AxDB

Accidental eXposures Database (AxDB) — a publication featuring groundbreaking, firsthand vulnerability exposures affecting leading organisations and cyber systems, to which news media and research community can subscribe.


Hacking Hacker Noon: Cross-Site Scripting attacks via crafted SVG images

Ax Sharma
6 min read · Jan 18, 2020


Hacker Noon profile section

My colleague Mike and I, while pondering the usual work stuff, began to casually discuss the potential of SVGs, in particular how neat it is that they are mere XML documents rendered as an image, which makes them perfect latent carriers of Cross-Site Scripting (XSS) payloads.

This isn’t novel either: it has been done many times before, and it is better than ‘traditional’ XSS attacks, which focus purely on injecting malicious scripts into existing HTML pages.

For those not familiar with XSS attacks, the idea is to inject malicious code into web pages where it does not belong. While conventional modes of attack rely on inserting malicious JavaScript and HTML into a particular input field, such as a website’s comment form, modern approaches involve “thinking outside the box.”
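Because an SVG is just XML, the same kind of parser that renders it can also enumerate the places where script could run. The following is an added defensive example, not code from the article or from Hacker Noon: it uses Python's standard `xml.etree`, builds its own constructed sample SVG, and applies to SVGs that are rendered inline or opened directly (browsers do not execute script in an SVG loaded through an `<img>` tag).

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the usual prefixes when re-serialising
ET.register_namespace("xlink", XLINK_NS)
ACTIVE_TAGS = {"script", "foreignObject"}          # elements that run or embed active content
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}         # a javascript: URL here executes on click
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _is_active_attr(attr: str, value: str) -> bool:
    """True for event handlers (onload, onclick, ...) and javascript: URLs."""
    return _local(attr).lower().startswith("on") or (
        attr in URL_ATTRS and bool(JS_SCHEME.match(value))
    )


def find_active_content(svg_text: str) -> list[str]:
    """Describe every place in the SVG where script could execute."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element <{tag}>")
        findings += [f"attribute {_local(a)} on <{tag}>"
                     for a, v in elem.attrib.items() if _is_active_attr(a, v)]
    return findings


def sanitize_svg(svg_text: str) -> str:
    """Return the SVG with active elements and attributes stripped, drawing intact."""
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):          # snapshot first: we mutate while walking
        for child in list(parent):
            if _local(child.tag) in ACTIVE_TAGS:
                parent.remove(child)
        for attr in [a for a, v in parent.attrib.items() if _is_active_attr(a, v)]:
            del parent.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a valid drawing that also carries three script vectors.
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" onload="alert(1)">
  <circle cx="50" cy="50" r="40" fill="green"/>
  <script>alert('svg')</script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">label</text></a>
</svg>"""
```

Running `find_active_content(SAMPLE_SVG)` reports the `onload` handler, the `<script>` element and the `javascript:` link, and `sanitize_svg` returns the same drawing with all three gone; an upload pipeline that accepts SVGs should reject or rewrite files on which the scan is non-empty.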

Scalable Vector Graphics (SVGs)

Bitmaps vs. SVGs | Wikipedia Commons

Scalable Vector Graphics (SVGs) are XML documents which represent an image as a set of curves
