improved XXE SVG payloads to be valid XMLs

[gregxsunday]

Hi,

while testing for XXEs in SVG I needed to make some changes so that the payloads are treated as valid XMLs. I thought it's worth doing a pr so that nobody misses an XXE because of lack of required attribute.

I fixed 2 things actually:

image tag for XXE inside SVG

I was validating my payloads here and when you use Validate by Direct Input, choose SVG 1.1 DOCTYPE and paste

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
    <image xlink:href="expect://ls"></image>
</svg>

There are 2 errors:

Line 2, Column 36: required attribute "width" not specified
<image xlink:href="expect://ls"></image>
The attribute given above is required for an element that you've used, but you have omitted it

and the same for height.

Thus I added them to the XXE SVG payload.

xml tag in OOB via SVG rasterization

I added XML tag as without it my payload was causing exceptions. On the aforementioned validator it's still not considered valid, but adding it made the payload work in my case.

Both fixes made my XXE work during the pentest and those payloads didn't work without them.