1 The Image that called me Active Content Injection with SVG Files A presentation by Mario Heiderich, 2011
2 Introduction Mario Heiderich Researcher and PhD student at the Ruhr- University, Bochum Security Researcher for Microsoft, Redmond Security Consultant for XING AG, Hamburg Published author and international speaker HTML5 Security Cheatsheet / H5SC PHPIDS Project
3 Today SVGs and the modern web What are SVGs? What are they capable of? Which browsers understand SVG? Why there are conflicted areas? And what does that have to do with security?
4 SVG Images Scalable Vector Graphics XML based, therefore Versatile Accessible Compressible Stylable w. CSS Open Great for mobile devices Easy to parse and process Ancient format, older than 10 years Relations to HTML5, the living standard
5 SVG History Proposed by several W3C members in 1998 Derived from Adobe Postscript and VML Developed in 1999 Currently at version 1.1 Version 1.2 still a working draft Might be overtaken by SVG 2.0 Good browser support Gecko, Webkit, Presto, and Trident
6 Basic Example <svg xmlns= > <circle r= 40 fill= red ></circle> </svg>
7 SVG Family SVG Tiny 1.2 Designed for cellphones and smart-phones 47 Tags SVG Basic 1.1 Designed for handhelds, tablets and net-books 71 tags SVG Full 1.1 Full feature set 81 tags
8 Features Geometrical shapes Circles, ellipses, squares, lines and more SVG fonts Font specific formatting and glyph styles Links Animations and Transformations Gradients and Effects Meta-data Scripting and Events Inclusion of arbitrary objects
9 SVG in Action
12 Deploying SVGs Several ways of deploying SVGs, implemented by modern browsers Five important ones are: Opening the file directly Deployment via <object> or <embed> Deployment via <img> or <image> Deployment via CSS background/liststyle/content/cursor In-line SVG
13 Security Boundaries SVG capabilities based on deployment method A model, based on expectations Heterogeneous implementations And a whole new world of bugs and vulnerabilities
16 In-line SVG Suggested by the HTML5 specs Working on all modern browsers except Opera No strict XML parser anymore <svg><circle r=40 fill=red></svg> See no quotes, no trailing slash Reduced feature set <svg> introduces many new XSS vectors XSS filter bypasses
17 Scoping SVG images are treated by browsers as XML Same is for in-line SVG blocks XML treats plain-text tags differently Entities and canonical character representations are treated equally 0-Day filter bypasses ahead This enables a new attack technique on Firefox DEMO And it's even worse In-line SVG self-terminates open HTML elements
19 Other Browsers Firefox 4 crashed badly on SVGs embedding JS Chrome produces weird things when using <foreignobject> and <iframes Opera deploys Java applets via SVG fonts And what about other XML related attack patterns? External entities SVG Tiny 1.2 Java Events Entity bombs Etc. etc. Some browsers support SVG Masks, perfect for clickjacking
20 Wrap-Up SVGs are not just images but mini-applications <img> tags can now deploy Java, PDF and Flash and call you on Skype In-line SVG creates small XML islands enabling XML attacks on HTML websites SVG and XSLT work too, enabling DoS and other attacks Web-security and XML security, they meet again! And XXE is back remember 2002's advisories? SVG is not getting enough attention in the security community SVG provides a lot of room for more security research
21 Defense More difficult than one might assume No existing filter libs No good documentation XSS vectors are hard to comprehend New vectors coming up weekly SVG files should not be perceived as images Allowing SVG for upload == allowing HTML for upload SVG can embed, link or reference any kind of content over cross domain borders SVG provides new ways of payload obfuscation
22 Future Work SVG Purifier Based on HTMLPurifier Still very young, and so far unpublished More articles on the HTML5 Sec Cheatsheet Wiki Publications, to raise awareness Academic publication is in preparation More demo vectors on the H5SC to demonstrate impact OWASP research and documentation?
23 Links Wikipedia on SVG W3C SVG Working Group SVG Full 1.1 (W3C) SVG Basic 1.1 and SVG Tiny SVG Adobe's SVG Zone H5SC XSLT and SVG Opera SVG Bug HTMLPurifier JSBin More SVG fun
24 Thanks Thanks for listening Questions Comments? Discussion and tool preview? Thanks to Gareth Heyes and Manuel Caballero from UNH Alexey Silin / LeverOne Dave Ross
Polyglots: Crossing Origins by Crossing Formats Jonas Magazinius Chalmers University of Technology Gothenburg, Sweden email@example.com Billy K. Rios Cylance, Inc. Irvine, CA, USA Andrei Sabelfeld
Creating Mobile Learning 7 key steps to designing and developing effective mobile learning kineo Creating Mobile Learning Scoping and scheduling your mobile Step 1: 03 learning project Producing the overall
Hot Potatoes version 6 Half-Baked Software Inc., 1998-2009 p1 Table of Contents Contents 4 General introduction and help 4 What do these programs do? 4 Conditions for using Hot Potatoes 4 Notes for upgraders
COMPUTING AT SCHOOL EDUCATE ENGAGE ENCOURAGE In collaboration with BCS, The Chartered Institute for IT Computing in the national curriculum A guide for primary teachers Computing in the national curriculum
All Your Clouds are Belong to us Security Analysis of Cloud Management Interfaces Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk Chair for Network and Data Security Horst Görtz Institute
Online Album Show your photos & videos online Manual 2 Copyright Copyright MAGIX is a registered trademark of MAGIX AG. "Online Photo" is a product name of MAGIX AG. Other mentioned product names may be
WHITE PAPER Detecting and Blocking Site Scraping Attacks Protecting Valuable Data and Intellectual Property from Online Thieves Data theft is one of the most dangerous threats for online businesses today.
Exposing Private Information by Timing Web Applications Andrew Bortz Stanford University firstname.lastname@example.org Dan Boneh Stanford University email@example.com Palash Nandy firstname.lastname@example.org ABSTRACT
Protecting Browsers from DNS Rebinding Attacks Collin Jackson Stanford University email@example.com Weidong Shao Stanford University firstname.lastname@example.org Adam Barth Stanford University email@example.com
me What s new in 3.2? 1 Introduction... 3 New features in 3.2... 3 New text editor... 3 Useful features in the editor... 4 Messages... 5 Actions... 6 Message filters... 7 Drafts folder... 7 Favourites...
Data protection Protecting personal data in online services: learning from the mistakes of others May 2014 Contents Introduction... 2 What the DPA says... 4 Software security updates... 5 Software security
Bittersweet cookies. Some security and privacy considerations Abstract Cookies have emerged as one of the most convenient solutions to keep track of browser server interaction. Nevertheless, they continue
Automatically Detecting Vulnerable Websites Before They Turn Malicious Kyle Soska and Nicolas Christin, Carnegie Mellon University https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/soska
How to Write a Good Postgraduate RESEARCH PROPOSAL Introduction This guide provides practical information to those who have been asked to submit a research proposal as part of their application for admissions
Special Publication 800-125 Guide to Security for Full Virtualization Technologies Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Paul Hoffman NIST
Camera Base Version 1.6.1 User Guide Mathias Tobler October 2014 Table of contents 1 Introduction... 3 2 License... 4 3 Overview... 5 3.1 Data Management... 5 3.2 Analysis and outputs... 5 4 Installation...
Programming from the Ground Up Jonathan Bartlett Edited by Dominick Bruno, Jr. Programming from the Ground Up by Jonathan Bartlett Edited by Dominick Bruno, Jr. Copyright 2003 by Jonathan Bartlett Permission
Annotea and Semantic Web Supported Collaboration Marja-Riitta Koivunen, Ph.D. Annotea project Abstract Like any other technology, the Semantic Web cannot succeed if the applications using it do not serve
Is Connectivity A Human Right? For almost ten years, Facebook has been on a mission to make the world more open and connected. For us, that means the entire world not just the richest, most developed countries.
Good news! I just approved your request to upgrade your desktop to Windows 2003. There are many projects in Head First C# where you build Windows Store apps that require Windows 8. In this appendix, you'll
Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna UC Santa Barbara Santa
Introduction to Microsoft Publisher : Tools You May Need 1. Why use Publisher instead of Word for creating fact sheets, brochures, posters, newsletters, etc.? While both Word and Publisher can create documents
Michael Hunter's You Are Not Done Yet checklist (c) 2010 Michael J. Hunter You Are Not Done Yet Pick something. Anything. A feature in your favorite software application, your favorite toy, your favorite
Self-Paced Course In this course you will explore and develop your unique leadership style, and identify what kind of leadership would be most effective for your particular situation. You will create a
COUNTER Online Metrics www.projectcounter.org The COUNTER Code of Practice for e-resources: Release 4 Published April 2012 Abstract COUNTER provides an international, extendible Code of Practice for e-resources
These guidelines were prepared by the Accessible Information Working Group: Rozanne Barrow, Maura Bolger, Frances Casey, Sarah Cronin, Teresa Gadd, Karen Henderson, Aine Ní Aileagáin, Stephanie O'Connor,