-
5/27/2018 Mario Heiderich OWASP Sweden the Image That Called Me
The Image that called me
Active Content Injection with SVG Files
A presentation by Mario Heiderich, 20
-
Introduction
Mario Heiderich
Researcher and PhD student at the Ruhr-University, Bochum
Security Researcher for Microsoft, Redmond
Security Consultant for XING AG, Hamburg
Published author and international speaker
HTML5 Security Cheatsheet / H5SC
PHPIDS Project
-
Today
SVGs and the modern web
What are SVGs?
What are they capable of?
Which browsers "understand" SVG?
Why are there conflicted areas?
And what does that have to do with security?
-
SVG Images
Scalable Vector Graphics
XML based, therefore
Versatile
Accessible
Compressible
"Stylable" with CSS
Open
Great for mobile devices
Easy to parse and process
Ancient format, older than 10 years
Relations to HTML5, the living standard
-
SVG History
Proposed by several W3C members in 1998
Derived from Adobe Postscript and VML
Developed in 1999
Currently at version 1.1
Version 1.2 still a working draft
Might be overtaken by SVG 2.0
Good browser support
Gecko, Webkit, Presto, and Trident
-
Basic Example
[SVG markup sample; only the namespace URL on the slide survives: http://www.w3.org/1999/svg]
-
SVG Family
SVG Tiny 1.2
Designed for cellphones and smart-phones
47 Tags
SVG Basic 1.1
Designed for handhelds, tablets and net-books
-
Features
Geometrical shapes
Circles, ellipses, squares, lines and more
SVG fonts
Font specific formatting and glyph styles
Links
Animations and Transformations
Gradients and Effects
Meta-data
Scripting and Events
Inclusion of arbitrary objects
-
SVG in Action
-
Scripting
The following SVG executes JavaScript:
[SVG sample calling alert(1); namespace URL on the slide: http://www.w3.org/1999/svg]
More examples?
-
More Scripting
[several SVG samples calling alert(1); namespace URL http://www.w3.org/2000/svg, link targets rendered as http://alert%281/]
-
Deploying SVGs
Several ways of deploying SVGs, implemented by modern browsers
Five important ones are:
Opening the file directly
Deployment via <img> or <image>
Deployment via <object> or <embed>
Deployment via CSS background / list-style / content / cursor
In-line SVG
-
Security Boundaries
SVG capabilities based on deployment method
A model, based on expectations
Heterogeneous implementations
And a whole new world of bugs and vulnerabilities
-
XSS
SVGs deployed via <img> and <image> tags should not execute JavaScript
Same goes for SVGs used via CSS
Or SVG fonts
SVGs deployed via <object>, <embed> or <iframe> should, though
So browsers need different approaches
Learning by fixing?
-
Local SVGs
SVGs opened directly are allowed to script
Imagine the following attack:
Attacker uploads an image with an exciting motive to a server
Victim navigates to the image, likes it, saves it locally (downloads folder or desktop)
Victim wants to watch the image again and double-clicks it
Image is an SVG and executes JavaScript locally
Attacker can read local files (same directory, sub-folders)
Attacker can even load and start Java applets or worse
Very likely to be used in real life attacks
Porn sites, Email attachments, Malware
-
In-line SVG
Suggested by the HTML5 specs
Working on all modern browsers except Opera
No strict XML parser anymore
See: no quotes, no trailing slash
Reduced feature set introduces many new XSS vectors
XSS filter bypasses
-
Scoping
SVG images are treated by browsers as XML
Same is for in-line SVG blocks
XML treats plain-text tags differently (in HTML their content is raw text, in XML it is parsed as markup)
Entities and canonical character representations are treated equally
0-Day filter bypasses ahead
This enables a new attack technique on Firefox
DEMO
And it's even worse
In-line SVG "self-terminates" open HTML elements
http://jsbin.com/orufu4
-
Opera
A long history of SVG flaws
JavaScript execution via SVG fonts
XSS via CSS background images
Now SVGs deployed via CSS cannot script anymore
But - not all kinds of attacks need scripting to succeed
DEMO
http://html5sec.org/#43
http://heideri.ch/opera
-
Other Browsers
Firefox 4 crashed badly on SVGs embedding JS
Chrome produces weird things when using <foreignObject> and <iframe>s
Opera deploys Java applets via SVG fonts
And what about other XML related attack patterns?
External entities
SVG Tiny 1.2 Java Events
Entity bombs
Etc. etc.
Some browsers support SVG Masks, perfect for click-jacking
-
Wrap-Up
SVGs are not just images but mini-applications
Embedded object tags can now deploy Java, PDF and Flash and call you on Skype
In-line SVG creates small XML islands enabling XML attacks on HTML websites
SVG and XSLT work too, enabling DoS and other attacks
Web-security and XML security, they meet again
And XXE is back, remember 2002's advisories?
SVG is not getting enough attention in the security community
SVG provides a lot of room for more security research
-
Defense
More difficult than one might assume
No existing filter libs
No good documentation
XSS vectors are hard to comprehend
New vectors coming up weekly
SVG files should not be perceived as images
Allowing SVG for upload == allowing HTML for upload
SVG can embed, link or reference any kind of content over cross domain borders
SVG provides new ways of payload obfuscation
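The upload rule above (allowing SVG == allowing HTML) is easiest to act on with a scanner that refuses SVG files carrying any of the feature classes these slides name: script elements and event handlers (Scripting), javascript: links that XML entity decoding can hide (Scoping, payload obfuscation), foreignObject and animated href attributes, references to other origins, XSLT processing instructions, and DOCTYPE/entity declarations (XXE, entity bombs). The following Python is an added example: it is not code from the slides and not the SVG Purifier mentioned under Future Work. The sample documents, the host name attacker.example and the finding labels are constructed for illustration. It is a classifier for an upload gate, not a sanitizer: it decides whether to refuse a file, it does not try to clean one.

```python
# Added example (not from the slides, not the SVG Purifier): an upload gate that
# refuses SVG files carrying active content. The sample documents are constructed.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Attributes whose values are URLs (or, for animations, URL targets) and can
# therefore carry javascript:/data: schemes or point at remote content.
URL_ATTRS = {"href", "src", "to", "from", "values"}
SCRIPT_SCHEMES = {"javascript", "vbscript"}


def _split_name(qname):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def url_scheme(url):
    """Scheme of a URL after the control/whitespace stripping browsers apply to 'java\\tscript:'."""
    cleaned = re.sub(r"[\x00-\x20]", "", url).lower()
    match = re.match(r"([a-z][a-z0-9+.-]*):", cleaned)
    return match.group(1) if match else ""


def scan_svg(data):
    """Return a list of (finding, detail) tuples for an SVG given as bytes.

    An empty list means nothing active was found; anything else is a reason to
    refuse the upload (or to rasterize it instead of serving the source).
    """
    findings = []
    text = data.decode("utf-8", "replace")
    # A DOCTYPE can declare entities (XXE, entity bombs): refuse before any parser expands them.
    if re.search(r"<!DOCTYPE|<!ENTITY", text, re.I):
        return [("doctype", "DOCTYPE/entity declaration present; not parsed")]
    # ElementTree drops processing instructions, so catch xml-stylesheet (XSLT) on the raw text.
    for pi in re.findall(r"<\?xml-stylesheet[^>]*\?>", text, re.I):
        findings.append(("xslt", pi))
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("malformed", str(exc))]
    for el in root.iter():
        ns, tag = _split_name(el.tag)
        if ns != SVG_NS:  # XHTML etc. smuggled in, usually inside foreignObject
            findings.append(("foreign-namespace", f"<{tag}> in {ns or 'no namespace'}"))
        if tag == "script":
            findings.append(("script", (el.text or "").strip()[:40]))
        elif tag == "foreignObject":
            findings.append(("foreign-object", "foreignObject element"))
        elif tag in ("set", "animate") and el.get("attributeName", "").endswith("href"):
            # Animations can rewrite a harmless href into javascript: after load.
            findings.append(("animated-href", f"{tag} -> {el.get('to') or el.get('values')}"))
        for attr, value in el.attrib.items():
            _, name = _split_name(attr)
            if name.lower().startswith("on"):
                findings.append(("event-handler", f"{name}={value!r}"))
            elif name in URL_ATTRS:
                # Entity references are already decoded here, so &#106;avascript: is visible.
                parts = value.split(";") if name == "values" else [value]
                for part in parts:
                    scheme = url_scheme(part)
                    if scheme in SCRIPT_SCHEMES:
                        findings.append(("script-url", f"<{tag} {name}={part!r}>"))
                    elif scheme == "data":
                        findings.append(("data-url", f"<{tag} {name}>"))
                    elif scheme:  # any other absolute URL leaves the document
                        findings.append(("external-ref", f"<{tag} {name}={part!r}>"))
    return findings


def is_plain_image(data):
    """True when the scanner found nothing that makes the file more than a picture."""
    return not scan_svg(data)


# Constructed samples, one per finding class (not taken from the slides).
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "entity-obfuscated": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                         b'<a xlink:href="&#106;ava&#9;script:alert(1)"><text y="10">x</text></a></svg>',
    "animated": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<a xlink:href="#"><text y="10">x</text>'
                b'<set attributeName="xlink:href" to="javascript:alert(1)"/></a></svg>',
    "xxe": b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text y="10">&xxe;</text></svg>',
    "remote": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<image xlink:href="http://attacker.example/x.png" width="1" height="1"/></svg>',
    "xslt": b'<?xml-stylesheet type="text/xsl" href="http://attacker.example/x.xsl"?>'
            b'<svg xmlns="http://www.w3.org/2000/svg"/>',
    "foreign": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
               b'<iframe xmlns="http://www.w3.org/1999/xhtml" src="http://attacker.example/"/>'
               b'</foreignObject></svg>',
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:18} {'accept' if is_plain_image(doc) else 'REJECT'} {scan_svg(doc)}")
```

Run it on a candidate upload and reject when scan_svg returns anything; if user SVG has to be accepted at all, render it to a raster format server-side rather than serving the source. Because the attribute checks run on the parsed tree, `&#106;ava&#9;script:` is seen as `javascript:`, which a pattern over the raw bytes would miss. The DOCTYPE check deliberately runs on the raw text before parsing so an entity bomb never reaches the parser, and the XSLT check is on the raw text because ElementTree discards processing instructions.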
-
Future Work
SVG Purifier
Based on HTMLPurifier 4.2.0
Still very young, and so far unpublished
More articles on the HTML5 Sec Cheatsheet Wiki (Publications) to raise awareness
Academic publication is in preparation
More demo vectors on the H5SC to demonstrate impact
OWASP research and documentation?
-
Links
Wikipedia on SVG: http://en.wikipedia.org/wiki/Scalable_Vector_Graphics
W3C SVG Working Group: http://www.w3.org/Graphics/SVG/
SVG Full 1.1 (W3C): http://www.w3.org/TR/SVG11/
SVG Basic 1.1 and SVG Tiny 1.2: http://www.w3.org/TR/SVGMobile/
SVG 2.0: http://dev.w3.org/SVG/profiles/2.0/publish/intro.html
Adobe's SVG Zone: http://www.adobe.com/svg/
H5SC: http://html5sec.org/
XSLT and SVG: http://scarybeastsecurity.blogspot.com/2011/01/harmless-svg-xslt-curiousity.html
Opera SVG Bug: http://heideri.ch/opera/
HTMLPurifier: http://htmlpurifier.org/
JSBin: http://jsbin.com/
More SVG fun: http://maliciousmarkup.blogspot.com/2008/11/svg-and-more-xml-fun.html
-
Thanks
Thanks for listening
Questions? Comments?
Discussion and tool preview?
Thanks to
Gareth Heyes and Manuel Caballero from UH
Alexey Silin / LeverOne
Dave Ross