
Is there a working technique to execute XSS in modern browsers using a SVG file displayed on a web page with an <img src=""> tag?

I know a way to execute without <script> tag, but I don't know how to load a file using SVG or anything else, because XML breaks when I try using different tags to get my XSS working.

Is this actually possible?

Anders
Mega

2 Answers


No, it's not. Although SVG files can contain JS (see this), these will only get executed if:

  1. the user directly visits the .svg file in their browser
  2. the image is embedded within <embed> tags.

Modern browsers will never execute scripts in SVGs if it's within <img> tags.

And even in the two cases above, the server can provide CSP headers that stop the execution of such scripts.

undo

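The answer above draws the line between an SVG loaded through an `<img>` tag (scripts never run) and one that is navigated to directly or embedded with `<embed>` (scripts can run unless CSP stops them). The usual defensive consequence is that a site accepting user-uploaded SVGs should both inspect the file for active content and serve it with headers that neutralise that content in the direct-visit case. The following is an added example, not code from the question or either answer, showing both checks. It uses only the standard library; the `SAFE_SVG_HEADERS` values and the `find_active_content` heuristics are my own assumptions about a reasonable policy, and `xml.etree` is not hardened against XML bombs, so a real deployment would parse with `defusedxml` instead.

```python
"""Server-side handling of user-uploaded SVG files (added example).

Two defensive pieces:
  1. find_active_content(): flag constructs that can execute script when
     the SVG is visited directly or embedded via <embed>/<object>.
  2. svg_response_headers(): headers that make even a flagged file inert
     when a browser navigates to it directly.
"""
import xml.etree.ElementTree as ET  # assumption: swap for defusedxml on untrusted input

# Assumed policy for serving uploaded SVGs. The CSP 'sandbox' directive
# makes a directly visited SVG behave like a sandboxed document, and
# default-src 'none' blocks scripts and external loads; inline CSS is
# still allowed so ordinary styling keeps working.
SAFE_SVG_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    "X-Content-Type-Options": "nosniff",
}


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list:
    """Return a list of human-readable findings for active content in an SVG.

    Flags: <script> elements, <foreignObject> (can carry HTML), on* event
    handler attributes, and javascript: URLs in any attribute (href, xlink:href).
    An empty list means none of these constructs were found.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append("script element")
        elif name == "foreignObject":
            findings.append("foreignObject element (can embed HTML)")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            # Collapse whitespace so 'java script:' style obfuscation is caught too.
            if "".join(value.split()).lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {aname} on <{name}>")
    return findings


def is_safe_for_upload(svg_text: str) -> bool:
    """True when the SVG parses and contains no active content."""
    try:
        return not find_active_content(svg_text)
    except ET.ParseError:
        return False  # reject anything that is not well-formed XML


def svg_response_headers() -> dict:
    """Headers to attach when serving an uploaded SVG back to browsers."""
    return dict(SAFE_SVG_HEADERS)


# Constructed sample inputs (not taken from the page).
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(1)" width="10" height="10">
  <script>alert(2)</script>
  <a xlink:href="javascript:alert(3)"><circle r="5"/></a>
</svg>"""

BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle r="5" fill="red"/></svg>')

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", find_active_content(doc) or "no active content")
    print(svg_response_headers())
```

Run as a script it prints three findings for the constructed malicious file (the `onload` handler, the `<script>` element, the `javascript:` link) and none for the benign one. The inspection is a heuristic and should be treated as defence in depth; the headers are what actually stop script in the direct-visit and `<embed>` cases the answer describes, while an `<img>` reference stays inert regardless.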

SVG images can contain CSS, and CSS is a possible injection point for XSS.

See https://stackoverflow.com/questions/3607894/cross-site-scripting-in-css-stylesheets and https://code.google.com/archive/p/browsersec/wikis/Part1.wiki#Cascading_stylesheets

Both point out:

As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url('javascript:...') directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.

So, yes, you can use user-controlled SVGs to execute script in the domain of the host page.

Using Content-Security-Policy you can restrict where you expect to find styles or script. Another thing you could try is to serve these SVGs in a sandboxed cross-domain iframe.

David Waters
  • Sorry, that's not correct. An SVG in an `<img>` tag will not execute active script code. Also, JS in CSS expressions doesn't work in any modern browser. – Arminius Jul 04 '19 at 10:01
  • @Arminius Well, I've been testing SVG and CSS+XSS for 6 months now. I found that SVG XSS is still working with data URIs (found a way to make a double embedded execution today, and then it works in any page), not sure if it's a real security bug. And CSS+XSS can work but only on – Mega Jul 04 '19 at 23:26
  • @Mega Script code in SVGs is possible. But script code in SVGs embedded via `<img>` is strictly not possible. (Unless you found a bypass that constitutes a severe security issue.) Also, injecting script code via CSS is not possible. That is, if I embed an image or a stylesheet of your choice on my site, you will not be able to execute any Javascript through that. – Arminius Jul 05 '19 at 00:16