Dangers of SVG and the img tag

09 Mar 2011

At this week’s meeting at OWASP Sweden, security researcher Mario Heiderich held a presentation about the security implications of SVG support in modern web browsers.

SVG (Scalable Vector Graphics) is based on XML and is typically considered an image format, just like JPEG or PNG, only that it is based on vector graphics instead of bitmaps. But there is a big difference: SVG files can contain code. The code is in JavaScript and may be in <script> tags or otherwise embedded in the SVG.

The immediate danger of this is that any site that allows a user to upload or link to an image may be open for cross site scripting attacks. For example, an attacker can upload an SVG file to Wikipedia and have its code executed in an unsuspecting victim’s browser. Or an attacker can just post a link to an SVG image on a forum. If the forum software links to images with the <img> tag, the users’ browsers will load the SVG and possibly execute the code. (Security measures have been added to avoid this, but according to Mario Heiderich they are easy to circumvent.)

My main takeaway from the presentation was that the <img> tag is not as harmless as it may seem after SVG support was added. You need to be careful with it!

Added March 11th: Here is Mario’s presentation about SVG. He also held a presentation about protecting against XSS with Object.defineProperty.

blog comments powered by Disqus