The Image that called me
Active Content Injection with SVG Files
A presentation by Mario Heiderich, 2011
Introduction
● Mario Heiderich
● Researcher and PhD student at the Ruhr-University Bochum
● Security Researcher for Microsoft, Redmond
● Security Consultant for XING AG, Hamburg
● Published author and international speaker
● HTML5 Security Cheatsheet / H5SC
● PHPIDS Project
Today
● SVGs and the modern web
● What are SVGs?
● What are they capable of?
● Which browsers “understand” SVG?
● Why are there conflicting areas?
● And what does all of that have to do with security?
SVG Images
● Scalable Vector Graphics
● XML based, therefore:
● Versatile
● Accessible
● Compressible
● “Stylable” with CSS
● Open
● Great for mobile devices
● Easy to parse and process
● Ancient format, older than 10 years
● Related to HTML5, the living standard
SVG History
● Proposed by several W3C members in 1998
● Derived from PGML (Adobe's PostScript-based proposal) and VML (Microsoft)
● Developed in 1999
● Currently at version 1.1
● Version 1.2 is still a working draft
● Might be overtaken by SVG 2.0
● Good browser support: Gecko, WebKit, Presto, and Trident
Basic Example
SVG Family
● SVG Tiny 1.2
● Designed for cellphones and smart-phones
● 47 tags
● SVG Basic 1.1
● Designed for handhelds, tablets and net-books
● 71 tags
● SVG Full 1.1
● Full feature set
● 81 tags
Features
● Geometrical shapes: circles, ellipses, rectangles, lines and more
● SVG fonts: font-specific formatting and glyph styles
● Links
● Animations and transformations
● Gradients and effects
● Meta-data
● Scripting and events
● Inclusion of arbitrary objects
SVG in Action
Scripting
● The following SVG executes JavaScript
● More examples?
More Scripting
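The SVG listings shown on the scripting slides are not reproduced in this text. As an added example that is not part of Heiderich's deck, the following Node.js scanner enumerates the places where an SVG document can carry script: `<script>` and `<handler>` elements, `on*` event attributes, `javascript:` and `data:` URIs in (`xlink:`)`href`, `<set>`/`<animate>` rewriting an event attribute or `href` at runtime, and `<foreignObject>` embedding XHTML. Those vectors are well-known SVG facts but are assumptions beyond what the slides above state, and both sample documents are constructed for this example. The scanner tokenizes tags with regular expressions rather than parsing XML, so it is a teaching aid for where script hides, not a production filter.

```javascript
// Added example, not code from the original presentation: a heuristic scanner
// for active content in SVG. It tokenizes tags with regexes instead of parsing
// XML, so it can be fooled by comments, CDATA and '>' inside attribute values;
// a real upload filter should parse the XML and allow-list elements/attributes.

// Elements that carry script directly. <handler> is the SVG Tiny 1.2 XML Events form.
const SCRIPT_ELEMENTS = new Set(['script', 'handler']);
// Animation elements that can rewrite another attribute after load, e.g.
// <set attributeName="onmouseover" to="alert(1)"/> adds an event handler at runtime.
const ANIMATION_ELEMENTS = new Set(['set', 'animate']);

const TAG_RE = /<\s*(\/?)([A-Za-z_][\w:.-]*)([^>]*?)(\/?)>/g;
const ATTR_RE = /([^\s=\/>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Drop a namespace prefix (xlink:href -> href) and normalise case.
function localName(qname) {
  const i = qname.indexOf(':');
  return (i === -1 ? qname : qname.slice(i + 1)).toLowerCase();
}

// Browsers ignore whitespace and control characters inside a URI scheme, so
// "java\tscript:" is still javascript:; strip them before comparing.
function isActiveUri(value) {
  const v = value.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
  return v.startsWith('javascript:') || v.startsWith('data:');
}

function parseAttrs(raw) {
  const attrs = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs.push({ name: m[1], value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Returns one finding per scripting vector: { line, element, reason }.
function scanSvg(svgText) {
  const findings = [];
  for (const m of svgText.matchAll(TAG_RE)) {
    const [, closing, qname, rawAttrs] = m;
    if (closing) continue;
    const line = svgText.slice(0, m.index).split('\n').length;
    const el = localName(qname);
    const report = (reason) => findings.push({ line, element: el, reason });

    if (SCRIPT_ELEMENTS.has(el)) report('script-bearing element');
    if (el === 'foreignobject') report('foreignObject embeds (X)HTML, including <script>');

    for (const { name, value } of parseAttrs(rawAttrs)) {
      const n = localName(name);
      if (n.startsWith('on')) {
        report(`event handler attribute ${name}`);
      } else if (n === 'href') {
        if (isActiveUri(value)) report(`javascript:/data: URI in ${name}`);
      } else if (n === 'attributename' && ANIMATION_ELEMENTS.has(el)) {
        const target = localName(value);
        if (target.startsWith('on') || target === 'href') {
          report(`${el} rewrites ${value} at runtime`);
        }
      }
    }
  }
  return findings;
}

// Constructed sample input (not taken from the slides): a plain drawing with a link.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle cx="50" cy="50" r="40" fill="red"/>
  <a xlink:href="https://example.org/"><text x="10" y="20">link</text></a>
</svg>`;

// Constructed sample carrying one instance of each vector the scanner knows.
const ACTIVE_SVG = `<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(2)</script>
  <a xlink:href="java\tscript:alert(3)"><text x="10" y="20">click me</text></a>
  <set attributeName="onmouseover" to="alert(4)"/>
  <animate attributeName="xlink:href" values="javascript:alert(5)"/>
  <image xlink:href="data:image/svg+xml,%3Csvg%3E" width="10" height="10"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"/></foreignObject>
</svg>`;

for (const f of scanSvg(ACTIVE_SVG)) {
  console.log(`line ${f.line} <${f.element}>: ${f.reason}`);
}
```

Run it with `node scan-svg.js`; the benign document yields no findings, while the active one reports seven, one per vector. Note the tab inside `java\tscript:` in the third vector: a filter that compares the raw attribute value against the literal string `javascript:` misses it, which is why the scheme is normalised before the check.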
Deploying SVGs
● Several ways of deploying SVGs, implemented by modern browsers
● Five important ones are:
● Opening the file directly
● Deployment via