Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mitra.social/objects/0188584c-bea8-4575-cc5e-a12bf2250ecb">silverpill (silverpill@mitra.social)'s status on Friday, 26-May-2023 22:51:06 JST</a><a href="https://mitra.social/users/silverpill" title="silverpill@mitra.social"><img src="https://gnusocial.jp/avatar/85321-48-20230105202807.webp" width="48" height="48" alt="silverpill" style="position: absolute; left: 0; top: 0;">silverpill</a><div><a href="https://gnusocial.jp/notice/3136264" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://varishangout.net/users/DarkMahesvara">@DarkMahesvara</a> This article demonstrates XSS attack with a SVG file: <a href="https://rietta.com/blog/svg-xss-injection-attacks/">https://rietta.com/blog/svg-xss-injection-attacks/</a>. If user opens attached SVG file with a malicious script, the script gets executed and it will have access to local storage under the same domain.</p><p>That being said, I don't know how one can perform this attack with plain JS file. Probably there was some additional step.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1590622#notice-3136351">In conversation</a><time datetime="2023-05-26T22:51:06+09:00" title="Friday, 26-May-2023 22:51:06 JST">Friday, 26-May-2023 22:51:06 JST</time> <span>from <span><a href="https://mitra.social/objects/0188584c-bea8-4575-cc5e-a12bf2250ecb" rel="external" title="Sent from mitra.social via ActivityPub">mitra.social</a></span></span><a href="https://mitra.social/objects/0188584c-bea8-4575-cc5e-a12bf2250ecb">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://rietta.com/blog/svg-xss-injection-attacks/">Cross-site Scripting Injection Attacks Using SVG Images</a></h5><div></div></header><div>Cross-Site Scripting attacks can come from a variety of vectors, this article is an explaination of an unusual vector where javascript is embedded within a scalable vector graphics image.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
silverpill (silverpill@mitra.social)'s status on Friday, 26-May-2023 22:51:06 JSTsilverpill
in reply to
- DarkMahesvara
@DarkMahesvara This article demonstrates XSS attack with a SVG file: https://rietta.com/blog/svg-xss-injection-attacks/. If user opens attached SVG file with a malicious script, the script gets executed and it will have access to local storage under the same domain.
That being said, I don't know how one can perform this attack with plain JS file. Probably there was some additional step.
In conversationFriday, 26-May-2023 22:51:06 JST from mitra.socialpermalink
Attachments
1. No result found on File_thumbnail lookup.
  Cross-site Scripting Injection Attacks Using SVG Images
  Cross-Site Scripting attacks can come from a variety of vectors, this article is an explaination of an unusual vector where javascript is embedded within a scalable vector graphics image.

Public

Embed Notice

HTML Code

Corresponding Notice