This SIMPLE trick will exploit image uploads - $2500 TikTok bug bounty.
2022-8-25 19:22:10 Author: infosecwriteups.com

Stored XSS in SVG files.

DALL·E “Cyberpunk digital art of a hacker on a computer.”

Summary

Cross-site scripting (XSS) is a security headache for every web application developer. In this class of vulnerability an attacker injects JavaScript, or "scripts," into an otherwise benign web app. If the injection succeeds, the script runs in the victim's browser with the privileges of the vulnerable site's origin: when a victim visits the affected page, the script can read cookies (those not marked HttpOnly), session tokens and other account data and send them to the attacker. Recently, an XSS vulnerability was found in TikTok by HackerOne user sinayeganeh; it was rated Medium severity and received a bug bounty of $2500!

The traditional example of XSS is testing an input field and adding the following payload:

<script>alert("TEST");</script>

If an alert box pops up saying "TEST," then XSS is possible. The alert is only a proof; the script could be replaced with one that sends the visitor's document.cookie to the attacker. Many modern web frameworks defend against the easy-to-find XSS variants, but hackers keep coming up with interesting ways to bypass those filters. Ismail Tasdelen has compiled a pretty awesome list of payloads to test for XSS on GitHub, and @XssPayloads consistently tweets out newly discovered payloads.

SVG Payload

Scalable Vector Graphics (SVG) is "an XML-based markup language for describing two-dimensional based vector graphics" (source: Mozilla). In other words, it is a different way to represent an image than the usual JPG or PNG bitmap. Developers tend to treat an uploaded image file as inert data, but an SVG file is an XML document that may contain <script> elements and event-handler attributes (onload, onclick, ...), so it can carry JavaScript just like an HTML page. One caveat decides whether such a finding is exploitable: the browser executes that script only when it renders the SVG as a document, for example when the file is opened directly by its URL or embedded with <object>, <iframe> or <embed>; a file referenced from an <img> tag or from CSS is drawn without scripting. The interesting bug is therefore an upload endpoint that stores the raw SVG and serves it back inline (Content-Type: image/svg+xml) from the application's own origin, where the script then runs with that origin's cookies and storage.

Essentially, this form of stored XSS has the same effect as a classic script injection, but the payload arrives as a file upload rather than as a form field, and the goal is that the standard defence mechanisms (output encoding of form input, HTML filters, an extension allowlist that accepts .svg as an image) will not recognise the file as a payload.

Hacker group Ghostlulz has put together a good article explaining the details of how to build a solid payload for SVG files. I'll include the payload they highlighted as an example; it pops an alert box with the text "Ghostlulz XSS" when the web app accepts SVG uploads, serves them back unfiltered and is therefore vulnerable to XSS.

<?xml version="1.0" standalone="no"?> 
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255); stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("Ghostlulz XSS");
</script>
</svg>
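As an added example (not code from this write-up, from Ghostlulz or from TikTok), here is the server-side screening check a developer would put in front of an SVG upload endpoint like the one in the TikTok Ads report. It refuses the payload above and the other common variants of the same trick (event-handler attributes, javascript: hrefs, SMIL elements, foreignObject, entity declarations, external references). The function names, the element and attribute lists and the sample uploads are this example's own assumptions, and the samples are constructed rather than captured traffic.

```python
"""Server-side screening of an uploaded SVG before it is stored or served back.

Added example for this write-up; not code from the article, Ghostlulz or TikTok.
The function names, the element/attribute lists and the sample files are this
example's own choices.
"""
import re
import xml.etree.ElementTree as ET

# Elements that execute script, that SMIL can use to rewrite an href into a
# javascript: URL at runtime, or that embed arbitrary HTML (foreignObject).
FORBIDDEN_ELEMENTS = {"script", "handler", "foreignObject", "set", "animate"}
# Elements that load another document; only same-file fragment refs are allowed.
REFERENCING_ELEMENTS = {"use", "image", "feImage"}
# Allowlist for href values: a fragment or an absolute http(s) URL. Everything
# else (javascript:, data:, whitespace-obfuscated schemes, relative paths) is
# rejected outright instead of being matched against a denylist.
SAFE_HREF = re.compile(r"^\s*(#|https?://)", re.I)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons an uploaded SVG must be refused; an empty list means it passed."""
    # Entity declarations enable expansion (billion laughs) and XXE tricks;
    # refuse them before the bytes reach any XML parser at all.
    if b"<!ENTITY" in data.upper():
        return ["DTD entity declaration"]
    try:
        root = ET.fromstring(data)  # expat does not fetch external DTDs by default
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]

    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"<{tag}> element")
        if tag == "style" and "url(" in (el.text or "").lower():
            findings.append("<style> element loading external resource")
        for name, value in el.attrib.items():
            attr = _local(name)
            if attr.lower().startswith("on"):
                # onload, onclick, onbegin, ... all run when the SVG is rendered as a document
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr == "href":  # covers both href and xlink:href
                if not SAFE_HREF.match(value):
                    findings.append(f"href with non-allowlisted scheme on <{tag}>")
                elif tag in REFERENCING_ELEMENTS and not value.lstrip().startswith("#"):
                    findings.append(f"<{tag}> referencing an external resource")
            elif attr == "style" and "url(" in value.lower():
                findings.append(f"style attribute loading external resource on <{tag}>")
    return findings


def screen_upload(data: bytes) -> bool:
    """True if the file may be accepted as an image upload."""
    return not svg_findings(data)


# Constructed sample uploads (not real TikTok traffic); "script element" is the
# shape of the Ghostlulz-style payload shown in the write-up.
SAMPLES = {
    "plain rect": b'<svg xmlns="http://www.w3.org/2000/svg">'
                  b'<rect width="300" height="100" style="fill:rgb(0,0,255)"/></svg>',
    "script element": (
        b'<?xml version="1.0" standalone="no"?>\n'
        b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
        b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">\n'
        b'<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">\n'
        b'<rect width="300" height="100" style="fill:rgb(0,0,255)"/>\n'
        b'<script type="text/javascript">alert("XSS");</script>\n</svg>'
    ),
    "event handler": b'<svg xmlns="http://www.w3.org/2000/svg">'
                     b'<rect width="10" height="10" onload="alert(1)"/></svg>',
    "javascript href": b'<svg xmlns="http://www.w3.org/2000/svg" '
                       b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                       b'<a xlink:href="javascript:alert(1)"><text>click</text></a></svg>',
    "entity bomb": b'<!DOCTYPE svg [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]>'
                   b'<svg xmlns="http://www.w3.org/2000/svg"><text>&b;</text></svg>',
    "external use": b'<svg xmlns="http://www.w3.org/2000/svg">'
                    b'<use href="https://attacker.example/x.svg#g"/></svg>',
}

if __name__ == "__main__":
    for label, svg in SAMPLES.items():
        verdict = "accept" if screen_upload(svg) else "reject"
        print(f"{label:16} -> {verdict}: {svg_findings(svg)}")
```

Screening like this is still a denylist at heart, so it should not be the only control: serve user-supplied SVGs from a separate, cookie-less origin, or with Content-Disposition: attachment and a Content-Security-Policy: sandbox header, so that even a payload the check misses cannot run with the application's cookies. Rasterising uploads to PNG on the server removes the problem entirely. For production parsing, the defusedxml package is the safer drop-in for the standard library parser used here.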

TikTok Exploit

HackerOne user sinayeganeh recently found an XSS vulnerability in TikTok.

Report Summary on HackerOne

As stated in the summary, a TikTok Ads endpoint accepted an SVG upload containing an XSS payload. TikTok generally does not disclose more about a resolved vulnerability than the summary, but this report was given a CVSS score of 6.5, which is Medium severity.

Great find by sinayeganeh, and congrats on your $2500 bug bounty!

Want to connect? Please consider contacting me at [email protected], following me on Medium, buying me a coffee, following me on Twitter, or connecting with me on LinkedIn!

From Infosec Writeups: So much happens in infosec every day that it's hard to keep up. Join our weekly newsletter to get the latest infosec trends in the form of 5 articles, 4 threads, 3 videos, 2 GitHub repos and tools, and 1 job alert, for FREE!


Article source: https://infosecwriteups.com/this-simple-trick-will-exploit-image-uploads-2500-tiktok-bug-bounty-41fc01128ee?source=rss----7b722bfd1b8d--bug_bounty