The Image that called me
Active Content Injection with SVG Files
A presentation by Mario Heiderich, 2011

Introduction
● Mario Heiderich
● Researcher and PhD student at the Ruhr-University, Bochum
● Security Researcher for Microsoft, Redmond
● Security Consultant for XING AG, Hamburg
● Published author and international speaker
● HTML5 Security Cheatsheet / H5SC
● PHPIDS Project

Today
● SVGs and the modern web
● What are SVGs?
● What are they capable of?
● Which browsers “understand” SVG?
● Why are there conflicted areas? And what does that have to do with security?

SVG Images
● Scalable Vector Graphics
● XML based, therefore
● Versatile
● Accessible
● Compressible
● “Stylable” with CSS
● Open
● Great for mobile devices
● Easy to parse and process
● Ancient format, older than 10 years
● Relations to HTML5, the living standard

SVG History
● Proposed by several W3C members in 1998
● Derived from Adobe PostScript and VML
● Developed in 1999
● Currently at version 1.1
● Version 1.2 still a working draft
● Might be overtaken by SVG 2.0

Good browser support
● Gecko, WebKit, Presto, and Trident

Basic Example

SVG Family
● SVG Tiny 1.2
● Designed for cellphones and smartphones
● 47 tags
● SVG Basic 1.1
● Designed for handhelds, tablets and netbooks
● 71 tags
● SVG Full 1.1
● Full feature set
● 81 tags

Features
● Geometrical shapes
● Circles, ellipses, squares, lines and more
● SVG fonts
● Font-specific formatting and glyph styles
● Links
● Animations and Transformations
● Gradients and Effects
● Meta-data
● Scripting and Events
● Inclusion of arbitrary objects

SVG in Action

Scripting
● The following SVG executes JavaScript
● More examples?

More Scripting
alert(1)

Deploying SVGs
● Several ways of deploying SVGs, implemented by modern browsers
● Five important ones are:
● Opening the file directly
● Deployment via or
● Deployment via or
● Deployment via CSS background/list-style/content/cursor
● In-line SVG

Security Boundaries
● SVG capabilities depend on the deployment method
● A model based on expectations
● Heterogeneous implementations
● And a whole new world of bugs and vulnerabilities

XSS
● SVGs deployed via and tag should not execute JavaScript
● Same goes for SVGs used via CSS
● Or SVG fonts
● SVGs deployed via
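The boundary the slides describe (an SVG deployed as a passive image, via CSS or as a font must carry no active content) is something a defender can check before accepting an upload. The following Python detector is an added example, not code from the talk: it walks an SVG document with the standard-library XML parser and flags script elements, event-handler attributes, animation elements (which can rewrite attributes at runtime), foreignObject, and javascript:/data: URIs in link targets. The element and attribute names are taken from the SVG specification; the sample documents are constructed for the test.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that carry script, embed a foreign document, or can change
# attributes (including event handlers and link targets) after load.
ACTIVE_ELEMENTS = {"script", "foreignObject", "set", "animate",
                   "animateTransform", "animateMotion", "handler", "listener"}
# Attributes that hold a URI and can therefore point at a javascript: target.
URI_ATTRS = {"href", "{%s}href" % XLINK_NS}
# URI schemes that yield code execution or an inline document instead of a resource.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def find_active_content(svg_text):
    """Return (element, reason) pairs for every construct that could run code
    when the SVG is rendered in a context that honours scripting."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():          # document order, root included
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append((name, "active element"))
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):      # onload, onclick, onbegin, ...
                findings.append((name, "event handler attribute %s" % aname))
            elif attr in URI_ATTRS:
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in DANGEROUS_SCHEMES:
                    findings.append((name, "%s: URI in %s" % (scheme, aname)))
    return findings


def safe_as_passive_image(svg_text):
    """True when the document contains nothing that would need script execution."""
    return not find_active_content(svg_text)


# Constructed sample: the alert(1) cases the slides allude to, in one file.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <circle r="10" fill="red"/>
  <a xlink:href="javascript:alert(1)"><text>click</text></a>
  <set attributeName="onclick" to="alert(1)"/>
</svg>"""
```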