A few days ago I read the blog of Romain Gaucher and came across a very simple way of execute Javascript. He wrote there about how to inject a Javascript into an SVG image. It’s not a new technique at all because the SVG format is nothing else then XML and there you can use CDATA for injecting HTML or something else into it and so you can do the same with SVG images. The point is, that until now I never saw that someone did exactly this kind of injection because the main problem we normally have if we do a XML injection is, that we need a functionality which can parse the XML file so that the injected script code can be executed but that’s exactly what happened with SVG images in the webbrowser and so we can use this form to execute our code.
PS: Of course you’ll need a browser which supports the SVG format, like Firefox.
Thinking of this, I tried an variant with SVG and the embed tag:
http://rgaucher.info/b/index.php/post/2007/02/16/The-return-of-the-SVG-XSS
Cool stuff
It’s funny how fast the Internet could be if someone (re-)start to talk about something, for example now also RSnake wrote a blog posting about it (http://ha.ckers.org/blog/20070216/embeding-svg-that-contains-xss-using-base64-encoding-in-firefox/) and also added this vector to the XSS Cheat Sheet (http://ha.ckers.org/xss.html#XSS_Embed_SVG).
Well, actually once i found this vector, I sent it to RSnake