s3-minio-content-type-xss
CommunityExploit S3/MinIO Content-Type overrides for stored XSS.
System Documentation
What problem does it solve?
This Skill addresses stored cross-site scripting (XSS) vulnerabilities in web applications that serve user-uploaded files from public S3 or MinIO cloud storage buckets, where attackers can override the Content-Type response header to bypass upload-time validation controls and execute malicious scripts under the target's origin.
Core Features & Use Cases
- Dual storage system support: Includes exploitation workflows for both MinIO and compatible storage systems (anonymous Content-Type override) and AWS S3 (signed presigned URL generation for overrides).
- Upload validation bypass: Provides polyglot file crafting techniques to pass extension whitelist and magic byte checks during file upload, ensuring malicious payloads reach the bucket.
- Use case: During an authorized penetration test of a social media platform that stores user avatars in a public MinIO bucket served under the platform's own domain, use this Skill to turn a benign uploaded avatar file into a same-origin stored XSS payload that steals user session cookies.
Quick Start
Use this skill to test a target's public file serving endpoint for S3 or MinIO Content-Type override vulnerabilities and generate a working same-origin stored XSS payload if the bucket is exploitable.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: s3-minio-content-type-xss Download link: https://github.com/uphiago/recon-skills/archive/main.zip#s3-minio-content-type-xss Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.