Transfer.sh Vulnerable to Stored XSS #100

Closed
opened 2026-01-19 18:28:58 +00:00 by michael · 0 comments

Originally created by @blind-intruder on GitHub.

Hi,
I am Farhan, a professional cyber security researcher & penetration tester from Pakistan. I was reviewing the code of transfer.sh and I found that it is possible to achieve Cross-Site Scripting (XSS) on transfer.sh.

Steps to Reproduce:

  • Create a file without any extension, example: "poc"
  • Add this HTML in this file "<h3 onclick="alert('XSS')">click me</h3>"
  • Save this file
  • Upload this file in the transfer.sh
  • You will get a URL something like this: https://transfer.sh/OHTwGK/poc
  • Modify this URL and add "inline" just after https://transfer.sh/
  • Now the URL will look like this: https://transfer.sh/inline/OHTwGK/poc
  • Open this URL in a browser, click on the "click me" text and notice the prompt

How to Fix it:
In the file /server/handlers.go, find this code at line 1035:
https://github.com/dutchcoders/transfer.sh/blob/main/server/handlers.go#L1035

```go
if action == "inline" {
	disposition = "inline"
}
```

Replace this code with the following to add proper content type:

```go
if action == "inline" {
	disposition = "inline"
	// Assign to the existing contentType variable; a short declaration (:=)
	// here would create an unused inner variable and fail to compile.
	contentType = "text/plain"
}
```

Proof Of Concept:
Open the following URL and click on the "click me" text; you will see an alert popup, which confirms the XSS.
https://transfer.sh/inline/OHTwGK/poc
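The handler below is an added example, not transfer.sh's own code, written to show why the report's fix works and what else a defender would pair it with. It assumes a `storedFile` record whose content type was captured at upload time (an assumption of this example), and it puts the reported behaviour (`serveUnsafe`) beside a hardened version (`serveHardened`) that forces `text/plain` on inline views, adds `X-Content-Type-Options: nosniff` so the browser cannot promote the plain text back to HTML, and sends a CSP `sandbox` without `allow-scripts` as defence in depth. The variable names `action`, `disposition` and `contentType` follow the snippet quoted in the report.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// storedFile is a stand-in for an upload kept by the server. It is an
// assumption of this example, not transfer.sh's own type: we assume the
// content type was recorded at upload time and is replayed on download.
type storedFile struct {
	name        string
	contentType string
	body        []byte
}

// writeFile emits the two headers that decide how a browser treats the
// response, then the stored bytes.
func writeFile(w http.ResponseWriter, f storedFile, disposition, contentType string) {
	w.Header().Set("Content-Type", contentType)
	w.Header().Set("Content-Disposition", fmt.Sprintf("%s; filename=%q", disposition, f.name))
	_, _ = w.Write(f.body)
}

// serveUnsafe mirrors the behaviour the report describes: "inline" switches
// the disposition but leaves the stored content type alone, so an HTML upload
// is rendered as a document in the server's own origin.
func serveUnsafe(w http.ResponseWriter, f storedFile, action string) {
	disposition := "attachment"
	if action == "inline" {
		disposition = "inline"
	}
	writeFile(w, f, disposition, f.contentType)
}

// serveHardened applies the fix the report proposes (force text/plain on
// inline views) and adds two defence-in-depth headers: nosniff so the browser
// will not sniff the plain text into HTML, and a CSP sandbox with no
// allow-scripts so nothing executes even if a type ever slips through.
func serveHardened(w http.ResponseWriter, f storedFile, action string) {
	disposition := "attachment"
	contentType := f.contentType
	if action == "inline" {
		disposition = "inline"
		contentType = "text/plain; charset=utf-8" // plain assignment, not a new := variable
	}
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	writeFile(w, f, disposition, contentType)
}

// rendersAsHTML reports whether a browser would treat the recorded response
// as an HTML document: an inline disposition combined with a text/html type.
func rendersAsHTML(rec *httptest.ResponseRecorder) bool {
	ct := strings.ToLower(rec.Header().Get("Content-Type"))
	cd := strings.ToLower(rec.Header().Get("Content-Disposition"))
	return strings.HasPrefix(ct, "text/html") && strings.HasPrefix(cd, "inline")
}

func main() {
	// Constructed sample upload matching the report: no extension, HTML body,
	// and a content type of text/html recorded at upload time.
	poc := storedFile{
		name:        "poc",
		contentType: "text/html",
		body:        []byte(`<h3 onclick="alert('XSS')">click me</h3>`),
	}
	handlers := []struct {
		label string
		fn    func(http.ResponseWriter, storedFile, string)
	}{{"unsafe", serveUnsafe}, {"hardened", serveHardened}}
	for _, h := range handlers {
		rec := httptest.NewRecorder()
		h.fn(rec, poc, "inline")
		fmt.Printf("%-8s Content-Type=%q renders as HTML: %v\n",
			h.label, rec.Header().Get("Content-Type"), rendersAsHTML(rec))
	}
}
```

`rendersAsHTML` is also a usable regression check: run it against the `inline` route after deploying the fix and it should return false for every stored file, whatever type was recorded at upload. The `attachment` path keeps the original content type, which is safe because a download disposition never renders the body in the page.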


Reference: dutchcoders/transfer.sh#100