SVG Exploiting Browsers without Image Parsing Bugs
Rennie deGraaf iSEC Partners
07 August 2014
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 1 / 55 Outline
1 A brief introduction to SVG What is SVG? Using SVG with HTML SVG features
2 Attacking SVG Attack surface Security model Security model violations
3 Content Security Policy A brief introduction CSP Violations
4 Conclusion
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 2 / 55 A brief introduction to SVG What is SVG? What is SVG?
Scalable Vector Graphics XML-based W3C (http://www.w3.org/TR/SVG/) Development started in 1999 Current version is 1.1, published in 2011 Version 2.0 is in development First browser with native support was Konqueror in 2004; IE was the last major browser to add native SVG support (in 2011)
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 3 / 55 A brief introduction to SVG What is SVG? A simple example Source code
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 4 / 55 A brief introduction to SVG What is SVG? A simple example As rendered
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 5 / 55 A brief introduction to SVG What is SVG? A simple example I am not an artist.
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 6 / 55 A brief introduction to SVG Using SVG with HTML Embedding SVG in HTML
As a static image: img tag CSS resources (eg, background-image) As a nested document object tag embed tag iframe tag In-line canvas tag
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 7 / 55 A brief introduction to SVG SVG features SVG with CSS In-line
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 8 / 55 A brief introduction to SVG SVG features SVG with CSS External
css"?>
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 9 / 55 A brief introduction to SVG SVG features SVG with CSS As rendered
(a) Without CSS (b) With CSS
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 10 / 55 A brief introduction to SVG SVG features SVG with JavaScript In-line
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 11 / 55 A brief introduction to SVG SVG features SVG with JavaScript External
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 12 / 55 A brief introduction to SVG SVG features SVG with JavaScript As rendered
(a) Without JavaScript (b) With JavaScript
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 13 / 55 A brief introduction to SVG SVG features SVG with an external image
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 14 / 55 A brief introduction to SVG SVG features SVG with an external image As rendered
(a) Normal (b) With an external image
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 15 / 55 A brief introduction to SVG SVG features SVG with embedded HTML
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 16 / 55 A brief introduction to SVG SVG features SVG with embedded HTML As rendered
(b) With another SVG embedded inside (a) Normal HTML in a foreignObject
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 17 / 55 Attacking SVG Attack surface Attack surface
Since SVG can do pretty much everything that HTML can do, the attack surface is very similar: XML attacks (Billion Laughs, etc.) DOM attacks XSS Etc.
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 18 / 55 Attacking SVG Attack surface Billion Laughs
]>
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 19 / 55 Attacking SVG Attack surface Billion Laughs Chrome
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 20 / 55 Attacking SVG Attack surface Billion Laughs Firefox
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 21 / 55 Attacking SVG Attack surface Attacking the DOM Innocent HTML
Same-origin SVG
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 22 / 55 Attacking SVG Attack surface Attacking the DOM As rendered
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 23 / 55 Attacking SVG Attack surface Attacking the DOM Malicious SVG
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 24 / 55 Attacking SVG Attack surface Attacking the DOM Results
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 25 / 55 Attacking SVG Attack surface XSS Code
" ?>
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 26 / 55 Attacking SVG Attack surface XSS Results
(b) http://svg.test/circle-xss.svg.php (a) http://svg.test/circle-xss.svg.php- ?colour="/>
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 27 / 55 Attacking SVG Security model Security model
SVG loaded as static images are treated like other image formats: External resources (stylesheets, scripts, other images, etc.) are not loaded. Scripts are never executed. Internal stylesheets and data URIs are allowed. SVG loaded as nested documents are treated just like HTML: External resources are loaded. Scripts are executed. Same-Origin Policy applies. Sandboxed iframes disable script execution Browsers must never load a document as a child of itself.
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 28 / 55 Attacking SVG Security model violations Internet Explorer always loads external CSS Source
href="circle.css"?>
xmlns="http://www.w3.org/2000/svg" width="68" height="68"