Changes for page Homoiconicity

Last modified by Nicolas Gregoire on 2012/01/05 00:18

From version 6.1
edited by Nicolas Gregoire
on 2012/01/05 00:20
Change comment: There is no comment for this version
To version 7.1
edited by Nicolas Gregoire
on 2012/01/05 00:23
Change comment: There is no comment for this version

Details

Page properties
Content
... ... @@ -9,12 +9,11 @@
9 9  
10 10  
11 11  
12 -
13 13  == Triggering embedded code ==
14 14  
15 15  In some contexts (like browsers), XSLT code execution can be triggered while a XML document is parsed, via a xsl:stylesheet tag. The executed XSLT code can be stored on the Internet or in the XML document itself (homoiconicity + self-reference trick). A [[blog post>>http://scarybeastsecurity.blogspot.com/2011/01/harmless-svg-xslt-curiousity.html||rel="__blank"]] by Chris Evans describes a pseudo SVG file triggering a simple RAM DoS . But we can do better ;-)
16 16  
17 -== Simple dynamic SVG images ==
16 +== Exploiting via dynamic SVG images ==
18 18  
19 19  We can create XML files which will be interpreted by browsers like perfectly valid self-contained dynamic SVG images. The SVG file is then generated on the fly by the (Turing complete) XSLT engine of the browser.
20 20  
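Review bot: the renamed heading "Exploiting via dynamic SVG images" now overlaps with the "Evil SVG images" section that follows in the next hunk, while the paragraph under it still only explains how browsers render an XSLT-generated, self-contained SVG (the technique, not the exploitation); either keep the exploitation wording for the later section or name this one for what it actually covers, so the two sections stay distinct. While touching this region, the unchanged context sentence reads "while a XML document is parsed" (should be "an XML document") and has a stray space before the period in "RAM DoS ."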
... ... @@ -21,10 +21,15 @@
21 21  In the following example, the XSLT code will :
22 22  
23 23  * fingerprint the underlying XSLT engine
24 -* draw a circle (red if Webkit, green, otherwise)
23 +* draw a circle (red if Webkit, green otherwise)
24 +* try to exploit CVE-2011-
25 25  
26 -[[image:svg-webkit-small.png||style="float: right"]]
26 +In Opera :
27 +[[image:svg-opera-small.png||style="display: block; margin-left: auto; margin-right: auto"]]
27 27  
29 +In Epiphany :
30 +[[image:svg-webkit-small.png||style="display: block; margin-left: auto; margin-right: auto"]]
31 +
28 28  == Evil SVG images ==
29 29  
30 30  Exploitcolor depends of the OS, ...) and exploit a specific vulnerability. This was demonstrated with[[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank" title="CVE-2011-1774"]] and a Webkit exploit tested on Windows, Linux, iOS and webOS.
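Review bot: the added bullet "* try to exploit CVE-2011-" is cut off after the year, so the reader cannot tell which vulnerability the example attempts; the "Evil SVG images" section in this same hunk links CVE-2011-1774 in full, so the bullet should carry a complete identifier (and ideally the same link) for whichever CVE is meant. Two smaller points: the new captions "In Opera :" and "In Epiphany :" have a space before the colon, and the unchanged context line "Exploitcolor depends of the OS, ...) and exploit a specific vulnerability. This was demonstrated with[[CVE-2011-1774" reads as damaged text (missing opening words, "depends of" instead of "depends on", no space before the link), which could be repaired since this edit already touches the neighbouring lines.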