XSS Via File Upload

When testing file upload functionality, there are several ways to trigger a cross-site scripting (XSS) attack. File upload is a serious opportunity to find XSS in a web application. Below are a few ways to achieve XSS via file upload:

1. XSS via Filename
2. XSS via Metadata
3. XSS via SVG file
4. Blind XSS via SVG

Reproduction steps, along with details of all the above methods, can be found in one place in this awesome blog by Brutelogic. Check out the script to get Blind XSS via SVG file here.
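A defender-side view of the filename and SVG vectors in the list above, as an added example that is not from the original post or from Brutelogic: the checks an upload handler can apply to client-supplied filenames and to active content in SVG files. The function names and the tag and attribute lists are an assumed, conservative policy, and metadata stripping is not covered.

```python
import html
import re
import xml.etree.ElementTree as ET

# Assumed policy for this example: elements that can run or embed active content.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}

def local(name):
    """Strip an XML namespace: '{ns}tag' -> 'tag', lowercased."""
    return name.rsplit("}", 1)[-1].lower()

def safe_filename(name):
    """Allow-list a client-supplied filename before storing it."""
    base = re.split(r"[\\/]", name)[-1]          # drop any directory part
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned[:100] or "upload"

def render_filename(name):
    """Escape the original name when it must be echoed into HTML."""
    return html.escape(name, quote=True)

def svg_findings(data):
    """Return reasons an uploaded SVG should be rejected (empty list = clean)."""
    # Refuse DTDs and entities rather than reason about their expansion.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            a = local(attr)
            if a.startswith("on"):
                findings.append(f"event handler attribute {a} on <{tag}>")
            # Remove whitespace and control characters before checking the scheme.
            scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
            if a in ("href", "src") and scheme.startswith(("javascript:", "data:")):
                findings.append(f"script-capable URL in {a} on <{tag}>")
    return findings

if __name__ == "__main__":
    # Constructed sample upload, not taken from the page.
    sample = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
    print(safe_filename("..\\..\\my photo.svg"), svg_findings(sample))
```

Treat the SVG check as one layer: serving uploads from a separate origin with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` limits the impact of anything the scan misses.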
