Minitip - Stored XSS through SVG

Categories: minitips   vulnerabilities

The button below will write the following SVG image to the page (remember: SVG files are just code):

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="48" fill="none" stroke="#000"/>
  <path d="M50,2a48,48 0 1 1 0,96a24 24 0 1 1 0-48a24 24 0 1 0 0-48"/>
  <circle cx="50" cy="26" r="6"/>
  <circle cx="50" cy="74" r="6" fill="#FFF"/>
  <script>alert("XSS through SVG");</script>  <!-- the XSS payload -->
</svg>


When this markup is written into the page, the browser parses the SVG as part of the document and the marked payload runs. Any SVG file can contain JavaScript, but for it to execute the file has to be loaded as a document: either written into the page like this or opened directly in the browser. Referencing it from an img tag, for example, will not run the script.
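As an added example (not part of the original post), a small Python check that finds the script-bearing parts of an uploaded SVG and a sanitiser that strips them, run over a constructed sample built from the image above; it goes a little beyond the post by also catching on* event handlers and javascript: links, which SVG can carry as well. Everything is standard library; the docstring's mention of defusedxml refers to the real third-party package.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default xmlns when re-serialising
ACTIVE_ELEMENTS = {"script", "foreignobject"}  # foreignObject can embed HTML

# Constructed sample: the post's image plus an on* handler and a javascript: link
UNSAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="48" fill="none" stroke="#000"/>
  <path d="M50,2a48,48 0 1 1 0,96a24 24 0 1 1 0-48a24 24 0 1 0 0-48"/>
  <circle cx="50" cy="26" r="6"/>
  <circle cx="50" cy="74" r="6" fill="#FFF" onload="alert(1)"/>
  <a href="javascript:alert(2)"><circle cx="10" cy="10" r="2"/></a>
  <script>alert("XSS through SVG");</script>
</svg>"""

def local_name(qname):
    """Drop ElementTree's '{namespace}' prefix and lower-case the name."""
    return qname.rsplit("}", 1)[-1].lower()

def is_script_url(value):
    return value.strip().lower().startswith("javascript:")

def find_active_content(svg_text):
    """Return (element, reason) findings; parse untrusted input with defusedxml in production."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        name = local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append((name, "active element"))
        for attr, value in el.attrib.items():
            a = local_name(attr)
            if a.startswith("on"):
                findings.append((name, "event handler " + a))
            elif a == "href" and is_script_url(value):
                findings.append((name, "javascript: URL"))
    return findings

def strip_active_content(svg_text):
    """Return the SVG with script-bearing elements and attributes removed."""
    root = ET.fromstring(svg_text)
    for el in list(root.iter()):  # materialise first so removals don't skip siblings
        for child in list(el):
            if local_name(child.tag) in ACTIVE_ELEMENTS:
                el.remove(child)
        for attr in list(el.attrib):
            a = local_name(attr)
            if a.startswith("on") or (a == "href" and is_script_url(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")
```

Stripping only matters for files you must render inline; the more robust control for uploads is to serve them from a separate origin or with Content-Disposition: attachment so the browser never parses them as a document.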

An SVG file with the code above is hosted here if you want to see for yourself that it executes the payload: XSS through SVG