Mario Heiderich OWASP Sweden The Image That Called Me
Introduction
Mario Heiderich
Researcher and PhD student at the Ruhr-University, Bochum
Security Researcher for Microsoft, Redmond
Security Consultant for XING AG, Hamburg
Published author and international speaker
HTML5 Security Cheatsheet / H5SC
PHPIDS Project
Today
What are SVGs?
What are they capable of?
Which browsers "understand" SVG?
Why there are conflicted areas?
SVG Images
Great for mobile devices
Easy to parse and process
Ancient format, older than 10 years
Relations to HTML5, the living standard
SVG History
Proposed by several W3C members in 1998
Derived from Adobe PostScript and VML
Developed in 1999
Currently at version 1.1
Version 1.2 still a working draft
Might be overtaken by SVG 2.0
Gecko, Webkit, Presto, and Trident
Basic Example
SVG Family
Designed for cellphones and smartphones: 47 tags
Designed for handhelds, tablets and netbooks: 71 tags
Full feature set: 81 tags
Features
Geometrical shapes
Font specific formatting and glyph styles
Links
Animations and Transformations
Gradients and Effects
Meta-data
Scripting and Events
Inclusion of arbitrary objects
SVG in Action
Scripting
More examples?
More Scripting
<svg xmlns="http://www.w3.org/2000/svg">
  <g onload="javascript:alert(1)"></g>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
  <animation xlink:href="javascript:alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
  <foreignObject xlink:href="javascript:alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
  <set attributeName="onmouseover" to="alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
  <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler>
</svg>
Deploying SVGs
Several ways of deploying SVGs, implemented by modern browsers. Five important ones are:
Opening the file directly
Deployment via <object> or <embed>
Deployment via <img> or <image>
Deployment via CSS: background / list-style / content / cursor
In-line SVG
Security Boundaries
SVG capabilities based on deployment method
A model, based on expectations
Heterogeneous implementations
And a whole new world of bugs and vulnerabilities
XSS
SVGs deployed via <img> and <image> tag should not execute JavaScript
Same goes for SVGs used via CSS or SVG fonts
SVGs deployed via <iframe>, <embed> or <object> should, though
So browsers need different approaches
Learning by fixing?
Local SVGs
SVGs opened directly are allowed to script
Imagine the following attack:
Attacker uploads an image with an exciting motive to a server
Victim navigates to the image, likes it, saves it locally (downloads folder or desktop)
Victim wants to watch the image again and double-clicks it
Image is an SVG and executes JavaScript locally
Attacker can read local files (same directory, sub-folders)
Attacker can even load and start Java applets or worse
Very likely to be used in real life attacks: porn sites, email attachments, malware
In-line SVG
Suggested by the HTML5 specs
Working on all modern browsers - except Opera
No strict XML parser anymore
Reduced feature set
<svg> introduces many new XSS vectors
XSS filter bypasses
Scoping
SVG images are treated by browsers as XML
Same is for in-line SVG blocks
XML treats plain-text tags differently
Entities and canonical character representations are treated equally
0-Day filter bypasses ahead
This enables a new attack technique on Firefox (DEMO)
And it's even worse
In-line SVG "self-terminates" open HTML elements
Opera
JavaScript execution via SVG fonts
XSS via CSS background images
Now SVGs deployed via CSS / <img> cannot script anymore
But - not all kinds of attacks need scripting to succeed (DEMO)
Other Browsers
Firefox 4 crashed badly on SVGs embedding JS
Chrome produces weird things when using <foreignObject> and <iframe>s
Opera deploys Java applets via SVG fonts
And what about other XML related attack patterns?
External entities
SVG Tiny 1.2
Java Events
Entity bombs
Etc. etc.
Wrap-Up
SVGs are not just images but mini-applications
<img> tags can now deploy Java, PDF and Flash - and call you on Skype
In-line SVG creates small XML islands enabling XML attacks on HTML websites
SVG and XSLT work too, enabling DoS and other attacks
Web-security and XML security, they meet again: and XXE is back - remember 2002's advisories?
SVG is not getting enough attention in the security community
SVG provides a lot of room for more security research
Defense
No existing filter libs
No good documentation
XSS vectors are hard to comprehend
New vectors coming up weekly
SVG files should not be perceived as images
Allowing SVG for upload == allowing HTML for upload
SVG can embed, link or reference any kind of content over cross domain borders
SVG provides new ways of payload obfuscation
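The defense slides say it plainly: an uploaded SVG is markup, not an image, and there was no filter library at the time. The following is an added example (my own code, not from the talk, the H5SC or any project it names) of the deny-by-default upload check a defender would put in front of an SVG upload endpoint. It parses the file as XML rather than pattern-matching the raw bytes, so entity-encoded values such as `&#x6A;avascript:` are seen after decoding, exactly the "entities and canonical representations are treated equally" point from the Scoping slides. It refuses any DTD up front (covering the external-entity and entity-bomb items), then walks the tree rejecting the element and attribute classes the talk's vectors rely on: event-handler attributes, scripting and animation elements, and any href that is not a same-document fragment. The element list, the size cap and the sample inputs are constructed for this example and are illustrative, not a complete spec-derived allow list.

```python
"""Deny-by-default check for uploaded SVG files (added example, not the talk's code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 512 * 1024  # assumption: upload size cap, constructed value

# Elements the talk's vectors script through, plus the plain script element.
# Illustrative deny list for this example, not an exhaustive one.
FORBIDDEN_ELEMENTS = {"script", "handler", "foreignObject", "animation", "set",
                      "animate", "animateTransform", "font", "font-face-uri"}

# Any DTD is refused before the XML parser sees it: no external entities, no entity bombs.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def _normalise_url(value: str) -> str:
    """Drop whitespace/control characters browsers ignore, so 'jav\\tascript:' is caught."""
    return re.sub(r"[\x00-\x20]", "", value).lower()


def check_svg(data: bytes) -> list:
    """Return the reasons to reject the file; an empty list means it passed."""
    if len(data) > MAX_BYTES:
        return ["file too large"]
    if _DTD_RE.search(data):
        return ["DOCTYPE/ENTITY declarations are not allowed"]
    try:
        root = ET.fromstring(data)  # entity/char references are decoded here
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    reasons = []
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append("root element is not svg in the SVG namespace")

    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            reasons.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                reasons.append(f"event handler attribute {name} on <{tag}>")
            if name == "href":  # plain href and xlink:href both end up here
                if not _normalise_url(value).startswith("#"):
                    reasons.append(f"non-fragment reference on <{tag}>: {value!r}")
            if name == "style" and "url(" in _normalise_url(value):
                reasons.append(f"url() inside style attribute on <{tag}>")
        if tag == "style" and el.text and "url(" in _normalise_url(el.text):
            reasons.append("url() inside <style> element")
    return reasons


# Constructed sample inputs: one benign file and four modelled on the talk's vectors.
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg"><g onload="alert(1)"/></svg>',
    "entity_href": (b'<svg xmlns="http://www.w3.org/2000/svg" '
                    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                    b'<a xlink:href="&#x6A;avascript:alert(1)"><text>x</text></a></svg>'),
    "set_handler": (b'<svg xmlns="http://www.w3.org/2000/svg">'
                    b'<set attributeName="onmouseover" to="alert(1)"/></svg>'),
    "dtd": (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY a "aaaa">]>'
            b'<svg xmlns="http://www.w3.org/2000/svg">&a;</svg>'),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        verdict = check_svg(blob)
        print(f"{label:12} {'ACCEPT' if not verdict else 'REJECT: ' + '; '.join(verdict)}")
```

Rejecting on the parsed tree rather than on a regex over the raw bytes is the design point: the same decoding step that lets a browser turn `&#x6A;avascript:` back into `javascript:` runs in the checker first, so the obfuscation slide's concern is handled once instead of per-encoding. In production the pre-parse DTD check should be replaced by an XML parser hardened against entity expansion, and accepted files should still be served from a separate origin with a restrictive Content-Security-Policy, since the check above is a filter, not a sandbox.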
Future Work
SVG Purifier
More articles on the HTML5 Sec Cheatsheet Wiki
Publications, to raise awareness
More demo vectors on the H5SC to demonstrate impact
OWASP research and documentation?
Links
Wikipedia on SVG: http://en.wikipedia.org/wiki/Scalable_Vector_Graphics
W3C SVG Working Group: http://www.w3.org/Graphics/SVG/
SVG Full 1.1 (W3C): http://www.w3.org/TR/SVG11/
SVG Basic 1.1 and SVG Tiny 1.2: http://www.w3.org/TR/SVGMobile/
SVG 2.0: http://dev.w3.org/SVG/profiles/2.0/publish/intro.html
XSLT and SVG: http://scarybeastsecurity.blogspot.com/20...riousity.html
Opera SVG Bug: http://heideri.ch/opera/
HTMLPurifier: http://htmlpurifier.org/
JSBin: http://jsbin.com/
More SVG fun: http://maliciousmarkup.blogspot.com/20...re-xml-fun.html
Thanks
Thanks to
Gareth Heyes and Manuel Caballero from UNH
Alexey Silin / LeverOne
Dave Ross