XXE Injection through SVG upload leads to SSRF

Updated: Apr 22



Hello everyone, in this blog I will describe how I was able to find XXE that leads to SSRF via a file upload. I found this vulnerability in the profile picture upload as well as in the CV upload functionality of an application,

So I was testing in the application and I saw file upload functionality I uploaded a random picture and intercepted it in Burp, I looked at the POST request to upload my image,


I replaced it with an SVG and Content-Type to image/svg+xml, to see if the server would accept it, I got the same 201 created response from the server and the path where the SVG image was saved, Which means It was possible to upload SVG images as a profile picture, the server would parse the SVG and upload it to my profile. Through this, I explored more and found that this functionality was also vulnerable to an XXE attack, where I could define my own entities, and the server would parse them

After knowing it I used this malicious SVG Image:

( or directly upload the SVG file by saving it in notepad with .svg extension )



<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"> 
<image height="300" width="300" 
xlink:href="https://ANY_SERVER/image.png"/>
</svg>

Whatever image URL is inside href, will be uploaded as the SVG image whether it is any internal image URL or external URL. Through this, I gained blind SSRF to any URL on the internet with image extension endpoints. For example, If I put the Burp collaborator link in it I will get a pingback, So by clicking on the profile picture we will get the image whose link we have given in the href or will get a pingback

Tried for XSS too, following the same steps, I used this payload


<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('XSS \n'+document.domain');
   </script>
</svg>


And now by clicking on the profile picture I got stored XSS :)

I hope you find it informative. peace!


1,295 views2 comments

Recent Posts

See All