XSS when loading untrusted SVG using img tag

Does the threat of XSS exist when loading an untrusted SVG file using the img tag?

As in: <img src="untrusted.svg"/>

I've read that most browsers disable scripts in svg files loaded via the img tag.

Bas van Dijk asked Oct 27 '11 14:10

1 Answer

This used to work in some browsers, but not anymore. However, there is a related issue. If I, as an unknowing user, right-click and download the image, and then open it locally, it will likely open in the browser and the script will run. Which is a bit weird considering it's an image. I suppose if you right-click and select "view image" that could also cause the script to run, because you open it directly.

Erlend answered Sep 19 '22 23:09
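The answer's point is that `<img src>` neutralises scripts in an SVG, but the same file opened directly (via "view image" or after a download) is treated as a document and its scripts run. The defensive consequence is that user-supplied SVG should be made inert before it is stored or served, not merely embedded "safely". The following is an added example, not code from the question or answer: a small Python sanitizer that removes `<script>`/`<foreignObject>` elements, `on*` event-handler attributes and `javascript:`/`data:` hrefs, plus a header set for serving such files. The sample SVG, the function names and the header choices are all assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Added example (hypothetical sanitizer), not from the original thread.
# Assumption: the SVG is user-supplied and we want it inert even when a
# browser renders it as a top-level document rather than inside <img>.

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that can carry executable or embedded-HTML content.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attribute names (plain and xlink-namespaced) that hold URLs.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# Schemes that must never appear in an href inside a stored image.
BAD_SCHEME = re.compile(r"^(javascript|data)\s*:")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(svg_text: str) -> Tuple[str, List[str]]:
    """Return (sanitized_svg, findings) for an SVG document string.

    NOTE: ET.fromstring is not a complete XML hardening (no protection against
    entity-expansion tricks); a production path would parse with defusedxml.
    """
    root = ET.fromstring(svg_text)
    findings: List[str] = []

    # ElementTree elements have no parent pointer, so map children to parents first.
    parent_of = {child: parent for parent in root.iter() for child in parent}

    # Snapshot the traversal so removing elements does not disturb iteration.
    for el in list(root.iter()):
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"removed <{tag}> element")
            parent = parent_of.get(el)
            if parent is not None:
                parent.remove(el)
            continue
        for attr in list(el.attrib):
            name = _local(attr).lower()
            value = el.attrib[attr].strip().lower()
            if name.startswith("on"):
                # onload, onclick, onmouseover, ... all execute script.
                findings.append(f"removed {name} handler on <{tag}>")
                del el.attrib[attr]
            elif attr in URL_ATTRS and BAD_SCHEME.match(value):
                findings.append(f"removed {name} with {value.split(':')[0]}: scheme on <{tag}>")
                del el.attrib[attr]

    # Keep the default SVG namespace so the output is not rewritten as ns0:svg.
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), findings


def inert_svg_headers() -> Dict[str, str]:
    """Headers for serving stored user SVG (an assumed deployment choice).

    The CSP sandbox stops script execution if the file is navigated to directly
    ("view image"); Content-Disposition: attachment turns a top-level request
    into a download while <img src> still renders it. Neither header survives a
    copy saved to disk, which is why the content itself is sanitized above.
    """
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; script-src 'none'",
        "Content-Disposition": "attachment",
    }


# Constructed sample input: a benign-looking icon carrying three kinds of active content.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'width="10" height="10" onload="console.log(1)">'
    '<script>console.log(2)</script>'
    '<a xlink:href="javascript:console.log(3)"><rect width="10" height="10"/></a>'
    '</svg>'
)

if __name__ == "__main__":
    cleaned, report = sanitize_svg(SAMPLE_SVG)
    for line in report:
        print(line)
    print(cleaned)
```

The sanitizer is deliberately an allow-nothing-active filter rather than a full SVG allow-list; `<style>` blocks and `<use>` references to external documents are further places a reviewer would look before accepting arbitrary uploads. The header set only helps for files served from your origin, which is exactly the gap the answer describes for a file opened locally.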