From .jpg to XSS with S3 Bucket

When is it useful?

When we find a URL that loads an image with a .jpg extension from an S3 bucket, and we can take over that bucket.

STEPS

  1. Check whether the bucket exists. A missing bucket is detected by NoSuchBucket or The specified bucket does not exist in the response
  2. Take over this bucket name
  3. Make the bucket public: Permissions tab -> Block public access Edit -> uncheck Block public access
  4. Download https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg
  5. Rename SVG_XSS.svg to img.jpg, for example when in the source we found http://noneexixs.s3.amazonaws.com/img.jpg
  6. Upload img.jpg to the taken-over S3 bucket
  7. Make img.jpg public: select the file, click the Action button and choose Make Public
  8. Change the metadata: select img.jpg again, click Action button -> Edit metadata, change Content-Type from image/jpeg to image/svg+xml
  9. Open in browser http://noneexixs.s3.amazonaws.com/img.jpg

Open the URL where we found the S3 bucket in the source again, and we will get an XSS popup.
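The NoSuchBucket response from step 1 and the Content-Type change from step 8 are also the two signals a site owner can audit for on their own pages. The following is an added example, not part of the original write-up: the function and label names, the example-assets bucket and the sample responses are constructed, and the RESPONSES dict stands in for real HTTP fetches.

```python
import re
from html.parser import HTMLParser

# Virtual-hosted-style S3 URL: http(s)://<bucket>.s3[.-<region>].amazonaws.com/<key>
S3_URL = re.compile(
    r"^https?://([a-z0-9.-]+?)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(\S+)$", re.I)
MISSING = ("NoSuchBucket", "The specified bucket does not exist")
RASTER_EXT = (".jpg", ".jpeg", ".png", ".gif")

class S3RefCollector(HTMLParser):
    """Collects (bucket, key) pairs from src/href attributes."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            m = S3_URL.match(value or "") if name in ("src", "href") else None
            if m:
                self.refs.append((m.group(1), m.group(2)))

def audit(html, responses):
    """responses: (bucket, key) -> (content_type, body), as fetched by the auditor."""
    collector = S3RefCollector()
    collector.feed(html)
    findings = []
    for bucket, key in collector.refs:
        ctype, body = responses[(bucket, key)]
        mime = ctype.split(";")[0].strip().lower()
        if any(marker in body for marker in MISSING):
            # Name is unclaimed: remove the reference or re-create the bucket.
            findings.append((bucket, key, "dangling-bucket"))
        elif key.lower().endswith(RASTER_EXT) and mime == "image/svg+xml":
            # Raster extension but SVG metadata: the object can carry script.
            findings.append((bucket, key, "svg-served-as-raster"))
    return findings

# Constructed sample page and responses (stand-ins for real HTTP fetches).
PAGE = """<img src="http://noneexixs.s3.amazonaws.com/img.jpg">
<img src="https://example-assets.s3.amazonaws.com/logo.png">
<iframe src="https://example-assets.s3.eu-west-1.amazonaws.com/banner.jpg"></iframe>"""
RESPONSES = {
    ("noneexixs", "img.jpg"): ("application/xml", "<Error><Code>NoSuchBucket</Code></Error>"),
    ("example-assets", "logo.png"): ("image/png", ""),
    ("example-assets", "banner.jpg"): ("image/svg+xml; charset=utf-8", "<svg/>"),
}

if __name__ == "__main__":
    for finding in audit(PAGE, RESPONSES):
        print(finding)
```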

Happy Hunting!