Would you consider this as a Self XSS?


I found a form where if a user uploads a file of a type that is unsupported, the name of the file is not sanitized at all and reflected back to the user.

For example if a file with the name is uploaded, the name is then embedded in the page, causing an xss to trigger.

However, it is important to note this is NOT a stored xss as the name of the file is embedded as an error message. “Filename is not supported”. The file is never actually uploaded server side.

My question is, is this counted as a self xss? I believe it is because it requires the user to upload a specific file but I am not sure as reading up on other reports have made me a little confused.


Hi @00dc.

It’s very hard too get a report about that issue accepted. It is self XSS, but in very rare occassions you will get that kind of issues rewarded. A few years ago Google accepted and rewarded those kind of issues, but I don’t know if they still do.


Thanks for your input Stefan.

The page in question seems to be an internal page. The interesting thing is it requires some request code to be inputted and validated before even a valid file is uploaded to the server (the code is validated server side so could not find a way to recreate the code).

Judging by how seemingly insecure the page is, I was wondering whether it was worth to try and find a way to bypass the file extension to enable php files to be accepted.

Then the self xss could be used as an entry point to capture the request code from a legitimate user (by convincing them to upload the vulnerable file), and then knowing that we have a way to enable php files to be uploaded as acceptable format, could lead to potential RCE.

Is this avenue worth investigating or is this too many hypothetical?

The program in question is a simple program that rewards thanks for finding a bug and like most programs does not want a Self XSS submitted.

I enjoyed reading your PayPal XSS report btw.


Hi @00dc.

It is probably worth it to try to upload any kind of file. There is a extension for Burp called “Uploader Scanner” or something like that. I used it one or two times without success, but I know a guy who got 2 RCEs a few weeks ago using that tool.

If you have to convince the users, then I see it very unlikely that the program is going to accept the report.

I wouldn’t bother spending your precious time in programs that do not reward with money your findings.

:grinning: :+1: