Stored XSS using SVG

Cyber Security Python Web Development
Transcript

English (Auto-generated)

Hello everyone, it is I, Has. And today we're going to talk about stored cross-site scripting with SVG. So just to give some context, SVG is something vector graphics. If you look at the code, we have profile_photo.svg. It's basically a way of defining images using this XML format, where you can kind of draw the image using XML. And we are going to load it using Python. I have a little note here in app.py for myself, just the MIME type, because otherwise I always forget it. First we're gonna import send_file. So basically we're gonna imagine this is like a profile photo, right? And we're using app.py to serve these profile photos. So let's see what that would look like. So let's just try sending the file in a junior dev kind of way, that is to say naively. So we're gonna send profile_photo.svg. Okay. And we're also gonna add a note that the MIME type is image/svg+xml. Beautiful. Alright, let's try it out. So I'm going to run this, flask run, and I'll load it up here in my browser and see. We load an image defined with SVG, but what a lot of people don't know, or rather what not a lot of people know, is that SVG can actually run arbitrary code right here inside of the victim's browser. You just have a script tag. We can do whatever we want in here. So we can say, like, alert, you've been hacked, and it should work. So let's try. So that's our junior dev implementing that. And now we're gonna hack it, we're gonna load it up and, oh my gosh, no, we've been hacked. Okay, well that's bad. Right. The good news is that there's a lot of things you can do about this. So in order for this to work, the server has to explicitly say that the MIME type is SVG with XML, which is, to be fair, strictly speaking, the correct MIME type. So if we look at the headers for... sorry, I just realized it's not loading it separately. So, come on, it's not even letting me, I don't know.

I don't know, let's see. We have filename, it's inline. Let me inspect it. Okay. And let me try looking at the MIME type. This is a little different than what you'd normally expect, because we are sending a MIME type. But we're just saying it's a profile photo, or sorry, profile. We're saying it's a profile photo. Yes. So it doesn't appear as an HTTP header. Let's look at this. Let's look at the raw header, right? Content-Disposition. It's pretty interesting. I'm gonna try this with netcat, because now I'm getting curious. I do some basic preparation before each video; I hadn't thought I was gonna actually try this. Looking forward to doing this: GET / HTTP/1. Okay, okay, let's see what it says. Yeah, so we see that we have... there it is. Content... sorry, I was looking for MIME type. Content-Type is the name of the actual header, and we see that it's image/svg+xml, and that one is not... like, Chrome doesn't show that one, but it actually is there. And that's why sometimes when you're trying to reverse engineer these things or just figure out what's going on, you want to use a lower level tool. But yeah, we see that we have the Content-Type header, and that's what this depends on, it being defined that way. And the thing is, because people became aware of this hack, most software providers will by default, if they see something as an SVG, load it in a way that won't be vulnerable, basically. Right? Like, they'll load it in a way where it will be loaded as a PNG or basically anything else. Let's do the default. Okay, so the default, and the default in Flask is apparently to just totally be insecure. Yeah, so I didn't even have to... sorry, I thought I had to put the MIME type there. I thought that Flask would be smart enough to escape it. But no, Flask is actually pretty insecure in that regard. If you give it an SVG, it loads the SVG.

Just as is. It makes me just think that we could probably do some GitHub dorking to try to find SVGs that are loaded insecurely, like situations where we load an image using send_file. But usually web frameworks have some kind of security in place for this, because I mean, it's just that easy, so usually they'll be sent as a PNG, and then this won't be a risk. So the MIME type ones are gonna be easier to fix. So we're in our senior dev moment where we're gonna fix it up. I'm just going to put the PNG MIME type. Yeah, we load it as a PNG, and application/png sounds right to me. Let's see what happens. I don't know what I'm doing right now. Okay. I made it download it. That's interesting, I guess that works, and then it still says you've been hacked. Beautiful. Beautiful. So I believe what we're supposed to do: python SVG to PNG. I'm pretty sure this is what we're supposed to do. Sorry, I'm so unprepared, but this is fun, because you kind of get to see how the process really works. Right, okay. It looks like we have this library here that we're gonna have to pip install. Yeah. Very well, let's install that. So I'm gonna start with the dependency, cairosvg. And we'll import it here while it's loading. Let's just go ahead and, there we go, we have cairosvg, and now we're probably gonna have to load up this file. Yes, we will. Okay, cool. So we just read the file. So we'll start with open, let's get the file name in there. And this was fun. This was very Wild West. I thought I had this; I've always done this from an offensive perspective. So usually I'm hacking, like doing bug bounties or pen tests or something like that, with an SVG file. So I'm not used to doing it from this perspective, it's a little different. The blue team side of things. Right?

I thought they had it so easy, you know, this is just super secure by default, but turns out their lives are hard too, who would have thought. So let's say that the content, or something else, call it svg_code. svg_code = svg_file.read(), and now we can actually escape it. So we'll convert it into a PNG. Just copy exactly what they're doing. You know, it's svg_code because that's the way they put it, and it'll write to an SVG output, I'll say svg_output, and now that will be the file we'll serve, which will be a PNG and therefore hopefully secure. And I'm gonna get rid of this MIME type thing entirely. So I still have a job. Very well, we'll go over here and load it up, and look at that. We're not being hacked anymore. Hooray! Senior developer was able to do it using the power of Stack Overflow. Yeah, that was more of like a junior to mid level, just something I've never had to do on the defensive side. So that was a little educational for me too. Ladies and gentlemen, how fun. Thanks a lot. I think you kind of get the idea now that you have SVGs. SVGs can run code. That's bad, and we basically want to prevent that. Okay. You can prevent it by setting the headers to load a certain way, but that's still kind of dangerous, because if they open it later, it's still going to have the malicious stuff in it. I mean, there's times where that's kind of almost okay, right. Like if you're just loading the image in a profile, at least having the headers set to PNG will make it not hack the person. But yeah, you can see that the real thing you want to do is convert it to something else, so that you can just get rid of that code, because even if you think you're escaping it, the fact that it's still in there, someone's gonna download it or hot link it or do something you're not expecting, hot load it, and it's all bad, because you'll just be hacking people, allowing people to hack others, in any case.

And most likely your site as well, even though you don't think so. So this is what you can do when you have to handle PNGs, a more common thing. Like, you guys are on CodeCast, right? So if you're on CodeCast and you try to upload an SVG, I think it just doesn't allow you. It's like, you know, SVGs... allow PNG and other things. You can just disallow it. That's like the normal approach. I would recommend you just disallow it. If not, you can convert it to a PNG if you don't mind the performance hit. It's not the most efficient thing in the world, but there you go. How fun was that? One of my favorite XSS attack vectors. So it's great talking to you all as always. And we shall meet again with the next vulnerability. Thanks a lot. Bye bye.
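As an added example (not the video's own code), the server-side checks the talk argues for, in standard-library Python: sniffing whether an upload really is an SVG regardless of its name or claimed Content-Type, listing what inside it would execute if a browser rendered it as a document, showing the extension-based Content-Type that send_file falls back to, and applying the "disallow SVG" policy. The sample SVG and PNG bytes and the file names are constructed for the demonstration.

```python
import mimetypes
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample uploads (not from the video): a benign SVG, one with the
# <script> the video demonstrates, one with an event handler, a PNG header.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert("you have been hacked")</script></svg>')
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

def is_svg(data):
    """Sniff the bytes: an SVG is an XML document whose root element is <svg>.
    Neither the file extension nor the client's Content-Type is trusted."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag in ("svg", "{%s}svg" % SVG_NS)

def active_content(data):
    """Reasons an SVG would run code when rendered as a document: <script>
    elements, on* event handlers and javascript: links (handy for the log)."""
    findings = []
    for el in ET.fromstring(data).iter():
        if el.tag.rsplit("}", 1)[-1] == "script":
            findings.append("script element")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1]  # drop xlink-style namespace
            if attr.lower().startswith("on"):
                findings.append("event handler " + attr)
            elif attr == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append("javascript: href")
    return findings

def guessed_content_type(filename):
    """What send_file falls back to when no mimetype is passed: a guess from
    the extension, so a .svg upload goes out as image/svg+xml."""
    return mimetypes.guess_type(filename)[0] or "application/octet-stream"

def upload_decision(filename, data):
    """The video's policy: reject SVG outright (or rasterize it to PNG before
    storing); other image uploads pass."""
    if is_svg(data) or guessed_content_type(filename) == "image/svg+xml":
        return "reject"
    return "accept"
```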

SVG is a popular image format. But many users don't know that it can run arbitrary JS code in the browser

@amy 2 years ago

“Something” Vector Graphics 😆