Skip to main content
The Evil SVG Project Hero

The purpose of this article is to provide a repeatable means of performing cross-site scripting attacks via an SVG file.

SVG, otherwise known as "scalable vector graphics" in which an XML document used to build an image.

Evil-SVG-1

The above code generates the following image:

Evil-SVG-2

However, by introducing JavaScript or HTML within the SVG, it is possible to in effect store XSS payloads that execute whenever the SVG is loaded into the page's dynamic content.

Let's tweak it to add in some JavaScript and officially "weaponized" the SVG.

Evil-SVG-4

By simply adding a pair of script tags, an attacker can include any JavaScript functions, actions or even in a worst-case scenario remotely include a JavaScript file whenever the SVG is loaded.

In our case, we are using BeEF (Browser Exploitation Framework) to attack users of an application by including the BeEF JavaScript file within the page allows attackers to carry out attacks and get Beef Shells all from this SVG.

Take for example the following code:

Evil-SVG-5

With all of this in mind, seriously consider limiting or blocking SVGs from being uploaded. More often than not, developers have overlooked SVG as a potential threat vector and allow profile picture upload of malicious SVG files.

Additionally, if you are familiar with XXE attacks, this can also be used for that attack vector in some circumstances. If you aren't already scanning uploads regardless of their extension or mime type, it might be time to change that.

Long story short, if you can pop XSS within an SVG you can do pretty much anything up to and including store malicious JS, malicious XML or malicious HTML in-line.

Did you find this useful? Browse more like it on the RedTeam Security blog!

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at (952) 836-2770 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.

Having trouble viewing the Scoping Questionnaire? Check to see if an ad-blocker is keeping the page from loading properly.

Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.