Back in 2018 I wrote a post about finding and exploiting XSS using the new(ish) event handlers in HTML5. Those techniques paid off recently, and I thought I’d write up the situation.
Using the lists provided in the earlier post, I discovered the application allowed an “svg” tag. Within that tag it allowed the “onmouseenter” event handler, which is a useful one. This was not a classic XSS pop where the payload executes without user interaction, but it would pop with a relatively likely movement of the mouse over the image.
The target disallowed certain characters and appeared to take a blacklist approach to strings such as “alert”. The solution to my problem that day was to base64 encode the payload, use “atob” to decode it, and then “eval” to execute it, as listed below.
<svg viewBox='0 0 100 100' onmouseenter=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))></svg>
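To show why the blacklist in this story lost, here is an added example (mine, not part of the original post). It runs a naive substring blacklist over the raw markup, then over the atob() payload after decoding it, and finally applies the fix a defender actually wants: strip every on* attribute instead of hunting for keywords. The sample markup is constructed for the example and simply embeds the payload above in some ordinary HTML; the regex handling is for illustration only, and a real sanitiser should be built on a proper HTML parser or an established sanitising library.

```javascript
// Added example (not from the original post): why a keyword blacklist misses the
// base64-wrapped SVG payload, and the allowlist-style fix of dropping every on*
// attribute. Regex-based for illustration; use a real HTML sanitiser in production.

// Constructed sample: the payload from the post, embedded in otherwise ordinary markup.
const SAMPLE_HTML =
  "<p>hello</p>" +
  "<svg viewBox='0 0 100 100' onmouseenter=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))></svg>" +
  '<img src="x.png" alt="fine">';

// Matches on<event>=<value>, where the value may be double-quoted, single-quoted or bare.
const HANDLER_RE = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// Matches atob('<base64>') / atob("<base64>") literals inside a handler value.
const ATOB_RE = /atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g;

// Decode every base64 literal handed to atob() in a handler value.
function decodeAtobLiterals(value) {
  const out = [];
  for (const m of value.matchAll(ATOB_RE)) {
    out.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  return out;
}

// List every inline event handler with its raw value and any decoded atob() payloads.
function findEventHandlers(html) {
  const found = [];
  for (const m of html.matchAll(HANDLER_RE)) {
    const value = m[2] ?? m[3] ?? m[4];
    found.push({ event: m[1].toLowerCase(), value, decoded: decodeAtobLiterals(value) });
  }
  return found;
}

// Naive blacklist of the kind the post describes: substring search on the raw markup.
function blacklistHits(text, words) {
  const lower = text.toLowerCase();
  return words.filter((w) => lower.includes(w.toLowerCase()));
}

// The same blacklist applied after decoding atob() payloads. This is what the
// blacklist would have needed to do to catch this one, and it is still a losing game
// (the next payload will use a different encoding or split the string).
function blacklistHitsAfterDecode(html, words) {
  const decoded = findEventHandlers(html).flatMap((h) => h.decoded).join("\n");
  return blacklistHits(decoded, words);
}

// Allowlist-style fix: drop every on* attribute regardless of what it contains.
function stripEventHandlers(html) {
  return html.replace(HANDLER_RE, "");
}

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findEventHandlers(SAMPLE_HTML));
  console.log("raw blacklist hits:", blacklistHits(SAMPLE_HTML, ["alert", "document"]));
  console.log("after decode:", blacklistHitsAfterDecode(SAMPLE_HTML, ["alert", "document"]));
  console.log(stripEventHandlers(SAMPLE_HTML));
}
```

On the sample, the raw blacklist finds nothing, the decoded payload reads `alert(document.domain);`, and the stripped output keeps the svg element while the handler is gone. The point is the last function: the defensive win is refusing every inline event handler on user-controlled markup, not growing the list of forbidden words.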
Nothing earth-shattering in this, but until you put stuff out there you never know who it will save time for when they are googling for “XSS SVG tag” or something like that. Welcome, weary traveller. I know there are lots of SVG-related XSS shenanigans to be had, but if you wanted a file to upload you would be elsewhere!
Hope that helps.