Crouching Tiger - Hidden Payload: Security Risks of Scalable Vectors Graphics

Mario Heiderich, Tilman Frosch, Meiko Jensen, Thorsten Holz

18th ACM Conference on Computer and Communications Security (CCS), Chicago, IL, October 2011


Scalable Vector Graphics (SVG) images have so far played a rather small role on the Internet, mainly due to the lack of proper browser support. Recently, things have changed: the W3C and WHATWG draft specifications for HTML5 require modern web browsers to support SVG images embedded in a multitude of ways. SVG images can now be embedded through the classical method via tags such as <embed> or <object>, or in novel ways, such as via <img> tags, CSS, or inline in any HTML5 document.

SVG files are generally considered to be plain images or animations, and security-wise they are treated as such (e.g., when local or remote SVG images are embedded into websites, or when such files are uploaded into rich web applications). Unfortunately, this practice poses great risks for web applications and their users, since SVG files must be considered fully functional, one-file web applications potentially containing HTML, JavaScript, Flash, and other interactive code structures. We found that even more severe problems result from the often improper handling of complex and maliciously prepared SVG files by browsers.

In this paper, we introduce several novel attack techniques targeted at major websites, as well as modern browsers, email clients and other comparable tools. In particular, we show that SVG images embedded via the <img> tag and CSS can execute arbitrary JavaScript code. We examine and present how current filtering techniques can be circumvented using SVG files, and subsequently propose an approach to mitigate these risks. The paper showcases our research into the usage of SVG images as attack tools and determines its impact on state-of-the-art web browsers such as Firefox 4, Internet Explorer 9, and Opera 11.
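To make concrete what "fully functional, one-file web application" means for an upload filter, the following is an added example; it is not code from the paper or its authors and does not implement the mitigation the paper proposes. It shows an SVG upload sanitizer that parses the file as XML and keeps only an allowlist of SVG elements and attributes, dropping script elements, foreignObject, event-handler attributes and any href that is not a same-document fragment, rather than pattern-matching on the raw text (the denylist style of filter that the abstract says SVG can circumvent). The allowlists, the helper names and the sample SVG are assumptions constructed for this example. It uses Python's standard xml.etree.ElementTree; for untrusted input in production, parse with defusedxml instead so that entity-expansion attacks are covered as well.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed, deliberately minimal allowlists: static shapes, text, gradients, links.
# Anything not listed is dropped together with its subtree, which is what removes
# <script>, <foreignObject>, <image>, <style>, <set>/<animate> and foreign namespaces.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "a", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "use", "linearGradient",
    "radialGradient", "stop", "clipPath",
}
ALLOWED_ATTRS = {
    "id", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry", "width",
    "height", "d", "points", "fill", "stroke", "stroke-width", "stroke-linecap",
    "stroke-linejoin", "opacity", "fill-opacity", "stroke-opacity", "transform",
    "viewBox", "offset", "stop-color", "stop-opacity", "font-size", "font-family",
    "text-anchor", "gradientUnits", "clip-path",
}
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
# Only same-document references are accepted inside url(...) values (fill, clip-path, ...).
LOCAL_URL = re.compile(r"\s*url\(#[A-Za-z0-9_.:-]+\)\s*")


def _local(qname):
    return qname.rsplit("}", 1)[-1]


def _ns(qname):
    return qname[1:].split("}", 1)[0] if qname.startswith("{") else ""


def sanitize_svg(svg_text):
    """Return (sanitized SVG string, list of (kind, name) that were removed)."""
    root = ET.fromstring(svg_text)  # comments and processing instructions are discarded
    if _ns(root.tag) != SVG_NS or _local(root.tag) != "svg":
        raise ValueError("root element is not <svg> in the SVG namespace")
    removed = []
    _clean(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


def _clean(elem, removed):
    for qname, value in list(elem.attrib.items()):
        local = _local(qname)
        if qname in HREF_ATTRS:
            # javascript:, data:, http(s): and any other external target are rejected;
            # only fragment references such as "#grad" survive.
            if not value.startswith("#"):
                removed.append(("attr", local))
                del elem.attrib[qname]
            continue
        bad = (
            _ns(qname) != ""                      # attribute from a foreign namespace
            or local.lower().startswith("on")     # any event handler (onload, onclick, ...)
            or local not in ALLOWED_ATTRS
            or ("url(" in value and LOCAL_URL.fullmatch(value) is None)
        )
        if bad:
            removed.append(("attr", local))
            del elem.attrib[qname]
    for child in list(elem):
        if _ns(child.tag) != SVG_NS or _local(child.tag) not in ALLOWED_ELEMENTS:
            removed.append(("element", _local(child.tag)))
            elem.remove(child)  # the whole subtree goes, including its tail text
        else:
            _clean(child, removed)


# Constructed sample: a benign drawing carrying several hidden payload vehicles.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="200" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <rect x="10" y="10" width="100" height="100" fill="url(#g)"/>
  <a xlink:href="javascript:alert(2)">
    <circle cx="50" cy="50" r="20" fill="blue" onclick="alert(3)"/>
  </a>
  <use xlink:href="http://example.invalid/x.svg#frag"/>
  <foreignObject width="100" height="100"><div xmlns="http://www.w3.org/1999/xhtml">html</div></foreignObject>
  <image xlink:href="data:text/html,evil"/>
</svg>"""

if __name__ == "__main__":
    clean, dropped = sanitize_svg(SAMPLE_SVG)
    print(clean)
    for kind, name in dropped:
        print("removed", kind, name)
```

On the constructed sample the sanitizer keeps the gradient, rectangle, link and circle but strips the script element, the foreignObject and image subtrees, the onload and onclick handlers, the javascript: link target and the remote use reference. A file that fails to parse (ET.ParseError) or whose root is not <svg> should simply be rejected. The allowlist is intentionally conservative; adding elements such as <style>, <animate> or <image> back requires the same kind of value check that the href and url(...) branches apply.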


tags: javascript, web security