M. Heiderich, Tilman Frosch, Meiko Jensen, Thorsten Holz
{"title":"Crouching tiger - hidden payload: security risks of scalable vectors graphics","authors":"M. Heiderich, Tilman Frosch, Meiko Jensen, Thorsten Holz","doi":"10.1145/2046707.2046735","DOIUrl":null,"url":null,"abstract":"Scalable Vector Graphics (SVG) images so far played a rather small role on the Internet, mainly due to the lack of proper browser support. Recently, things have changed: the W3C and WHATWG draft specifications for HTML5 require modern web browsers to support SVG images to be embedded in a multitude of ways. Now SVG images can be embedded through the classical method via specific tags such as or , or in novel ways, such as with tags, CSS or inline in any HTML5 document. SVG files are generally considered to be plain images or animations, and security-wise, they are being treated as such (e.g., when an embedment of local or remote SVG images into websites or uploading these files into rich web applications takes place). Unfortunately, this procedure poses great risks for the web applications and the users utilizing them, as it has been proven that SVG files must be considered fully functional, one-file web applications potentially containing HTML, JavaScript, Flash, and other interactive code structures. We found that even more severe problems have resulted from the often improper handling of complex and maliciously prepared SVG files by the browsers.\n In this paper, we introduce several novel attack techniques targeted at major websites, as well as modern browsers, email clients and other comparable tools. In particular, we illustrate that SVG images embedded via tag and CSS can execute arbitrary JavaScript code. We examine and present how current filtering techniques are circumventable by using SVG files and subsequently propose an approach to mitigate these risks. The paper showcases our research into the usage of SVG images as attack tools, and determines its impact on state-of-the-art web browsers such as Firefox 4, Internet Explorer 9, and Opera 11.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":"88 1","pages":"239-250"},"PeriodicalIF":0.0000,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"21","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2046707.2046735","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 21
Abstract
Scalable Vector Graphics (SVG) images so far played a rather small role on the Internet, mainly due to the lack of proper browser support. Recently, things have changed: the W3C and WHATWG draft specifications for HTML5 require modern web browsers to support SVG images to be embedded in a multitude of ways. Now SVG images can be embedded through the classical method via specific tags such as or , or in novel ways, such as with tags, CSS or inline in any HTML5 document. SVG files are generally considered to be plain images or animations, and security-wise, they are being treated as such (e.g., when an embedment of local or remote SVG images into websites or uploading these files into rich web applications takes place). Unfortunately, this procedure poses great risks for the web applications and the users utilizing them, as it has been proven that SVG files must be considered fully functional, one-file web applications potentially containing HTML, JavaScript, Flash, and other interactive code structures. We found that even more severe problems have resulted from the often improper handling of complex and maliciously prepared SVG files by the browsers.
In this paper, we introduce several novel attack techniques targeted at major websites, as well as modern browsers, email clients and other comparable tools. In particular, we illustrate that SVG images embedded via tag and CSS can execute arbitrary JavaScript code. We examine and present how current filtering techniques are circumventable by using SVG files and subsequently propose an approach to mitigate these risks. The paper showcases our research into the usage of SVG images as attack tools, and determines its impact on state-of-the-art web browsers such as Firefox 4, Internet Explorer 9, and Opera 11.
迄今为止,可缩放矢量图形(SVG)图像在Internet上的作用相当小,这主要是由于缺乏适当的浏览器支持。最近,情况发生了变化:W3C和WHATWG的HTML5规范草案要求现代web浏览器支持以多种方式嵌入SVG图像。现在,SVG图像可以通过传统方法通过特定的标记(如或)嵌入,或者以新颖的方式嵌入,例如在任何HTML5文档中使用标记、CSS或内联。SVG文件通常被认为是纯图像或动画,并且从安全角度来看,它们被视为纯图像或动画(例如,当将本地或远程SVG图像嵌入到网站中或将这些文件上传到富web应用程序中时)。不幸的是,这个过程给web应用程序和使用它们的用户带来了很大的风险,因为已经证明SVG文件必须被认为是功能齐全的、单文件的web应用程序,可能包含HTML、JavaScript、Flash和其他交互式代码结构。我们发现,更严重的问题是由于浏览器对复杂和恶意准备的SVG文件的处理不当造成的。在本文中,我们介绍了几种针对主要网站,以及现代浏览器,电子邮件客户端和其他类似工具的新型攻击技术。特别地,我们说明了通过标记和CSS嵌入的SVG图像可以执行任意JavaScript代码。我们将研究并展示如何通过使用SVG文件规避当前的过滤技术,并随后提出一种减轻这些风险的方法。本文展示了我们对使用SVG图像作为攻击工具的研究,并确定了它对最先进的web浏览器(如Firefox 4、Internet Explorer 9和Opera 11)的影响。