Dailydave mailing list archives

Re: TTW


From: Thorsten Holz <thorsten.holz () gmail com>
Date: Tue, 22 Nov 2011 11:39:10 +0100

On 16.11.2011, at 17:42, Kristian Erik Hermansen wrote:

> * SVG embedding vulnerabilities potential.

We recently published a paper on this subject, you can find more info at http://www.syssec.rub.de/research/publications/SVG-security-risks/

Abstract:
Scalable Vector Graphics (SVG) images have so far played a rather small role on the Internet, mainly due to the lack of proper browser support. Recently, things have changed: the W3C and WHATWG draft specifications for HTML5 require modern web browsers to support SVG images to be embedded in a multitude of ways. Now SVG images can be embedded through the classical method via specific tags such as <embed> or <object>, or in novel ways, such as with <img> tags, CSS or inline in any HTML5 document.

SVG files are generally considered to be plain images or animations, and security-wise, they are being treated as such (e.g., when an embedment of local or remote SVG images into websites or uploading these files into rich web applications takes place). Unfortunately, this procedure poses great risks for the web applications and the users utilizing them, as it has been proven that SVG files must be considered fully functional, one-file web applications potentially containing HTML, JavaScript, Flash, and other interactive code structures. We found that even more severe problems have resulted from the often improper handling of complex and maliciously prepared SVG files by the browsers.

In this paper, we introduce several novel attack techniques targeted at major websites, as well as modern browsers, email clients and other comparable tools. In particular, we illustrate that SVG images embedded via <img> tag and CSS can execute arbitrary JavaScript code. We examine and present how current filtering techniques are circumventable by using SVG files and subsequently propose an approach to mitigate these risks. The paper showcases our research into the usage of SVG images as attack tools, and determines its impact on state-of-the-art web browsers such as Firefox 4, Internet Explorer 9, and Opera 11.

Direct link to paper: http://www.syssec.rub.de/media/hgi/veroeffentlichungen/2011/10/19/svgSecurity-ccs11.pdf
Demo for SVG Purifier: http://svgpurifier.nds.rub.de/

Cheers,
  Thorsten
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
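An added example for readers of this archive, illustrating the mitigation side of the abstract above: the point that an uploaded "image" in SVG form can carry script elements, event-handler attributes, foreign HTML and active links, and that a server-side filter has to treat it as a document, not a bitmap. This is example code written for this page; it is not the SVG Purifier from RUB, not code from the paper, and the element allow-list and the "same-document fragments only" href policy are illustrative assumptions, not the paper's rules. It uses only the Python standard library; a production filter should parse with a hardened XML parser (for example defusedxml) and a reviewed allow-list.

```python
"""Defensive SVG inspection and sanitisation (added example, not from the paper)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Registering the namespaces keeps the re-serialised output free of ns0: prefixes.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that turn an "image" into an active document (assumed list).
ACTIVE_ELEMENTS = {"script", "foreignObject", "handler", "iframe", "embed", "object"}
# Illustrative allow-list of purely graphical elements (assumption, not the paper's list).
ALLOWED_ELEMENTS = {
    "svg", "g", "a", "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "title", "desc", "defs", "use", "linearGradient", "radialGradient", "stop",
}


def local_name(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def safe_href(value):
    """Assumed policy: only same-document fragment references are allowed."""
    return value.strip().startswith("#")


def find_active_content(svg_text):
    """Return (kind, detail) findings for active content in an SVG, in document order."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        name = local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(("element", name))
        for attr, value in el.attrib.items():
            a = local_name(attr)
            if a.lower().startswith("on"):          # onload, onclick, ... run script
                findings.append(("event-handler", f"{name}@{a}"))
            elif a == "href" and not safe_href(value):  # javascript:, data:, remote URLs
                findings.append(("href", f"{name}@{a}"))
    return findings


def sanitize(svg_text):
    """Rebuild the tree keeping only allow-listed elements and safe attributes.

    ElementTree's default parser also drops comments and processing instructions,
    so an <?xml-stylesheet?> reference disappears as a side effect.
    """
    def clean(el):
        if local_name(el.tag) not in ALLOWED_ELEMENTS:
            return None                     # drop the element and its whole subtree
        new = ET.Element(el.tag)
        for attr, value in el.attrib.items():
            a = local_name(attr)
            if a.lower().startswith("on") or (a == "href" and not safe_href(value)):
                continue
            new.set(attr, value)
        new.text, new.tail = el.text, el.tail
        for child in el:
            kept = clean(child)
            if kept is not None:
                new.append(kept)
        return new

    root = ET.fromstring(svg_text)
    if local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    return ET.tostring(clean(root), encoding="unicode")


# Constructed sample upload (not from the paper): one harmless shape plus the
# kinds of active content the abstract describes.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <title>constructed sample</title>
  <circle cx="50" cy="50" r="40" fill="blue" onclick="handler()"/>
  <script>console.log("active content")</script>
  <foreignObject width="10" height="10"><div>html inside svg</div></foreignObject>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
</svg>"""

if __name__ == "__main__":
    for kind, detail in find_active_content(SAMPLE_SVG):
        print(f"reject or clean: {kind} {detail}")
    print(sanitize(SAMPLE_SVG))
```

Run over the sample, the inspector reports the onclick handler, the script and foreignObject elements, and the javascript: link; the sanitised output keeps the circle and rectangle and reports nothing on a second pass. Whether to reject uploads with findings or to clean them is a policy choice; serving user-supplied SVG from a separate origin is a further layer the sanitiser does not replace.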