>
</svg>
If the server does not strip script tags but allows SVG uploads, this simple file will trigger XSS upon viewing.
Linux command to create a malicious SVG:
echo '<svg xmlns="http://www.w3.org/2000/svg"><script>alert("XSS")</script></svg>' > exploit.svg
4. Leveraging WAF Evasion with Obfuscation
Web Application Firewalls (WAFs) often block common XSS patterns. Attackers use techniques like breaking tags with `` or mixing case. The payload `
For advanced evasion, combine this with JavaScript events like onload, onerror, or `onmouseover` within SVG or HTML tags.
Example of an event-based polyglot:
<img src="x" onerror="eval(atob('YWxlcnQoJ1hTUycp'))" />
This payload uses an image source error to execute the Base64-encoded script.
5. Mitigation Strategies: Hardening Image Parameter Handling
To defend against these attacks, developers must implement strict validation at multiple layers.
Content-Type Validation: Reject files whose MIME type does not match the declared extension. Use `file` command on Linux to verify:
file --mime-type exploit.svg
Sanitize SVG Files: Remove `