zoukankan      html  css  js  c++  java
  • 【XSS技巧拓展】————10、Chrome XSS Auditor – SVG Bypass

    More than an year ago, in my private twitter account Brutal Secrets, I shared an interesting way to bypass Google’s Chrome anti-XSS filter called XSS Auditor. We will see now in details, from a blackbox perspective, a logical sequence of assumptions and conclusions that leads to our XSS vector responsible for the bypass.

    We start with a known source of trouble for all XHTML parsers (browsers) out there: Scalable Vector Graphics or SVG. Without getting deeper into the explanation of what SVG can do (check here), all we need to know is that SVG markup is way more complex than simple XML/HTML and full of unexplored resources for an attacker.

    Starting with a simple <svg> tag we proceed using an empty anchor, the <a> tag that creates an hyperlink. Nested to this anchor we will use a rectangle to create a larger clickable area, ending up with something like this:

    <svg><a><rect width=100% height=100%>

    check here

    We are now looking for a way to interact with the element but we can’t use event handlers due to Auditor’s blocking. So we will try one of the tags used in animations, notably the <animate> one. The <animate> tag takes an attribute (with attributeName) of a parent element (in our case the <rect> one) and manipulates its value, like “width” for instance. It creates the animation effect with the help of its own attributes “from”, “to” and “dur” (duration).

    <svg><a><rect width=100% height=100%><animate attributeName=width from=0 to=100% dur=2s>
    check here

    The interesting conclusion here is that we are in fact changing the original value of “width” attribute, in sequence. But what if we target a different attribute? Let’s take the href of the anchor (<a>) which is not set but is implicit. With some tweak in attributes and a self-closed <rect>, we are ready to go.

    <svg><a><rect width=100% height=100% /><animate attributeName=href to=//google.com>
    check here

    or

    <svg><a><rect width=100% height=100%><animate attributeName=href from=//google.com to=?>
    check here

    By clicking in our rectangle now, we are redirected to Google’s website. So to pop an alert box, we will just try to change it to “javascript:alert(1)”.

    Not that easy. Even an attempt to fool Auditor using HTML encoding gets blocked.

    <svg><a><rect width=100% height=100% /><animate attributeName=href to=javas&#99ript:alert(1)>
    check here

    We get back to SVG Attribute Reference and find an interesting alternative to “from” and “to”: animation elements can also use a “values” attribute which provides the same set of values for the animation.

    By simply setting “values” to “javascript:alert(1)” we get blocked again. But, surprisingly, this time we pop an alert using the HTML encoded form, “javas&#99ript:alert(1)”. Strange enough, any other arbitrary attribute with our obfuscated payload will fire a blocking but that one seems “whitelisted”!

    We change the <rect> for an <image> tag, more suitable to attract a victim’s click. A little addition of text/markup and… Boom!

    <svg width=12cm height=9cm><a><image href=//brutelogic.com.br/yt.jpg /><animate attributeName=href values=javas&#99ript:alert(1)>

    check here

    This bypass was found in version 51, although it might work in several past versions. It currently works on Google Chrome v60, the latest version at the time of this publication.

    #hack2learn

    转自:https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/

    总会有不期而遇的温暖. 和生生不息的希望。
  • 相关阅读:
    pytest扫盲21--pytest-assume多重效验插件
    pytest扫盲20--HTML报告
    pytest扫盲19--pytest重运行机制
    pytest扫盲18--配置文件pytest.ini
    pytest扫盲17--自定义命令行参数
    pytest扫盲16--某个用例失败后,关联的用例标记为xfail
    pytest扫盲15--skip跳过用例
    pytest扫盲14--pytest.raises()函数文档及在参数化中处理异常
    pytest扫盲13--遇到异常的两种处理方式及断言异常
    【CF】CF1430_G Yet Another DAG Problem_最小割/网络流/状压dp
  • 原文地址:https://www.cnblogs.com/devi1/p/13486410.html
Copyright © 2011-2022 走看看