๐ Reflected XSS via File Upload on Sony
Posted on June 22, 2025 ยท Category: XSS
Hi,
I discovered a reflected XSS vulnerability via file upload on a Sony subdomain.
Target
Main application: https://*.*.*.sony.com/#/PATH1/PATH2
Vulnerable Link
After uploading a file, the file gets hosted on:
https://*.*.*.sony.com/uploads/PATH1/bnUnlZzw_js_injected_xss.pdfThis link can be shared with any user, and when opened, the injected XSS payload executes.
Impact
- Reflected XSS on a Sony subdomain
- Payload embedded in uploaded PDF filename or response
- Can lead to account takeover via session theft or malicious actions
Reproduction Steps
- Navigate to:
https://*.*.*.sony.com/#/PATH1/PATH2 - Fill in all required form details
- Click Continue to proceed
- Upload the crafted file:
js_injected_xss.pdf - Get the uploaded link and send it to any victim
๐ท Proof of Concept Screenshot:
Payload Location
The file name or part of the PDF was reflected in the response without proper encoding, triggering the script.
Recommendation
Implement proper output encoding of filenames/paths in the response. Avoid reflecting user-generated input into the response without sanitization. Consider CSP and MIME type validation for uploaded files.
๐ Reward
I was awarded swags for this report.
