Reflected XSS via File Upload on Sony
Hi,
This is my first writeup! I discovered a reflected XSS vulnerability via the file upload feature on a Sony subdomain. This vulnerability allowed JavaScript payloads to be executed through a crafted file upload, posing serious risks such as session hijacking and unauthorized actions.
Main application (target):
https://*.*.*.sony.com/#/PATH1/PATH2
How I Found the Subdomain
I used the Project Discovery Chaos database (https://chaos.projectdiscovery.io/) to enumerate Sony subdomains. To identify live and responsive subdomains, I filtered the results using httpx-toolkit as follows:
Initial filtering to find alive hosts (sony_subdomains.txt is the Chaos export; the filename is assumed here):
httpx-toolkit -l sony_subdomains.txt -silent
Further filtering to keep only hosts that answer HTTP 200 OK:
httpx-toolkit -l sony_subdomains.txt -silent -sc -mc 200
This process helped me identify a live Sony subdomain hosting the vulnerable application where I performed the file upload test.
Vulnerable Endpoint
Once a file is uploaded through the form, it is stored and becomes publicly accessible at a URL on the same origin as the application:
https://*.*.*.sony.com/uploads/PATH1/bnUnlZzw_js_injected_xss.pdf
When this URL is opened, the browser renders the uploaded file inline from the Sony origin instead of being forced to download it, so the script embedded in the file runs in the context of the subdomain. The problem is unsafe handling of the uploaded content, not output encoding of a request parameter.
XSS Payload File
You can view the crafted XSS payload file used in this test at:
👉 https://dr34m14.github.io/dr34m14/payloads/js_injected_xss.pdf
Reproduction Steps
- Go to:
https://*.*.*.sony.com/#/PATH1/PATH2
- Complete all required form fields.
- Click Continue to proceed.
- Upload the crafted PDF:
js_injected_xss.pdf
- Retrieve the public URL of the uploaded file.
- Share the link with a target; the payload triggers when the victim opens it.
Proof of Concept
Payload Location
The script is carried inside the uploaded file itself rather than reflected from a request parameter. The server stores the file and serves it back unchanged from the application's origin at the public upload URL, and because the response lets the browser render the file instead of downloading it, the embedded script executes as if it were part of the site.
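To make the failure mode concrete, here is an added example (not code from the writeup, from Sony, or from the affected application) of the two halves of a safe upload handler: validation that looks at the bytes rather than the filename, and the response headers that decide whether a stored file can run script in the site's origin. The allowlist, header names, and the three sample files are constructed for this example; the "vulnerable" function reproduces the serving pattern the writeup describes (type taken from the extension, rendered inline), and the "hardened" one shows the corrected headers beside it. It also goes slightly beyond the PDF case in the text by rejecting an HTML file that merely carries a .pdf name.

```python
"""Added example, not code from the original writeup or from Sony: a minimal
upload validator and the response headers that decide whether an uploaded
file can run script in the site's origin. Stdlib only; every sample input
below is constructed for this example."""
import mimetypes
import os
import re
import secrets
from typing import Optional, Tuple

# Hypothetical allowlist: content type -> (magic bytes, accepted extensions, stored extension)
ALLOWED = {
    "application/pdf": (b"%PDF-", {".pdf"}, ".pdf"),
    "image/png": (b"\x89PNG\r\n\x1a\n", {".png"}, ".png"),
    "image/jpeg": (b"\xff\xd8\xff", {".jpg", ".jpeg"}, ".jpg"),
}

# PDF names that introduce script or auto-run actions. A document upload
# form has no business accepting them.
PDF_ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")


def sniff(data: bytes) -> Optional[str]:
    """Identify the type from leading bytes, never from the client-supplied name."""
    for ctype, (magic, _exts, _stored) in ALLOWED.items():
        if data.startswith(magic):
            return ctype
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason-or-content-type)."""
    ctype = sniff(data)
    if ctype is None:
        return False, "content does not match an allowed type"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED[ctype][1]:
        return False, "extension does not match content"
    if ctype == "application/pdf" and PDF_ACTIVE_CONTENT.search(data):
        return False, "PDF carries JavaScript or auto-run actions"
    return True, ctype


def stored_name(ctype: str) -> str:
    """Server-chosen name: random token plus the canonical extension, so the
    client-supplied filename never reaches the filesystem or the URL."""
    return secrets.token_hex(8) + ALLOWED[ctype][2]


def vulnerable_headers(filename: str) -> dict:
    """The pattern behind the bug: type guessed from the extension and the file
    rendered inline, so script inside it runs with the serving site's origin."""
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return {"Content-Type": ctype,
            "Content-Disposition": f'inline; filename="{filename}"'}


def hardened_headers(ctype: str, stored: str) -> dict:
    """Force a download, forbid MIME sniffing, and sandbox anything that still
    gets rendered. Hosting uploads on a separate origin is the stronger fix."""
    return {"Content-Type": ctype,
            "Content-Disposition": f'attachment; filename="{stored}"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "sandbox; default-src 'none'"}


# Constructed samples (not the author's payload file).
HTML_AS_PDF = b"<html><script>alert(document.domain)</script></html>"
PDF_WITH_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
               b"<< /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n%%EOF\n")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"


def demo() -> dict:
    """Run the checks over the samples; returns the verdicts for inspection."""
    return {
        "html_named_pdf": validate_upload("report.pdf", HTML_AS_PDF),
        "pdf_with_js": validate_upload("js_injected_xss.pdf", PDF_WITH_JS),
        "clean_pdf": validate_upload("clean.pdf", CLEAN_PDF),
        "clean_pdf_wrong_ext": validate_upload("clean.txt", CLEAN_PDF),
        "vulnerable": vulnerable_headers("js_injected_xss.pdf"),
        "hardened": hardened_headers("application/pdf", stored_name("application/pdf")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The keyword scan is deliberately crude: PDF dictionaries inside compressed object streams would hide `/JavaScript` from it, so in production either flatten the document with a real PDF library first or treat PDFs as opaque and rely on the attachment plus nosniff headers and a separate upload origin, which neutralise the content whatever it contains.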
Impact
- XSS on a Sony-owned subdomain (in practice stored rather than reflected: the payload persists in the uploaded file and fires for every visitor of its URL)
- Payload executes from the uploaded file’s URL
- Could lead to:
- Account takeover via session theft
- Phishing attacks
- Unauthorized actions in the context of the victim’s session
Reward
Sony acknowledged the issue and sent me swag as a thank-you.
Thanks for reading! This is my first writeup and I hope it helps raise awareness about secure file handling. Stay safe and happy bug hunting!
Twitter: https://twitter.com/dr34m14
GitHub: https://github.com/dr34m14
HackerOne: https://hackerone.com/dr34m14
LinkedIn: https://linkedin.com/in/dr34m14