Embedding SVG That Contains XSS Using Base64 Encoding in Firefox

You can’t make this stuff up - nEUrOO alerted me to an interesting XSS vector I hadn’t seen before. Yup, you can embed JavaScript in SVG - and you can embed SVG with an Embed tag using Base64 encoding - and yes, that works in Firefox. Normally I’d blow something like this off, because if you can use Embed there are a lot of other worse things you can do - however this one is slightly different.

With Embed generally you have to already have the plugin installed to use it. In this case, in Firefox you don’t have to do anything - requiring no user interaction, unlike a virus or something more malicious. That’s really the primary goal of the Cheat Sheet: to find ways to execute JavaScript without user interaction, and this definitely fits that criterion in a pretty bizarre way. Carrying the payload with you is pretty sexy too, which means you can’t just shut down one command-and-control server to get the exploit to stop propagating (in the case of a worm). Interesting stuff, and nice find, nEUrOO!
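A filter-side check for the vector described above, as an added example that is not part of the original post: it finds embedding tags whose URL is a `data:` URI, decodes the Base64 body, and reports whether the inline SVG carries script. The tag list, the `scan` and `decode_data_uri` names, and the sample markup are assumptions made for illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Tags that load a document from a URL, and the attribute that carries it.
URL_ATTRS = {"embed": "src", "object": "data", "iframe": "src"}
DATA_URI = re.compile(r"^\s*data:([^;,]*)((?:;[^;,]*)*),(.*)$", re.I | re.S)
# Script-capable markup inside the decoded SVG.
ACTIVE = re.compile(rb"<\s*script\b|\bon\w+\s*=|javascript:", re.I)

def decode_data_uri(uri):
    """Return (mime, payload_bytes) for a data: URI, or None for any other URL."""
    m = DATA_URI.match(uri or "")
    if not m:
        return None
    mime, params, body = m.group(1).strip().lower(), m.group(2).lower(), m.group(3)
    if ";base64" not in params:
        return mime, unquote_to_bytes(body)
    body = re.sub(r"\s+", "", body)
    try:
        return mime, base64.b64decode(body + "=" * (-len(body) % 4))
    except ValueError:  # malformed base64: nothing to inspect
        return mime, b""

class EmbedScanner(HTMLParser):
    """Collects (tag, mime, has_script) for every SVG delivered inline as data:."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        decoded = decode_data_uri(dict(attrs).get(URL_ATTRS.get(tag, "")))
        if decoded and ("svg" in decoded[0] or b"<svg" in decoded[1].lower()):
            mime, raw = decoded
            self.findings.append((tag, mime, bool(ACTIVE.search(raw))))

def scan(html):
    scanner = EmbedScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: the script body is an inert comment.
_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* inert */</script></svg>'
SAMPLE = ('<embed src="data:image/svg+xml;base64,%s" type="image/svg+xml">'
          '<embed src="/static/logo.svg" type="image/svg+xml">'
          % base64.b64encode(_SVG).decode())

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Because the payload travels inside the markup, a filter that only inspects the visible attribute text for script never sees it; the decode step is what makes the inspection meaningful.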

