Exploiting the end user | Cross Site Scripting via svg files

Post Pic Not Available

As i am proceeding with my masters study(M.Tech) in computer science , the broad research topic i will be researching upon is Web Application Security . Under that broad area the specific research i have selected is , What are the various ways to exploit the end user means the client side . So i will be focussing on exploiting via daily life objects of virtual world which we use every time like images , videos , docs etc. Wish me luck with that :)
Coming on the point , I was reading the research work of Mario Heiderich titled "The Image that called me" presented in year 2011(Doc link at the end of post). The whole research is about security in svg files . I thank to the author for this awesome work . For those who are not aware of what svg is, Go wiki . Its the year 2015, svg became a big part of web applications. Most of the web based projects include svg for a clear and interactive user experience . Svgs now falls under the images category . Many of the websites now allow svg files to be uploaded under images category . But did they filtered the content of svg file before placing it on the server ? The answer is ummm...? . To verify this answer what i did is created a svg file with a XSS vector below and started testing the websites that allow images .
<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>
Vector credits : https://html5sec.org/#43
Demo : http://jasminderpalsingh.info/ts.svg

The result was quite interesting , Most of the files hosting websites was vulnerable to this attack. I thought to tweet about it to collect responses of other fellow researchers.

The same day of tweeting i received POCs of this vulnerability in many websites.

Above POCs Via @hackerspider1
I will posting the second part of this post with the mitigation of this vulnerability and more details if any . For now thanks for bearing the wall of text . See ya :)

-Jasminder Pal Singh

Share It!


comments powered by Disqus