XSS through image proxy using SVG image

Abdullah Mohamed
Dec 25, 2021


Hi everyone, today’s story will be short because there are not many details in it.

I got a private invitation to hunt on a program. Once I opened the website, I checked, as I usually do, where the images and JS files are hosted, because if they are uploaded to a service like an Amazon S3 bucket, I will scan this bucket.

When I clicked on a random image, I saw that the image link looked like this:

https://company.com/1/2010/1920/https://example.s3.amazonaws.com/images/a1.jpg

From here I had two things to do. The first was to scan the S3 bucket to find out whether there is a misconfiguration or not; here is my writeup on how to scan for this type of misconfiguration.

The second thing I did (which is the reason for this writeup) was to check whether the endpoint accepts images from my host or not. I tried, and it worked.

I tried files with different extensions to see if I could exploit SSRF, but unfortunately the endpoint only accepts image extensions.

The last thing I tried was an SVG file containing my XSS payload. After I made it, I put my SVG file's URL in the endpoint, and the vulnerable link looked like this:

https://company.com/1/2010/1920/https://attacker.com/payloads/poc.svg

Contrary to what I expected, the alert came from the company's host and not from my host.

How to fix?

The team fixed the bug by making the proxy accept images only from the S3 bucket that belongs to them.
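
One way to implement an allowlist like the fix described above, as an added example that is not the company's code and not from the original post. The allowlisted host and the three-numeric-segment path layout are assumptions taken from the sample link, and the Content-Type check is extra hardening beyond the fix the team applied.

```python
from urllib.parse import urlsplit

# Assumption: the only upstream the proxy should fetch from, taken from the
# sample link in the post.
ALLOWED_HOSTS = {"example.s3.amazonaws.com"}
# Assumption: raster types only; SVG is excluded because it can carry script.
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif", "image/webp"}


def extract_upstream(proxy_path: str) -> str:
    """Return the upstream URL from a path like /1/2010/1920/<url>."""
    parts = proxy_path.lstrip("/").split("/", 3)
    if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError("unexpected proxy path layout")
    return parts[3]


def is_allowed_upstream(url: str) -> bool:
    """Allow only https URLs whose exact hostname is on the allowlist."""
    try:
        u = urlsplit(url)
        port = u.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Reject other schemes and any userinfo part (user@host), which can make
    # the visible prefix of a URL differ from the host actually contacted.
    if u.scheme != "https" or u.username is not None or u.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Exact match on the parsed hostname, never a substring or prefix test.
    return (u.hostname or "").lower() in ALLOWED_HOSTS


def is_allowed_type(content_type: str) -> bool:
    """Check the upstream Content-Type header against the raster allowlist."""
    return content_type.split(";", 1)[0].strip().lower() in ALLOWED_TYPES
```

If the fetcher follows redirects, the same host check has to be applied to every redirect target before the next request is made.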

Thanks for reading; I hope my story was useful.