# Injection: Stored XSS via File Upload

Identifier: `file_upload_stored_xss`
## Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
## Description
Stored cross-site scripting via file upload (CWE-79) occurs when an application accepts a user-supplied file that is later rendered inline by a browser without a safe `Content-Type` and `Content-Disposition`. Common vectors include SVG (XML with an embedded `<script>` element), HTML, PDFs with JavaScript, and polyglot image/HTML files.

**How we test:** For each detected upload endpoint we submit a tiny canary file with executable inline content (SVG containing `<script>`, HTML with `<img onerror=fetch(OOB)>`, PDF with JavaScript, polyglot GIF+HTML, and a content-type override variant). Each variant uses a per-scan canary filename so it cannot collide with real customer files. Confirmation requires both: (a) the file is retrievable via the inferred retrieval URL, and (b) the retrieval response carries an active rendering `Content-Type` such as `image/svg+xml` or `text/html` and the `<script>` payload is reflected verbatim. We never load the file in a real browser; the OOB callback to `ssrf.tools.escape.tech` provides a second-source signal when the application stores files behind authenticated CDNs.

Every probe emits a `context.info` event with the raw multipart request and the retrieval response as attachments.
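The confirmation criterion (b) above and the mitigation it implies (serve uploads with a non-rendering `Content-Type` and a forced-download `Content-Disposition`) can both be expressed as small checks you can run against your own file-retrieval responses. The following is an added example, not the scanner's own code; `is_active_rendering` mirrors the stated confirmation logic over a response's headers and body, and `safe_download_headers` builds the response headers a download endpoint should emit. The header and body values used are constructed sample data, and `ACTIVE_RENDERING_TYPES` is the author's own list rather than the scanner's.

```python
"""Defender-side checks for stored XSS via file upload (added example, not scanner code)."""
import os
from typing import Dict, Mapping

# Content types a browser renders as active content, i.e. embedded script can run.
# Constructed list for this example; extend it to match your own threat model.
ACTIVE_RENDERING_TYPES = {
    "image/svg+xml",
    "text/html",
    "application/xhtml+xml",
    "application/pdf",
}


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_active_rendering(headers: Mapping[str, str], body: bytes, canary: str) -> bool:
    """True when a retrieval response would let an uploaded canary execute.

    This is criterion (b) from the description: an active rendering Content-Type,
    no forced download, and the canary markup reflected verbatim in the body.
    """
    media_type = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if media_type not in ACTIVE_RENDERING_TYPES:
        return False
    disposition = _header(headers, "Content-Disposition").strip().lower()
    if disposition.startswith("attachment"):
        return False  # browser downloads the file instead of rendering it
    return canary.encode() in body


def safe_download_headers(stored_name: str, declared_type: str) -> Dict[str, str]:
    """Headers for serving user uploads so that they are never rendered inline.

    Any client-declared type that a browser would actively render is downgraded
    to application/octet-stream; nosniff stops the browser from second-guessing
    a polyglot, and the CSP sandbox neutralises script if something slips through.
    """
    media_type = declared_type.split(";")[0].strip().lower()
    if not media_type or media_type in ACTIVE_RENDERING_TYPES:
        media_type = "application/octet-stream"
    # Keep only the base name and a conservative character set for the filename.
    base = os.path.basename(stored_name)
    safe_name = "".join(ch for ch in base if ch.isalnum() or ch in "._-") or "download"
    return {
        "Content-Type": media_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample: a per-scan canary and a vulnerable vs. hardened response.
    canary = "<script>/*canary-0000*/</script>"
    body = b"<svg xmlns='http://www.w3.org/2000/svg'>" + canary.encode() + b"</svg>"
    vulnerable = {"Content-Type": "image/svg+xml"}
    hardened = safe_download_headers("logo.svg", "image/svg+xml")
    print("vulnerable response renders canary:", is_active_rendering(vulnerable, body, canary))
    print("hardened response renders canary:  ", is_active_rendering(hardened, body, canary))
```

`is_active_rendering` deliberately ignores the body unless the headers already make execution possible, which keeps it consistent with the page's requirement that both the rendering type and the verbatim payload be present before a finding is confirmed.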
References:
## Configuration

### Example

Example configuration:
## Reference

### skip

Type: `boolean`

Skip the test if `true`.