XSS via HTML5 Events All over again

Back in 2018 I wrote a post about finding and exploiting XSS using the new(ish) event handlers in HTML 5. Those techniques paid out recently and I thought I’d write up the situation.

Using the lists provided in the earlier post I discovered the application allowed an “SVG” tag, and within that tag it allowed the “onmouseenter” event handler, which is a useful one. This was not a classic XSS pop where the payload executes without any user interaction, but it would pop with a fairly likely movement of the mouse over the image.

The target disallowed certain characters and appeared to take a blacklist approach to keywords such as “alert”. The solution to my problem that day was to base64 encode the payload, decode it with “atob”, and pass the result to “eval” to execute it, as listed below. Because the blacklisted keyword never appears in the submitted markup, only in the decoded string at runtime, a keyword-matching filter has nothing to match on.

Raw Payload

alert(document.domain);

Base64 Encoded

YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=

Final Payload

<svg viewBox='0 0 100 100' onmouseenter=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))></svg> 
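As an added example (not code from the original post), here is why a keyword blacklist misses this payload, and two defender-side checks: decoding atob() literals before re-applying the keyword list, and the more robust approach of rejecting any inline on* event handler attribute regardless of what it contains. The blacklist words and the sample markup are constructed for illustration; the payload string is the one from the post.

```javascript
// Keyword blacklist of the kind the target appeared to use (constructed list).
const BLACKLIST = ["alert", "document.domain", "onerror"];

// Naive check: does the raw submitted markup contain a blacklisted keyword?
function naiveBlacklistHit(input) {
  const lower = input.toLowerCase();
  return BLACKLIST.some((word) => lower.includes(word));
}

// Find every atob('...') / atob("...") literal and return the decoded strings,
// i.e. the text that eval() would actually receive at runtime.
function decodeAtobLiterals(input) {
  const re = /atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g;
  const decoded = [];
  for (const m of input.matchAll(re)) {
    decoded.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  return decoded;
}

// Re-apply the keyword list to the raw input AND to the decoded literals.
// This closes the specific base64/atob gap but is still a blacklist.
function decodedBlacklistHit(input) {
  const views = [input, ...decodeAtobLiterals(input)];
  return views.some(naiveBlacklistHit);
}

// Structural check: any inline event handler attribute (on<name>=) is rejected
// outright, so the encoding of its value is irrelevant. A real sanitizer with an
// attribute allowlist does this properly; the regex here is only illustrative.
function hasInlineEventHandler(input) {
  return /[\s"'/]on[a-z]+\s*=/i.test(input);
}

// The payload from the post: slips past the naive check, caught by both others.
const PAYLOAD =
  "<svg viewBox='0 0 100 100' onmouseenter=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))></svg>";

console.log("naive blacklist:", naiveBlacklistHit(PAYLOAD));       // false
console.log("decoded blacklist:", decodedBlacklistHit(PAYLOAD));   // true
console.log("inline handler present:", hasInlineEventHandler(PAYLOAD)); // true
```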

Nothing earth-shattering here, but until you put things out there you never know whose time it will save when they are googling for “XSS SVG tag” or something like that. Welcome, weary traveller. I know there are lots of SVG-related XSS shenanigans to be had, but if you wanted a file to upload you would be elsewhere!

Hope that helps.
