And I’ve got a tip for when you come across a file upload that only accepts images. If the application allows the SVG image type, you may have just found yourself a stored XSS vulnerability: an SVG is an XML document, and it can carry script.
Using the code in the image below, you can execute JavaScript on the victim application. Just copy it into a file named ‘test.svg’ and upload it! Short, simple, and sweet.
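The defensive counterpart, added here as an example and not code from the original post: a Python check that an upload handler could run before accepting an SVG, rejecting files that carry `<script>` or `<foreignObject>` elements, event-handler attributes, or `javascript:` URLs. The helper name `find_svg_risks` and the two sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Elements that let an SVG run script or embed HTML when the file is opened
# directly in a browser (an SVG shown via <img> does not run script).
RISKY_ELEMENTS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip an XML namespace such as '{http://www.w3.org/2000/svg}' and lowercase."""
    return name.rsplit("}", 1)[-1].lower()


def find_svg_risks(svg_text: str) -> list[str]:
    """Return reasons to reject the upload; an empty list means nothing risky was found."""
    # Refuse any DOCTYPE outright rather than reasoning about entity declarations.
    if "<!doctype" in svg_text.lower():
        return ["DOCTYPE declaration present"]
    try:
        root = ET.fromstring(svg_text)  # expat does not fetch external entities
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]

    risks = []
    for elem in root.iter():  # includes the root element itself
        tag = _local(elem.tag)
        if tag in RISKY_ELEMENTS:
            risks.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # handles xlink:href as well as plain href
            if name.startswith("on"):
                risks.append(f"event handler attribute {name} on <{tag}>")
            elif value.strip().lower().startswith("javascript:"):
                risks.append(f"javascript: URL in {name} on <{tag}>")
    return risks


# Constructed samples: a plain icon, and one shaped like the upload the tip describes.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle cx="5" cy="5" r="4"/></svg>')
SCRIPTED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
                '<script>/* constructed placeholder */</script></svg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, "->", find_svg_risks(doc) or "accept")
```

Rejecting risky markup is only one layer; serving user uploads from a separate origin, or with `Content-Disposition: attachment`, keeps any script that slips through from running in the application's origin.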