Stored XSS on LaporBug.id

Learn System Security - Stored XSS on LaporBug.id ~

LaporBug.id is a Bug Bounty Platform from Indonesia, for more info about LaporBug.id you can open https://laporbug.id/.

I take a few minutes to look around LaporBug.id and check every single URL, parameter, form.

• https://laporbug.id/myprofile/edit

On this page, we have a form to upload a profile image.

When I upload my profile image, I try to change the extension of my image.

When I change the extension with .html, no errors and my file successfully uploaded on the server.

I also tried some sensitive extension like .php / .php5 / .phtml / .PhP;.png / .php%00.png but blocked by server:(

Don't worry, we still can use .html to make Stored XSS.
Next, I put an XSS Payloads on my image with exiftool.

Payloads: "><img src=1 onerror=confirm(document.domain)//>

**BOOM**

Thanks for:

• https://brutelogic.com.br/blog/file-upload-xss/
• https://exploit.linuxsec.org/fckeditor-bypass-shell-upload-with-burp/

#HappyHacking