Open Redirect Via File Upload



Open Redirect through File Upload functionality is not widely seen or talked about, but it is still possible to execute under specific conditions. An uploaded file can carry a payload that redirects users to an attacker-controlled domain, which creates an open redirection scenario.

Steps to Reproduce:

1. Save the code below as a .svg file.

<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><image xlink:href="https://example.com/imag.jpg" height="200" width="200"/></svg>
2. Upload the file, then try to retrieve the file.
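
A server-side check for the upload handler, added here as an example and not part of the original write-up: it flags uploaded SVGs that point at external URLs (as the file above does) or that carry script. The function names, the tag deny-list and the clean sample file are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}  # assumed deny-list

# The SVG from the steps above, and a constructed file with only an internal reference.
PAGE_SVG = (b'<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink"><image '
            b'xlink:href="https://example.com/imag.jpg" height="200" width="200"/></svg>')
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<circle id="c" r="5"/><use xlink:href="#c"/></svg>')

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_upload_findings(data):
    """Return reasons to reject an uploaded SVG; an empty list means nothing was flagged."""
    # Refuse DTDs up front so entity declarations never reach the parser.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif name in (XLINK_HREF, "href"):
                try:
                    url = urlsplit(value.strip())
                except ValueError:
                    url = None  # unparsable URL: treat as suspicious
                # Same-document fragments (#id) pass; a scheme or host leaves the file.
                if url is None or url.scheme or url.netloc:
                    findings.append(f"external reference on <{tag}>: {value.strip()}")
    return findings

if __name__ == "__main__":
    print(svg_upload_findings(PAGE_SVG))
    print(svg_upload_findings(CLEAN_SVG))
```

Serving uploaded files with Content-Disposition: attachment, or from a separate origin, also keeps the browser from rendering an uploaded SVG inline on the application's domain.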

Reference: