https://netsec.expert/categories/minitips/ Recent content in minitips on Sam's Hacking Wonderland Hugo -- gohugo.io en the@netsec.expert (Sam Anttila) the@netsec.expert (Sam Anttila) ©{year} Thu, 09 Jan 2020 12:00:00 +0000 weekly https://netsec.expert/posts/xss-through-svg/ Thu, 09 Jan 2020 12:00:00 +0000 the@netsec.expert (Sam Anttila) Thu, 09 Jan 2020 12:00:00 +0000 https://netsec.expert/posts/xss-through-svg/ The button below will write the following SVG image to the page (remember: SVG files are just code): alert("XSS through SVG"); "');"Load SVG file 1 2 3 4 5 6 7 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"> <circle cx="50" cy="50" r="48" fill="none" stroke="#000"/> <path d="M50,2a48,48 0 1 1 0,96a24 24 0 1 1 0-48a24 24 0 1 0 0-48"/> <circle cx="50" cy="26" r="6"/> <circle cx="50" cy="74" r="6" fill="#FFF"/> ***<script>alert("XSS through SVG");</script>*** </svg> Which when loaded will trigger the XSS payload marked above. Sam Anttila minitips vulnerabilities