Homoiconicity
Definition
Homoiconicity is the property of a programming language in which code and data are stored in the same format. For example, the following languages are homoiconic:
- ASM: using bytes stored in memory
- Lisp: using lists and their sub-types
- XSLT: using the XML format
Triggering embedded code
In some contexts (like browsers), XSLT code execution can be triggered while an XML document is parsed, via an xsl:stylesheet tag. The executed XSLT code can be stored on the Internet or in the XML document itself (homoiconicity + self-reference trick). A blog post by Chris Evans describes a pseudo SVG file triggering a simple RAM DoS. But we can do better ;-)
Simple dynamic SVG images
We can create XML files which browsers will interpret as perfectly valid, self-contained, dynamic SVG images. The SVG file is then generated on the fly by the (Turing complete) XSLT engine of the browser.
In the following example, the XSLT code will:
- fingerprint the underlying XSLT engine
- draw a circle (red if WebKit, green otherwise)
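The kind of file described above, as an added example that is not the original post's own code: the XML document declares itself as its own XSLT stylesheet (the `xml-stylesheet` processing instruction points at the `id` of the `xsl:stylesheet` root, and the inline DTD declares that attribute as an ID so the fragment reference resolves), reads `system-property('xsl:vendor')` to fingerprint the engine, and emits an SVG circle whose colour depends on the result. The assumption made here is that WebKit-based browsers report the `libxslt` vendor string; the `id` value and the element sizes are arbitrary.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- The PI tells the browser to transform this document with the stylesheet
     found at fragment #self, i.e. the document itself (self-reference trick). -->
<?xml-stylesheet type="text/xsl" href="#self"?>
<!-- Declare the id attribute as an XML ID so that "#self" can be resolved. -->
<!DOCTYPE xsl:stylesheet [
  <!ATTLIST xsl:stylesheet id ID #REQUIRED>
]>
<xsl:stylesheet id="self" version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns="http://www.w3.org/2000/svg">

  <xsl:output method="xml" indent="yes"/>

  <!-- The source tree is this very stylesheet; we ignore it and build the SVG. -->
  <xsl:template match="/">
    <!-- Fingerprint: libxslt for WebKit-based browsers, Transformiix for Gecko. -->
    <xsl:variable name="vendor" select="system-property('xsl:vendor')"/>

    <svg width="200" height="220">
      <circle cx="100" cy="100" r="80" stroke="black" stroke-width="2">
        <xsl:attribute name="fill">
          <xsl:choose>
            <!-- Assumption: WebKit engines expose the libxslt vendor string. -->
            <xsl:when test="contains($vendor, 'libxslt')">red</xsl:when>
            <xsl:otherwise>green</xsl:otherwise>
          </xsl:choose>
        </xsl:attribute>
      </circle>
      <!-- Render the raw vendor string under the circle for inspection. -->
      <text x="10" y="210" font-size="12">
        <xsl:text>xsl:vendor = </xsl:text>
        <xsl:value-of select="$vendor"/>
      </text>
    </svg>
  </xsl:template>

</xsl:stylesheet>
```

Saved with an .svg or .xml extension and opened directly in a browser with XSLT support, the file renders as an image whose content was computed at load time rather than stored in the file; the same structure is what a defender should look for when auditing uploaded SVG/XML content (an `xml-stylesheet` processing instruction or an `xsl:stylesheet` element inside an image file).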
Evil SVG images
Exploitcolor depends on the OS, ...) and exploit a specific vulnerability. This was demonstrated with CVE-2011-1774 and a WebKit exploit tested on Windows, Linux, iOS and webOS.
From a security point of view, it is important to audit
As the SVG format is valid XML too, t
The process is the following:
- The source XML file (do not