web php xss session upload-progress stored-xss

Combine an upload-progress session-file write with a read/quote endpoint that renders the contents as active HTML.

XSS through Reflected Session-File Contents

The upload-progress session file becomes stored attacker HTML, and the read/quote endpoint becomes the renderer. The session mechanism supplies persistence; the reflection sink supplies execution.

Why It Works

  • Content planted in /tmp/sess_* is later read and injected into an active HTML context with no escaping.

Vulnerable Pattern

  • File-read or quote-render routes placing file contents into innerHTML, template output, or another active HTML context.

Exploit Flow

  1. Plant the payload via session upload progress first.
  2. Route the bot or admin to the reflection page that reads and injects the session-file contents.
  3. Use a local exfiltration primitive such as console.log if outbound network access from the bot is restricted.

Variations

  • Inline event handlers, SVG payloads, or DOM-clobbering content if CSP blocks classic script execution.

Common Blockers

  • HTML escaping on the reflection page, or the bot not exposing output in a visible place.
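
The escaping named above, applied to the quote-render sink from Vulnerable Pattern, as an added example (not code from the challenge or from this page's author). Function names and the sample file bytes are assumptions; the only value taken from the page is the PoC string.

```javascript
// Added example: the reflection sink, unsafe vs. escaped.
// All function names are hypothetical, not taken from the challenge.

// PoC string from this page, wrapped in placeholder bytes that stand in for
// the rest of a session file (constructed sample, not a real file).
const POC = '<img src=x onerror=console.log(document.cookie)>';
const SAMPLE_FILE = 'placeholder-session-bytes|' + POC + '|placeholder-tail';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an entity, or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: file contents are concatenated into markup as-is,
// so any tag stored in the file is parsed as a live element.
function renderQuoteUnsafe(fileContents) {
  return '<blockquote class="quote">' + fileContents + '</blockquote>';
}

// Hardened form: same template, but the file is treated as text.
// In browser code the equivalent is assigning to textContent, not innerHTML.
function renderQuoteSafe(fileContents) {
  return '<blockquote class="quote">' + escapeHtml(fileContents) + '</blockquote>';
}

// Regression check: strip the template's own wrapper and report whether
// anything that looks like a tag opener survived from the file contents.
function reflectsMarkup(rendered) {
  const inner = rendered
    .replace(/^<blockquote class="quote">/, '')
    .replace(/<\/blockquote>$/, '');
  return /<[a-zA-Z!\/?]/.test(inner);
}

console.log('unsafe reflects markup:', reflectsMarkup(renderQuoteUnsafe(SAMPLE_FILE)));
console.log('safe reflects markup:  ', reflectsMarkup(renderQuoteSafe(SAMPLE_FILE)));
```

reflectsMarkup is meant as a regression test on the rendering route, so that a later template change that drops the escaping fails the build.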

PoC Sketch

# after planting the upload-progress session file, force the app to render it via a quote/read page:
<img src=x onerror=console.log(document.cookie)>

Good Situations To Use It

  • You can write into a session file (see upload-progress primitive).
  • A read/quote endpoint renders file contents as HTML.
  • A bot/admin can be driven to that page.

Sources

  • fcsc2026/web/shellfish_say