If your web application displays image files submitted by an external party, you should take special care about how you handle “image/svg+xml”. SVG image files can contain CSS and, more importantly, JavaScript. I didn’t realise this until very recently when I read about an SVG vulnerability in GMail (now fixed). The fact that you can execute JavaScript from inside an image file presents an unexpected vector for XSS attacks, and one that is easy to miss, because most upload checks treat anything with an image MIME type as harmless.
An SVG file is basically a chunk of text in XML format which describes an image. Here is a simple example of a 50x50 pixel green triangle:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>
If you’re using a browser which supports SVG, i.e. pretty much any recent version of a modern browser other than Internet Explorer before version 9, here is what the above XML looks like when the browser renders it:
Inside the above XML, you can use a script element in exactly the same way you would in HTML, and the browser will run it when it loads the file as a document. E.g.:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('This app is probably vulnerable to XSS attacks!');
</script>
</svg>
Fortunately, the context in which the SVG is displayed matters. An SVG referenced from a plain img tag (or as a CSS background image) is rendered, but browsers do not execute scripts or load external resources in that context. The script does run when the SVG is loaded as a document: when a user navigates to the file directly, when it is embedded with an iframe, embed or object tag, or when its markup is inlined into the HTML page. If the file is served from your application’s own origin, that script then runs with the application’s origin, with access to its cookies and DOM, which is a full XSS.
Workarounds?
Don’t allow SVG at all. (Check the file content, not just the extension or the declared MIME type; an SVG is plain XML and is easy to disguise.)
Allow SVG submissions but don’t display them, just allow them to be downloaded. Serve them with “Content-Disposition: attachment” and an accurate Content-Type so the browser never renders the file as a document in your origin.
Serve user-submitted files from a separate, cookie-less origin (a dedicated static domain). Any script that does run then cannot reach your application’s session or DOM.
Strip out dangerous stuff from the SVG before displaying. Be careful to catch everything: not only script elements but also event-handler attributes such as onload and onclick, href and xlink:href values beginning with “javascript:”, foreignObject (which can wrap arbitrary HTML), style elements and style attributes (CSS can fetch remote resources), and any reference to an external URL. An allowlist of permitted elements and attributes is far safer than a blocklist of known-bad ones.
Convert to a different image format before displaying, eg PNG or JPEG. The converter is then parsing attacker-controlled XML itself, so keep it patched and run it with minimal privileges, and be aware of XML entity-expansion attacks against whatever parser it uses.
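As an added illustration of the “strip out dangerous stuff” workaround (example code, not code from this post or from the Email Privacy Tester), the following allowlist-based sanitizer keeps only known-safe SVG elements and unnamespaced attributes and discards everything else, including script, style, foreignObject, event handlers and any value that points at “javascript:” or an external URL. The element and attribute lists are assumptions chosen for the triangle example and should be extended to match your own content; the sample input is constructed for the demonstration.

```python
"""Allowlist-based SVG sanitizer (example code, not from the original post).

Assumptions: user-submitted SVG is to be served inline, and anything not on
the allowlists below is dropped. Extend ALLOWED_TAGS/ALLOWED_ATTRS as needed.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Only elements in the SVG namespace that appear here survive. Notably absent:
# script, style, foreignObject (can carry HTML), a, image and use (external refs).
ALLOWED_TAGS = {
    "svg", "g", "defs", "title", "desc",
    "path", "polygon", "polyline", "line", "rect", "circle", "ellipse",
    "text", "tspan", "linearGradient", "radialGradient", "stop",
}

# Unnamespaced geometry/presentation attributes. No "style", no event handlers,
# no href/xlink:href.
ALLOWED_ATTRS = {
    "id", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "viewBox", "version", "baseProfile", "d", "points",
    "fill", "stroke", "stroke-width", "opacity", "transform", "offset",
    "stop-color", "font-size", "font-family", "text-anchor",
}


def _split(qname):
    """Split an ElementTree "{uri}local" name into (uri, local)."""
    if qname.startswith("{"):
        uri, _, local = qname[1:].partition("}")
        return uri, local
    return "", qname


def _value_ok(value):
    """Reject attribute values that smuggle in script or external resources."""
    v = value.strip().lower()
    if "javascript:" in v or "data:" in v:
        return False
    # url(...) may only reference an id in this document, e.g. fill="url(#grad)"
    return "url(" not in v or v.startswith("url(#")


def _clean_attrs(elem):
    for name in list(elem.attrib):
        uri, local = _split(name)
        if uri or local not in ALLOWED_ATTRS or local.lower().startswith("on"):
            del elem.attrib[name]          # drops onload=, xlink:href=, style= ...
        elif not _value_ok(elem.attrib[name]):
            del elem.attrib[name]


def _clean_tree(elem):
    for child in list(elem):
        uri, local = _split(child.tag)
        if uri != SVG_NS or local not in ALLOWED_TAGS:
            elem.remove(child)             # removes the whole subtree
        else:
            _clean_tree(child)
    _clean_attrs(elem)


def sanitize_svg(svg_text):
    """Return a serialised SVG containing only allowlisted content."""
    root = ET.fromstring(svg_text)         # the DOCTYPE is discarded here
    if _split(root.tag) != (SVG_NS, "svg"):
        raise ValueError("root element is not <svg>")
    _clean_tree(root)
    ET.register_namespace("", SVG_NS)      # serialise with a default xmlns
    return ET.tostring(root, encoding="unicode")


# Constructed sample input: the post's triangle plus several script vectors.
MALICIOUS_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" onclick="alert(2)"/>
<script type="text/javascript">alert('This app is probably vulnerable to XSS attacks!');</script>
<style>polygon { fill: url(http://attacker.example/leak) }</style>
<a xlink:href="javascript:alert(3)"><rect width="50" height="50"/></a>
<foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(4)"/></body></foreignObject>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(MALICIOUS_SVG))
```

Running it prints only the svg root and the green polygon; every other vector is gone. Two caveats: the standard-library parser still expands internal entities, so feed untrusted XML through defusedxml (or an equivalent hardened parser) in production, and because this is an allowlist, any legitimate feature you forget to list is silently removed rather than silently let through, which is the failure mode you want.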
I have updated the Email Privacy Tester with my new found SVG knowledge. Basically, an SVG file is attached to the email and displayed inline in the email (if supported). It contains some CSS and JavaScript which is intended to trigger network traffic and pop up an alert. I’m guessing there is at least one webmail implementation out there which is susceptible.