During a security assessment of an authentication web application, I identified a Persistent (Stored) Cross-Site Scripting (XSS) vulnerability in the document upload functionality. The application was designed to accept only .pdf files; however, this restriction was enforced solely on the client side, so anything the browser sent could be rewritten in transit.
By intercepting the upload request using Burp Suite, I modified the filename from .pdf to .html, changed the Content-Type header from application/pdf to text/html, and replaced the file body with a JavaScript payload:
<script>alert(document.domain)</script>

After forwarding the manipulated request, the server accepted and stored the file without validating either the extension or the content. When the stored document was later accessed through the application, it was served back from the application's origin as HTML, and the embedded script executed in the victim's browser context, confirming Persistent XSS via document upload. The alert(document.domain) payload is deliberately harmless; the same injection point would carry any JavaScript that runs with the victim's session.

This issue demonstrates insufficient server-side validation of file type and content, allowing an attacker to bypass the intended restriction and inject executable HTML/JavaScript into the application. The root cause is trusting three attacker-controlled values: the filename, the part's Content-Type header, and the file body. A robust fix validates on the server with an extension allow-list and a check of the file's magic bytes (a PDF begins with %PDF-), stores the file under a server-generated name, and serves it with a server-chosen Content-Type, Content-Disposition: attachment and X-Content-Type-Options: nosniff (ideally from a separate origin) so that even a file that slips through cannot execute as a page.
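To make the remediation concrete, here is an added example (my own illustrative code, not from the assessed application) of the server-side checks described above. The Upload dataclass, the function names and the sample request parts are assumptions for this example; the three sample parts mirror the legitimate upload, the Burp-modified .html/text/html request, and a variant that keeps the .pdf name but carries HTML in the body.

```python
import os
from dataclasses import dataclass

# Server-side rules for a "PDF only" upload. The client-supplied filename and
# Content-Type are attacker-controlled (Burp can rewrite both), so neither is
# trusted on its own; only the body bytes decide what the file is.
ALLOWED_EXTENSIONS = {".pdf"}
PDF_MAGIC = b"%PDF-"           # every PDF file starts with this header
MAX_BYTES = 10 * 1024 * 1024   # illustrative size limit (assumption)


@dataclass
class Upload:
    """One multipart/form-data file part as received by the server (assumed shape)."""
    filename: str       # from Content-Disposition: form-data; filename="..."
    content_type: str   # from the part's Content-Type header (untrusted)
    body: bytes


def validate_upload(upload: Upload) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects by extension, then by content."""
    if len(upload.body) > MAX_BYTES:
        return False, "too large"
    # Extension allow-list on the lower-cased name; "report.pdf.html" -> ".html".
    ext = os.path.splitext(upload.filename.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    # Magic-byte check: a renamed HTML file still fails here.
    if not upload.body.startswith(PDF_MAGIC):
        return False, "body is not a PDF (magic bytes mismatch)"
    # The client's Content-Type is deliberately never consulted.
    return True, "ok"


def stored_name() -> str:
    """Server-chosen random name: the user's filename never reaches disk or URLs."""
    return os.urandom(16).hex() + ".pdf"


def download_headers(name: str) -> dict[str, str]:
    """Headers for serving a stored document so the browser cannot run it as a page."""
    return {
        "Content-Type": "application/pdf",               # server decides, not client
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",             # no MIME sniffing to text/html
        "Content-Security-Policy": "sandbox",            # belt and braces if rendered inline
    }


# Constructed sample parts (not captured from the original assessment).
LEGIT_PDF = Upload("report.pdf", "application/pdf",
                   b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")
FORGED_HTML = Upload("report.html", "text/html",
                     b"<script>alert(document.domain)</script>")
RENAMED_HTML = Upload("report.pdf", "application/pdf",
                      b"<script>alert(document.domain)</script>")

if __name__ == "__main__":
    for part in (LEGIT_PDF, FORGED_HTML, RENAMED_HTML):
        accepted, reason = validate_upload(part)
        print(f"{part.filename:12} {part.content_type:16} -> {accepted} ({reason})")
    print(download_headers(stored_name()))
```

The legitimate PDF is the only part that passes; the Burp-modified request fails the extension check, and the renamed variant fails the magic-byte check even though both its name and its Content-Type claim to be a PDF. The download headers matter independently of validation: even a PDF/HTML polyglot that begins with %PDF- is served with an explicit application/pdf type, nosniff and as an attachment, so the browser never interprets it as a document from the application's origin.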
I hope you find this helpful, and take it as a reminder to always enforce strict server-side validation for document uploads.