Work details

Stored Cross-Site Scripting (XSS)

Title: Stored Cross-Site Scripting (XSS) in File Upload Functionality

Severity: High

Vulnerability Description:

The application allows users to upload image files. However, the upload feature does not validate the uploaded file's actual type or content, so an SVG file that embeds a JavaScript payload can be uploaded in place of an image. SVG is an XML document format and, unlike PNG or JPEG, may legitimately carry `<script>` elements, event-handler attributes and `javascript:` links.

When other users open the uploaded file in their browser, it is rendered as an SVG document and the embedded script executes in their browser in the context of the application, leading to potential account takeover, data theft or session hijacking. Note that script inside an SVG runs only when the file is loaded as a document (opened directly, or via `<iframe>`, `<object>` or `<embed>`); an SVG referenced through an `<img>` tag does not execute script, so the impact depends on how the application serves the file.
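As an added example (not code from the original report or from the affected application), the following Python shows the server-side checks that would have blocked this finding: the stored type is decided from the file's leading bytes rather than its name, SVG content is rejected on an image-only endpoint, and, for deployments that must accept SVG, a scanner flags the active-content vectors (`<script>`, `on*` handlers, `javascript:` URLs, `<foreignObject>`). The function and header names are my own, the sample files are constructed inline, and `defusedxml` is assumed to be the parser of choice in production (the standard library parser is used here so the block runs without dependencies).

```python
import xml.etree.ElementTree as ET

# Magic bytes of the raster formats an "image upload" endpoint is meant to accept.
# Hypothetical table for this example; extend for WebP etc. as needed.
RASTER_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXT_FOR_MIME = {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"}, "image/gif": {"gif"}}


def sniff_raster_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for magic, mime in RASTER_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def looks_like_svg(data: bytes) -> bool:
    """True if the content is an SVG/XML document, whatever the extension says."""
    head = data.lstrip()[:512].lower()
    return head.startswith(b"<?xml") or b"<svg" in head


def svg_has_active_content(data: bytes) -> bool:
    """Flag script-execution vectors in an SVG: <script>, <foreignObject>,
    on* event attributes and javascript:/data: URLs in href attributes.
    Malformed XML is treated as unsafe rather than guessed at."""
    try:
        root = ET.fromstring(data)  # use defusedxml.ElementTree in production (XXE)
    except ET.ParseError:
        return True
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()        # drop the XML namespace prefix
        if tag in ("script", "foreignobject"):
            return True
        for name, value in el.attrib.items():
            attr = name.split("}")[-1].lower()     # "{xlink-ns}href" -> "href"
            if attr.startswith("on"):
                return True
            if attr == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                return True
    return False


def validate_image_upload(filename: str, data: bytes):
    """Return (accepted, reason, content_type) for an image-only endpoint.
    The decision is made on the bytes; the client-supplied name is only
    cross-checked so that a stored '.png' is really a PNG."""
    if looks_like_svg(data):
        return False, "svg-not-allowed", None
    mime = sniff_raster_type(data)
    if mime is None:
        return False, "unrecognized-format", None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_FOR_MIME[mime]:
        return False, "extension-mismatch", None
    return True, "ok", mime


def safe_download_headers(mime: str, stored_name: str) -> dict:
    """Response headers for serving user uploads: fixed type, no sniffing,
    forced download and a CSP that blocks script even if the type is wrong."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs (not files from the affected application).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MALICIOUS_SVG = (b'<?xml version="1.0"?>\n'
                 b'<svg xmlns="http://www.w3.org/2000/svg">'
                 b'<script>alert(document.domain)</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:alert(1)"><rect width="10" height="10"/></a></svg>')
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for name, blob in (("logo.png", PNG_SAMPLE), ("avatar.svg", MALICIOUS_SVG),
                       ("avatar.png", MALICIOUS_SVG)):
        print(name, validate_image_upload(name, blob))
    for blob in (MALICIOUS_SVG, HANDLER_SVG, BENIGN_SVG):
        print("active content:", svg_has_active_content(blob))
```

The key design point is that the name and the declared Content-Type are attacker-controlled, so the accept/reject decision must come from the bytes, and whatever is stored should be served with `nosniff`, a forced download and a restrictive CSP so that a validation gap cannot turn into script execution on the application's origin.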

Steps to Reproduce:

Log in to the application and navigate to the Upload File section.

Create a malicious SVG file with the following payload:
