Nice one.
I thought behaviors like these were already fixed, but
I was wrong :D
Certainly something to add to BeEF.
Pity I will not be at HITB.
Cheers
antisnatchor
On Wed, May 16, 2012 at 6:29 PM, Nicolas Grégoire
wrote:
>
>> Uploading a SVG chameleon (SVG file triggering a XSLT
>> transformatio
> Uploading a SVG chameleon (SVG file triggering a XSLT
> transformation) to a website allows to display nearly arbitrary
> content if the file is called directly.
In order to demonstrate this point _and_ the weird Opera behavior, I put
online a SVG chameleon and a HTML file calling it via :
http
Kind of. You can still do some stuff from in Opera.
http://kotowicz.net/opera/
On Wed, May 16, 2012 at 12:25 PM, Dan Kaminsky wrote:
> Anything from in any browser?
>
>
> On Wed, May 16, 2012 at 2:25 AM, Michele Orru
> wrote:
>>
>> Mario Heiderich did a lot of research on that, he found so man
> Probably the most interesting SVG thing is how they either do or don't
> have script access, depending on whether or not they're loaded as
> 's.
Agreed. Uploading a SVG chameleon (SVG file triggering a XSLT
transformation) to a website allows to display nearly arbitrary content
if the file is ca
Anything from in any browser?
On Wed, May 16, 2012 at 2:25 AM, Michele Orru wrote:
> Mario Heiderich did a lot of research on that, he found so many bugs
> that allowed to embed JavaScript in SVG images.
>
> Nice stuff Nick btw,
>
> Cheers
> antisnatchor
>
> On Wed, May 16, 2012 at 10:13 AM, D
Mario Heiderich did a lot of research on that, he found so many bugs
that allowed to embed JavaScript in SVG images.
Nice stuff Nick btw,
Cheers
antisnatchor
On Wed, May 16, 2012 at 10:13 AM, Dan Kaminsky wrote:
> Yeah, there's a bunch of wild stuff in SVG. The browsers ignore most of it,
> AF
Yeah, there's a bunch of wild stuff in SVG. The browsers ignore most of
it, AFAIK. I think Firefox is the only browser to even consider
ForeignObjects (which let you throw HTML back into SVG).
Probably the most interesting SVG thing is how they either do or don't have
script access, depending on
Hello,
SVG is a XML-based file format for static or animated images. Some SVG
specifications (like SVG 1.1 and SVG Tiny 1.2) allow to trigger some
Java code when the SVG file is opened.
Given that I had to look at these features for a customer, I developed
some PoC codes which are now available