# SVG SSRF Cheatsheet

Hosts that process SVG can potentially be vulnerable to SSRF, LFI, XSS or RCE because of the rich feature set of SVG.

All of these methods specify a URI, which can be absolute or relative. The file and HTTP protocols are important to test, but an implementation may also support other protocols (e.g. PHP stream schemes), including javascript: and data:.

This document contains a list of all the ways I know about to abuse this functionality in SVG.

Note that some services that claim to not accept SVG as an input format actually do with a little coaxing.

* For uploads, send a JPEG/PNG mime type and filename.
* For downloads, have a JPEG/PNG filename and mime type. If refused, check for TOCTOU on the URL (double fetch) and if it follows redirects.
* I haven't seen it, but MIME sniffing confusion is probably also possible, as SVG is difficult to sniff because it can start with extra XML garbage. In fact, AFAICT the standard `file` command doesn't include any SVG magic, so it's likely up to the individual implementations.

# Images

SVG can include external images directly via the `<image>` tag.

``` xml
```

Note that you can use this to include *other SVG* images too.

# The `<use>` tag

SVG can include external SVG content via the `<use>` tag.

file1.svg:
``` xml
```

file2.svg:
```
```

# CSS

## CSS Stylesheet `<?xml-stylesheet?>`

SVG can include external stylesheets via the `<?xml-stylesheet?>` processing instruction, just like HTML.

``` xml
```

## CSS stylesheet via `@include`

``` xml
```

## CSS Stylesheet via `<link>`

``` xml
```

# XSLT

SVGs can include XSLT stylesheets via `<?xml-stylesheet?>`. Surprisingly, this does seem to work in Chrome.

``` xml
```

``` xml
```

Note: due to the nature of XSLT, the input doesn't actually *have* to be a valid SVG file if the xml-stylesheet is ignored, but it's useful to bypass filters.

Also, because I have no interest in learning XSLT, this template just wholesale replaces the entire "old" image with the new one.

# Javascript

## Inline

SVG can natively include inline javascript, just like HTML.

``` xml
```

## External

SVG can also include external scripts.

``` xml
```

## Inline in event

SVG can also have inline event handlers that get executed onload.

``` xml
```

You can also bind handlers to animations and some other events. Read the SVG spec.

# XXE

Because SVG is XML, it can also have XXEs:

``` xml
]>
My &xxe;
```

# `<foreignObject>`

The `<foreignObject>` tag is insane. It can be used to include arbitrary (X)HTML in an SVG.

For example, to include an iframe:

``` xml
```
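Added example, not part of this cheatsheet or of any project it describes: a server-side scanner that takes the raw bytes of an upload, sniffs whether they are SVG regardless of the filename or MIME type the client sent (the coaxing tricks listed at the top), and reports which of the features from the sections above the file uses: `<image>`, `<use>`, `<link>` and `<script>` hrefs, `<?xml-stylesheet?>` (CSS or XSLT), `@import`/`url()` in styles, inline scripts and `on*` event handlers, external entities and DTDs, XHTML inside `<foreignObject>`, and `javascript:`/`data:` URIs. It uses only Python's standard-library expat binding and registers no external-entity handler, so nothing is ever fetched while scanning. The hosts in the constructed sample files are placeholders, and the `@import`/`url(` checks are plain substring matches rather than a CSS parser.

```python
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"
XHTML_NS = "http://www.w3.org/1999/xhtml"
# Elements from the cheatsheet that load a URI, run code or embed foreign markup.
FLAGGED_ELEMENTS = {"image", "use", "script", "link", "style", "foreignObject"}
# URI schemes the cheatsheet singles out as executable/embedded content.
ACTIVE_SCHEMES = ("javascript:", "data:")


def _split(name):
    """Expat in namespace mode reports names as 'namespace local'; split them."""
    ns, _, local = name.rpartition(" ")
    return ns, local


def scan_svg(data: bytes) -> dict:
    """Parse the bytes once with expat and return
    {"is_svg": bool, "findings": [(kind, detail), ...]}.
    No ExternalEntityRefHandler is registered, so declared external entities
    are reported but never resolved; the external DTD subset is never loaded."""
    findings, root, style_text, in_style = [], [], [], [False]

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:          # <!ENTITY x SYSTEM "..."> (XXE section)
            findings.append(("external-entity", f"{name} -> {system_id or public_id}"))

    def doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:          # external DTD reference
            findings.append(("external-dtd", system_id or public_id))

    def pi(target, text):
        if target == "xml-stylesheet":      # CSS or XSLT stylesheet (CSS/XSLT sections)
            findings.append(("xml-stylesheet", text.strip()))

    def start(name, attrs):
        ns, local = _split(name)
        if not root:
            root.append((ns, local))        # remember the document element for sniffing
        if ns == XHTML_NS:                  # HTML smuggled in via <foreignObject>
            findings.append(("xhtml-content", local))
        if local in FLAGGED_ELEMENTS:
            uri = next((v for k, v in attrs.items() if _split(k)[1] in ("href", "src")), "")
            findings.append((f"element:{local}", uri))
            if local == "style":
                in_style[0] = True
        for key, value in attrs.items():
            attr = _split(key)[1]           # handles both href and xlink:href
            if attr.startswith("on"):       # onload= and friends (Javascript section)
                findings.append(("event-handler", f"{attr}={value!r}"))
            if attr in ("href", "src") and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(("uri-scheme", value.split(":", 1)[0]))
            if attr == "style" and ("@import" in value or "url(" in value):
                findings.append(("css-import", value))

    def chars(text):
        if in_style[0]:
            style_text.append(text)         # expat may deliver text in several chunks

    def end(name):
        if _split(name)[1] == "style":
            css = "".join(style_text)
            if "@import" in css or "url(" in css:
                findings.append(("css-import", css.strip()))
            style_text.clear()
            in_style[0] = False

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.EntityDeclHandler = entity_decl
    parser.StartDoctypeDeclHandler = doctype
    parser.ProcessingInstructionHandler = pi
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        return {"is_svg": False, "findings": [("not-xml", str(exc))]}
    # Sniff on the document element, not on filename or Content-Type: a renderer
    # that is handed these bytes as SVG ignores both, and so does the XML prolog.
    return {"is_svg": bool(root) and root[0][1] == "svg", "findings": findings}


def finding_kinds(data: bytes) -> set:
    return {kind for kind, _ in scan_svg(data)["findings"]}


# Constructed sample inputs, one per section of the cheatsheet; hosts are placeholders.
SVG = b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
SAMPLES = {
    "image": SVG + b'><image xlink:href="http://placeholder.invalid/a.png" width="1" height="1"/></svg>',
    "use": SVG + b'><use href="http://placeholder.invalid/b.svg#x"/></svg>',
    "css": SVG + b'><style>@import url("http://placeholder.invalid/a.css");</style></svg>',
    "xslt": b'<?xml version="1.0"?><?xml-stylesheet type="text/xsl" href="http://placeholder.invalid/t.xsl"?>' + SVG + b'/>',
    "inline": SVG + b'><script>run()</script></svg>',
    "script": SVG + b'><script href="http://placeholder.invalid/s.js"/></svg>',
    "onload": SVG + b' onload="run()"/>',
    "xxe": b'<?xml version="1.0"?><!-- leading junk --><!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder">]>' + SVG + b'><text>&ext;</text></svg>',
    "foreign": SVG + b'><foreignObject><iframe xmlns="http://www.w3.org/1999/xhtml" src="http://placeholder.invalid/"/></foreignObject></svg>',
    "plain": SVG + b'><circle r="5"/></svg>',
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:8} {scan_svg(blob)}")
```

Run it as a gate before an upload reaches ImageMagick, librsvg or a browser-based renderer: a file with any finding is rejected, or rasterized in a sandbox with no network and no filesystem access. The inline-script case is caught by the element name rather than a URI, so `<script>` is reported whether or not it carries an href; the same applies to `<foreignObject>`, which is flagged both for itself and for every XHTML element it wraps.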