Hey! I hope you enjoy this post. As usual, you can contact me at any of the following:


How I managed to get stored XSS on Skype due to people not understanding the risks and danger of free-form XML

  • Target: Skype
  • Vulnerability: Stored XSS
  • Severity: 7
  • Status: Patched
  • Bounty (if applicable): Hall of Fame & a year of Visual Studio Enterprise ($2,999/yr)

Hey! Welcome to my latest blog post, titled "How I managed to get stored XSS on Skype due to people not understanding the risks and danger of free-form XML". In this post I will tell you how both organisations and individuals underestimate or disregard the risks and dangers involved with free-form XML, with a demonstration of this on community.skype.com.

In this specific post, I will be talking about how I abused cross-site scripting vulnerabilities via SVG files. SVG (Scalable Vector Graphics) is an XML-based vector image format for 2D graphics: an SVG image is an XML document. Most, if not all, major browsers in use today support SVG rendering. XML's ancestor, SGML, required every element and attribute to be declared in a document type definition; XML dropped that requirement, so a document only has to be well-formed (properly nested, closed and quoted) to be parsed, and it needs no DTD or schema at all. In that sense XML is free-form: you can use any element name you like, because the names are not a fixed vocabulary like HTML's. The catch is that SVG's own vocabulary includes a <script> element, event-handler attributes such as onload, and href attributes that accept javascript: URLs, so an SVG document can carry everything an HTML page can.

With this being said, people serve these files as plain images or animations, and quite frankly this is disastrous. Image files are complex and have to be parsed and rendered before a browser can display them, so it is no surprise that they can have security implications. The distinction that matters is how the SVG reaches the browser: an SVG referenced from an <img> tag or a CSS background is rendered without running any script, but the same file served as image/svg+xml and opened directly (or embedded through <object> or <iframe>) is a full document, and any script inside it runs in the origin that served it, with access to that origin's cookies and DOM.

Historically, because SVG is an XML-based language, browsers processed SVG documents quite differently from classic HTML pages. A slight violation of the XML syntax, such as a missing closing tag or an unquoted attribute value, typically causes an XML processor to stop with an error. With the integration of SVG into modern browsers, that strict parsing got blended with the far more tolerant way they process HTML, CSS and JavaScript: an SVG served as its own file is still parsed as strict XML, but SVG markup inlined into an HTML5 page goes through the forgiving HTML parser, and in both cases the scripts, styles and event handlers inside it are run by the same engines as the rest of the page.

When uploading an SVG file, you can easily bypass validation filters and upload an SVG containing JavaScript, because most of those filters are blacklist-based: they look for a known-bad substring such as <script>, or only check the file extension and the declared MIME type, both of which the uploader controls. Getting the file stored is only half of it, though. The script only runs if the server later serves the file with a Content-Type the browser will render as an SVG document (image/svg+xml). If it comes back with a generic MIME type, or as a forced download, the payload is useless.
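As an added example that is not code from this post and not Skype's or Microsoft's upload handling, the following Python sketches both halves of the point above: the substring blacklist that lets an SVG through, and the allow-list sanitiser plus response headers that a practitioner would put behind an upload endpoint so the stored file is never rendered as a scriptable document on the application's origin. The function names, the header set and all sample files are assumptions of this example; the bypass samples are constructed, not anything taken from community.skype.com.

```python
"""Added example, not code from the original post and not Skype's or
Microsoft's upload handling. Names (naive_blacklist_ok, safe_href,
sanitize_svg, accept_upload, upload_response_headers) and all sample
files are hypothetical and constructed for this demonstration."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep serialised output readable: default namespace for SVG, xlink prefix for links.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# SVG elements that execute or embed foreign content. set/animate can rewrite
# attributes (including event handlers and hrefs) after sanitising, so they go too.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "set", "animate"}

# --- constructed sample uploads ---------------------------------------------
# The post's payload shape: a script element, caught by even the naive filter.
SCRIPT_PAYLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
  <script>prompt('DALEY_BEE_FEB_2017')</script>
</svg>"""
# No "<script" anywhere, but onload fires when the SVG is opened as a document.
ONLOAD_PAYLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="prompt(1)">
  <circle r="10"/>
</svg>"""
# javascript: URL with an embedded newline; URL parsers strip it before use.
HREF_PAYLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="java&#10;script:prompt(1)"><text y="20">click</text></a>
</svg>"""
MALFORMED = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"></svg>'
DOCTYPE_PAYLOAD = (b'<!DOCTYPE svg [<!ENTITY x "y">]>'
                   b'<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>')


def naive_blacklist_ok(data: bytes) -> bool:
    """The blacklist approach the post describes: accept unless a known-bad
    substring appears. Everything not on the list walks straight through."""
    return b"<script" not in data.lower()


def _local(qname: str) -> str:
    """'{uri}name' -> 'name' (ElementTree's Clark notation)."""
    return qname.rsplit("}", 1)[-1]


def safe_href(value: str) -> bool:
    """Allow same-document references, scheme-less relative paths and http(s).
    ASCII controls and spaces are stripped first, because browsers' URL
    parsers drop them too, so 'java\\nscript:' must count as 'javascript:'."""
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    if v.startswith("#") or ":" not in v:
        return True
    return v.partition(":")[0] in {"http", "https"}   # data: is deliberately out


def _scrub(elem: ET.Element) -> None:
    """Recursively drop forbidden elements, on* handlers and unsafe hrefs."""
    for child in list(elem):
        if _local(child.tag) in FORBIDDEN_ELEMENTS:
            elem.remove(child)
        else:
            _scrub(child)
    for name in list(elem.attrib):
        local = _local(name).lower()
        if local.startswith("on") or (local == "href" and not safe_href(elem.attrib[name])):
            del elem.attrib[name]


def sanitize_svg(data: bytes) -> bytes:
    """Parse as strict XML and re-serialise only what survives the allow rules.
    Raises ET.ParseError / ValueError so the caller fails closed."""
    if re.search(rb"<!(DOCTYPE|ENTITY)", data):   # no DTDs: entity expansion, XXE
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    # Production code should parse with defusedxml; stdlib expat is used here
    # only so the example runs without third-party packages.
    root = ET.fromstring(data)                    # ParseError on sloppy markup
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not an SVG <svg>")
    _scrub(root)
    return ET.tostring(root, encoding="utf-8")    # comments and PIs are already gone


def accept_upload(data: bytes):
    """Sanitised bytes to store, or None when the upload must be rejected."""
    try:
        return sanitize_svg(data)
    except (ET.ParseError, ValueError):
        return None


def upload_response_headers() -> dict:
    """How to serve a stored SVG. Even sanitised, user content should not be
    rendered as a document on the application's own origin."""
    return {
        "Content-Type": "image/svg+xml",        # the MIME type the browser needs...
        "X-Content-Type-Options": "nosniff",    # ...and no guessing around it
        # Direct navigation becomes a download; <img src> still renders, scriptless.
        "Content-Disposition": "attachment",
        # Honoured if the file is ever opened as a document: no script, no remote loads.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    }


if __name__ == "__main__":
    for label, sample in [("script", SCRIPT_PAYLOAD), ("onload", ONLOAD_PAYLOAD),
                          ("href", HREF_PAYLOAD), ("malformed", MALFORMED),
                          ("doctype", DOCTYPE_PAYLOAD)]:
        print(f"{label:9} blacklist_ok={naive_blacklist_ok(sample)!s:5} "
              f"stored={accept_upload(sample)}")
```

Two of the three constructed payloads pass the blacklist and only the sanitiser stops them, which is the whole argument against substring filters. Dropping set/animate and data: hrefs is a deliberately conservative choice for user avatars; a sanitiser for richer content would also need rules for <style> and CSS url() loads. The simplest fix of all is still the one in the headers: serve uploads from a separate origin or as an attachment, so that even a missed payload never runs with the application's cookies.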

I don't really know why I typed all that out - it's old news to most people and it's fairly common nowadays - however, that doesn't stop huge organisations and such overlooking it.

This said, here is a demonstration performed on community.skype.com, showing a stored XSS I achieved by uploading an SVG file containing the following:

<svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink">
    <script>
        prompt('DALEY_BEE_FEB_2017')
    </script>
</svg>

Community.Skype.com:

tl;dr: I managed to get stored XSS on community.skype.com due to people not understanding what exactly you can put inside them, and how they're handled in browsers. The main risk was the ability to take over community moderator accounts via cookie stealing.

I'm aware I rambled on about a lot of crap that is unrelated - but oh well.

Disclosure timeline

  • 2/26/2017 - Reported to Microsoft Security Response Center
  • 2/27/2017 - Vulnerability verified & case number assigned
  • 4/21/2017 - Vulnerability patched & case closed
  • 4/21/2017 - Contacted by Microsoft regarding Visual Studio Enterprise Subscription & MSDN
  • 5/21/2017 - MSDN & Visual Studio subscription code arrives