Crouching tiger - hidden payload: security risks of scalable vectors graphics

M. Heiderich, Tilman Frosch, Meiko Jensen, Thorsten Holz
{"title":"Crouching tiger - hidden payload: security risks of scalable vectors graphics","authors":"M. Heiderich, Tilman Frosch, Meiko Jensen, Thorsten Holz","doi":"10.1145/2046707.2046735","DOIUrl":null,"url":null,"abstract":"Scalable Vector Graphics (SVG) images so far played a rather small role on the Internet, mainly due to the lack of proper browser support. Recently, things have changed: the W3C and WHATWG draft specifications for HTML5 require modern web browsers to support SVG images to be embedded in a multitude of ways. Now SVG images can be embedded through the classical method via specific tags such as or , or in novel ways, such as with tags, CSS or inline in any HTML5 document. SVG files are generally considered to be plain images or animations, and security-wise, they are being treated as such (e.g., when an embedment of local or remote SVG images into websites or uploading these files into rich web applications takes place). Unfortunately, this procedure poses great risks for the web applications and the users utilizing them, as it has been proven that SVG files must be considered fully functional, one-file web applications potentially containing HTML, JavaScript, Flash, and other interactive code structures. We found that even more severe problems have resulted from the often improper handling of complex and maliciously prepared SVG files by the browsers.\n In this paper, we introduce several novel attack techniques targeted at major websites, as well as modern browsers, email clients and other comparable tools. In particular, we illustrate that SVG images embedded via tag and CSS can execute arbitrary JavaScript code. We examine and present how current filtering techniques are circumventable by using SVG files and subsequently propose an approach to mitigate these risks. The paper showcases our research into the usage of SVG images as attack tools, and determines its impact on state-of-the-art web browsers such as Firefox 4, Internet Explorer 9, and Opera 11.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":"88 1","pages":"239-250"},"PeriodicalIF":0.0000,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"21","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2046707.2046735","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 21

Abstract

Scalable Vector Graphics (SVG) images so far played a rather small role on the Internet, mainly due to the lack of proper browser support. Recently, things have changed: the W3C and WHATWG draft specifications for HTML5 require modern web browsers to support SVG images to be embedded in a multitude of ways. Now SVG images can be embedded through the classical method via specific tags such as or , or in novel ways, such as with tags, CSS or inline in any HTML5 document. SVG files are generally considered to be plain images or animations, and security-wise, they are being treated as such (e.g., when an embedment of local or remote SVG images into websites or uploading these files into rich web applications takes place). Unfortunately, this procedure poses great risks for the web applications and the users utilizing them, as it has been proven that SVG files must be considered fully functional, one-file web applications potentially containing HTML, JavaScript, Flash, and other interactive code structures. We found that even more severe problems have resulted from the often improper handling of complex and maliciously prepared SVG files by the browsers. In this paper, we introduce several novel attack techniques targeted at major websites, as well as modern browsers, email clients and other comparable tools. In particular, we illustrate that SVG images embedded via tag and CSS can execute arbitrary JavaScript code. We examine and present how current filtering techniques are circumventable by using SVG files and subsequently propose an approach to mitigate these risks. The paper showcases our research into the usage of SVG images as attack tools, and determines its impact on state-of-the-art web browsers such as Firefox 4, Internet Explorer 9, and Opera 11.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
卧虎藏虎——隐藏载荷:可伸缩矢量图形的安全风险
迄今为止,可缩放矢量图形(SVG)图像在Internet上的作用相当小,这主要是由于缺乏适当的浏览器支持。最近,情况发生了变化:W3C和WHATWG的HTML5规范草案要求现代web浏览器支持以多种方式嵌入SVG图像。现在,SVG图像可以通过传统方法通过特定的标记(如或)嵌入,或者以新颖的方式嵌入,例如在任何HTML5文档中使用标记、CSS或内联。SVG文件通常被认为是纯图像或动画,并且从安全角度来看,它们被视为纯图像或动画(例如,当将本地或远程SVG图像嵌入到网站中或将这些文件上传到富web应用程序中时)。不幸的是,这个过程给web应用程序和使用它们的用户带来了很大的风险,因为已经证明SVG文件必须被认为是功能齐全的、单文件的web应用程序,可能包含HTML、JavaScript、Flash和其他交互式代码结构。我们发现,更严重的问题是由于浏览器对复杂和恶意准备的SVG文件的处理不当造成的。在本文中,我们介绍了几种针对主要网站,以及现代浏览器,电子邮件客户端和其他类似工具的新型攻击技术。特别地,我们说明了通过标记和CSS嵌入的SVG图像可以执行任意JavaScript代码。我们将研究并展示如何通过使用SVG文件规避当前的过滤技术,并随后提出一种减轻这些风险的方法。本文展示了我们对使用SVG图像作为攻击工具的研究,并确定了它对最先进的web浏览器(如Firefox 4、Internet Explorer 9和Opera 11)的影响。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
CiteScore
9.20
自引率
0.00%
发文量
0
期刊最新文献
The Danger of Minimum Exposures: Understanding Cross-App Information Leaks on iOS through Multi-Side-Channel Learning. WristPrint: Characterizing User Re-identification Risks from Wrist-worn Accelerometry Data. CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, Republic of Korea, November 15 - 19, 2021 WAHC '21: Proceedings of the 9th on Workshop on Encrypted Computing & Applied Homomorphic Cryptography, Virtual Event, Korea, 15 November 2021 Incremental Learning Algorithm of Data Complexity Based on KNN Classifier
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1