Skip to content

Offensive Security Experts

Customizable solutions to educate clients, identify security risks, inform intelligent business decisions, and enable you to reduce your attack surface digitally, physically and socially.

Red Teaming®

A multi-layered attack simulation designed to measure how well a company’s people and networks, applications, and physical security controls can withstand an attack from an adversary.

Penetration Testing

Inspects your network, application, device, and physical security through the eyes of BOTH a malicious actor and an experienced cybersecurity expert.

Social Engineering

Commonly known as “people hacking,” we aim to identify venerabilities by accessing a system, device, or physical premises.

Is You're Company Compliant?

RedTeam Security are the experts in helping you meet your industry’s security compliance standards, from banking to healthcare, retail and beyond.

PCI Penetration Testing

NERC CIP Compliance

HIPAA Penetration Testing

FDIC Penetration Testing

Cryptocurrency Compliance

The Evil SVG Project

SVG Project

The purpose of this article is to provide a repeatable means of performing cross-site scripting attacks via an SVG file.

SVG, otherwise known as “scalable vector graphics” in which an XML document used to build an image.

Evil-SVG-1

The above code generates the following image:

Evil-SVG-2

However, by introducing JavaScript or HTML within the SVG, it is possible to in effect store XSS payloads that execute whenever the SVG is loaded into the page’s dynamic content.

Let’s tweak it to add in some JavaScript and officially “weaponized” the SVG.

Evil-SVG-4

By simply adding a pair of script tags, an attacker can include any JavaScript functions, actions or even in a worst-case scenario remotely include a JavaScript file whenever the SVG is loaded.

In our case, we are using BeEF (Browser Exploitation Framework) to attack users of an application by including the BeEF JavaScript file within the page allows attackers to carry out attacks and get Beef Shells all from this SVG.

Take for example the following code:

Evil-SVG-5

With all of this in mind, seriously consider limiting or blocking SVGs from being uploaded. More often than not, developers have overlooked SVG as a potential threat vector and allow profile picture upload of malicious SVG files.

Additionally, if you are familiar with XXE attacks, this can also be used for that attack vector in some circumstances. If you aren’t already scanning uploads regardless of their extension or mime type, it might be time to change that.

Long story short, if you can pop XSS within an SVG you can do pretty much anything up to and including store malicious JS, malicious XML or malicious HTML in-line.

Did you find this useful? Browse more like it on the RedTeam blog!

10-Point Offensive Security Checklist

Get A Bird's Eye View Of Your Organization's Security Readiness

Services Datasheet

Recent Posts

Featured On

National TV news and media outlets often consult with us for our expertise as a
boutique, high-touch ethical hacking firm highly trained in a narrow field of cyber
security. Please click on any logo below to view the featured story.