webPromedium
Lab 49 — PixelVault — Stored XSS via Malicious SVG Upload
hackadvisor
Task: File-sharing platform accepting SVG uploads served with image/svg+xml content-type, admin bot visits reported URLs. Solution: Upload malicious SVG with JavaScript that exfiltrates admin cookies via same-origin comments API.
$ ls tags/ techniques/
svg_xssadmin_bot_exploitationstored_xss_via_uploadsame_origin_exfiltrationcomments_api_exfiltration
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]Lab 342 — CloudVault — Stored XSS via Malicious SVG Upload— hackadvisor
- [web][Pro]Lab 393 — ShareVault — Stored XSS via File Browser innerHTML— hackadvisor
- [web][Pro]Lab 314 — PixVault — ExifTool DjVu RCE via Image Upload— hackadvisor
- [web][Pro]Lab 82 — PixelVault — SQL Injection via User-Agent in Activity Logging— hackadvisor
- [web][Pro]Lab 56 — DataPulse — XXE to SSRF via SVG Avatar Upload— hackadvisor