1 of 19

Fun Times with SVGs and DOM Based XSS

By Julian Berton

2 of 19

Julian Berton

  • Years of web development experience
  • Currently working at Securus Global as a security consultant
  • OWASP Melbourne chapter lead

Contact

3 of 19

In 6 minutes...

  • Banks have vulnerabilities too
  • Manual testing is important
  • DOM Based XSS hiding in plugins
  • WAFs are annoying but don’t always work
  • Encoded SVG inside SVG FTW
  • Oh wait… URL Hash fragments….

4 of 19

5 of 19

localhost:4000/apply_thankyou?uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714&result=HC999|SUCCESS

6 of 19

URL of Thankyou Page

localhost:4000/apply_thankyou?

uuid= d77a9190-4ace-11e4-b775-bd2f6eee9714 &

result= HC999 | SUCCESS

7 of 19

& result = HC999 | SUCCESS

8 of 19

XSS (Reflected and stored)

  • User input is returned in the HTML response, either immediately (reflected) or some time later (stored), without output encoding or sanitization.

9 of 19

DOM based XSS

  • The user input is not returned in the server's HTML response
  • Attacks don’t need to go through the server to be exploitable.
  • Normally found in the URL parameters or referrer header

10 of 19

DOM based XSS (cont.)

JavaScript reads the URL from one of the following DOM properties:

  • document.URL
  • document.URLUnencoded
  • document.location
  • document.referrer
  • window.location

11 of 19

Exploiting

12 of 19

13 of 19

Web Application Firewall

Filtering strings such as:

  • Script, iframe and object tags
  • All event handlers such as onblur, onload, onclick, etc
  • The data attribute
  • The JavaScript keyword
  • And many more!

14 of 19

Data URI

  • Embed small items of data into a URL—rather than link to an external resource, the URL contains the actual encoded data.

15 of 19

16 of 19

17 of 19

18 of 19

The Easy Way….

localhost:4000/apply_thankyou?

uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714 &

result= HC999 | SUCCESS

localhost:4000/apply_thankyou#

uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714 &

result= HC999<script>alert('xss')</script> | SUCCESS
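Putting the WAF slide and the hash-fragment slide together, as an added example that is not part of the talk: a small Node script showing what a WAF can inspect versus what the page's own JavaScript reads from the URL, with the vulnerable sink beside a hardened one. The http:// scheme on the sample URLs, the CODE|STATUS allow-list and all function names are assumptions.

```javascript
// Added example, not from the talk. Scheme, allow-list regex and
// function names are assumptions; the URL layout follows the slides.

// What the HTTP request carries (and so what a WAF can inspect): path + query.
// The fragment after '#' is never sent to the server.
function serverSideView(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// What client-side code sees via document.URL / window.location: everything,
// fragment included. "result" is taken from the query or, failing that, the hash.
function getResultParam(urlString) {
  const u = new URL(urlString);
  const fromQuery = u.searchParams.get('result');
  if (fromQuery !== null) return fromQuery;
  return new URLSearchParams(u.hash.replace(/^#/, '')).get('result');
}

// Vulnerable pattern: the value is concatenated into markup, the same effect
// as assigning it to element.innerHTML.
function renderUnsafe(urlString) {
  return '<p>Result: ' + getResultParam(urlString) + '</p>';
}

// Hardened: allow-list the expected CODE|STATUS shape (assumed format), then
// HTML-encode before it reaches a sink. Writing via textContent would also do.
const RESULT_RE = /^[A-Z0-9]{1,16}\|(SUCCESS|FAILURE)$/;
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(urlString) {
  const v = getResultParam(urlString);
  if (v === null || !RESULT_RE.test(v)) return '<p>Result: unavailable</p>';
  return '<p>Result: ' + escapeHtml(v) + '</p>';
}

// Constructed sample URLs following the slides (scheme added for the URL parser).
const BENIGN_URL =
  'http://localhost:4000/apply_thankyou?uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714&result=HC999|SUCCESS';
const HASH_URL =
  "http://localhost:4000/apply_thankyou#uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714&result=HC999<script>alert('xss')</script>|SUCCESS";

console.log('WAF sees :', serverSideView(HASH_URL)); // no <script> to filter
console.log('unsafe   :', renderUnsafe(HASH_URL));   // script tag lands in the DOM
console.log('safe     :', renderSafe(HASH_URL));     // rejected by the allow-list
```

The unsafe and safe renderers read the same parameter; only the output handling differs, which is why a WAF in front of the server cannot be the fix for a DOM-based sink.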

19 of 19

More Info

Blog post coming soon!