Crouching Tiger - Hidden Payload: Security Risks of Scalable Vectors Graphics

Mario Heiderich, Tilman Frosch, Meiko Jensen, Thorsten Holz

18th ACM Conference on Computer and Communications Security (CCS), Chicago, IL, October 2011


Abstract

Scalable Vector Graphics (SVG) images have so far played a rather small role on the Internet, mainly due to the lack of proper browser support. Recently, things have changed: the W3C and WHATWG draft specifications for HTML5 require modern web browsers to support SVG images embedded in a multitude of ways. SVG images can now be embedded through the classical method via specific tags such as <embed> or <object>, or in novel ways, such as with <img> tags, CSS, or inline in any HTML5 document.

SVG files are generally considered to be plain images or animations, and security-wise they are treated as such (e.g., when local or remote SVG images are embedded into websites, or when these files are uploaded into rich web applications). Unfortunately, this procedure poses great risks for web applications and the users utilizing them, as it has been proven that SVG files must be considered fully functional, one-file web applications potentially containing HTML, JavaScript, Flash, and other interactive code structures. We found that even more severe problems result from the often improper handling of complex and maliciously prepared SVG files by browsers.

In this paper, we introduce several novel attack techniques targeted at major websites, as well as modern browsers, email clients and other comparable tools. In particular, we illustrate that SVG images embedded via <img> tags and CSS can execute arbitrary JavaScript code. We examine and present how current filtering techniques can be circumvented using SVG files, and subsequently propose an approach to mitigate these risks. The paper showcases our research into the usage of SVG images as attack tools, and determines its impact on state-of-the-art web browsers such as Firefox 4, Internet Explorer 9, and Opera 11.
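The abstract's central point is that an SVG file accepted as a "plain image" may in fact carry script, event handlers, embedded HTML and script-scheme URLs. The following added example (not the paper's mitigation approach and not code from the authors) is a defender-side pre-upload check that parses an SVG with Python's standard library and reports such active content; the element and attribute names it flags, and both sample documents, are this example's own constructed choices.

```python
import xml.etree.ElementTree as ET

# Elements that let an SVG carry executable or embedded content (assumed list).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value is a URL or an animation target and may use a javascript: scheme.
URL_ATTRIBUTES = {"href", "from", "to", "values"}


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def _is_script_url(value):
    """True if the value is a javascript: URL once embedded whitespace is removed."""
    return "".join(value.split()).lower().startswith("javascript:")


def find_active_content(svg_text):
    """Return sorted findings describing active content in an SVG document string."""
    findings = set()
    for elem in ET.fromstring(svg_text).iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.add(f"element:{tag}")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):              # onload, onclick, onbegin, ...
                findings.add(f"event-handler:{name}")
            elif name in URL_ATTRIBUTES and _is_script_url(value):
                findings.add(f"url-scheme:{name}")
    return sorted(findings)


def is_plain_image(svg_text):
    """Accept an upload only when the parser finds no active content."""
    return not find_active_content(svg_text)


# Constructed samples (not from the paper): a benign drawing and one carrying active content.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
ACTIVE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'onload="init()"><a xlink:href="java\nscript:void(0)"><text>x</text></a>'
    '<script>init()</script></svg>'
)

if __name__ == "__main__":
    print(find_active_content(BENIGN_SVG))  # []
    print(find_active_content(ACTIVE_SVG))  # ['element:script', 'event-handler:onload', 'url-scheme:href']
```

A check like this only covers the constructs it lists; the paper's own finding is that filters built this way have been bypassed, so it belongs in front of, not instead of, serving uploads from a separate origin and treating SVG as active content.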

[PDF]

Tags: javascript, web security