12-03-2019 / From 0 to pentesting hero

XSS using SVG file

The functionality of file upload is a key place where we should pay special attention to.

If the attacker successfully sends and executes a malicious file, the whole server may be taken over.

In today's episode of "from 0 to pentesting hero" I'm going to show you what kind of files we should be given a special attention.

The form for uploading a file can be implemented in any programming language.

I will use here the code from the official Flask1 documentation.

from flask import Flask,request, redirect, url_for, send_from_directory
from werkzeug.utils import secure_filename
import os
UPLOAD_FOLDER = './files'
ALLOWED_EXTENSIONS = set(['pdf', 'png', 'jpg', 'svg', 'swf', 'jpeg', 'gif'])
app = Flask(__name__)
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
def allowed_file(filename):
    return '.' in filename and \
           filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
@app.route('/', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        file = request.files['file']
        if file and allowed_file(file.filename):
            filename = secure_filename(file.filename)
            file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
            return redirect(url_for('uploaded_file', filename=filename))
    return '''
    <form method=post enctype=multipart/form-data>
      <input type=file name=file>
      <input type=submit value=Upload>
    </form>
    '''
@app.route('/uploads/<filename>')
def uploaded_file(filename):
    return send_from_directory(app.config['UPLOAD_FOLDER'], filename)

Let me describe briefly what the given code does.

At the beginning, we define the folder to which the transferred files are to be copied, as well as the list of extensions we allow.

The allowed_file function is responsible for checking if the sent file is on the list of allowed extensions.

Then we have the function upload_file, responsible for saving the correct file in the appropriate directory.

At the end, the uploaded_file function displays the file specified in the parameter.

In the documentation we can read, that to protect ourselves against XSS attacks or the execution of JavaScript code on our site, we should not allow html and php files.

But what other extensions can cause trouble?

It's been a while since Flash is past its prime. However, there are still browsers that allow you to display the swf files.

Most users probably associate flash with simple minigames popular a few years ago2.

However, it has access to a large part of the browser's functionality - including the execution of javascript code.

So if we allow user to upload and display swf files in the browser, we must take into account the consequences.

Let's look at an example. I will use the xss.swf3 file that has been prepared to execute such attacks.

I will send this file using Internet Explorer.

As you can see, after sending the file - a window appeared.

By modifying the parameter in the link - we can display our own code.

For example, using the eval parameter.

xss.swf?a=eval&c=alert(document.domain)

You can ask yourself now: how popular is the vulnerability?

I will show you some examples.

Some time ago, in the standard configuration for uploading swf files, it was possible to use DokuWiki4, a simple alternative for wikipedia.

A similar situation with WordPress5 - one of the largest blog systems in the world.

In the past, swf files were also used to make it possible to copy a text from the site6.

In the past, browsers did not have this feature built-in natively.

So on many websites, in the depths of forgotten files on the server you can find some swf files.

Here is an example of a list of components that have been in the past or are still vulnerable to this type of attack7.

The second less common extension is svg - that is, the format of vector graphics not covered by licenses and patents, which was created to be used on websites.

In addition to graphics, this format may also contain javascript code.

An article about this subject has been published, among others, by a Sekurak8. On the site you can find a prepared file that you can use.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('This app is probably vulnerable to XSS attacks!');
</script>
</svg>