My colleague, Mike and I while pondering usual work stuff, began to casually discuss the potential of SVGs, especially how cool is that they are mere XML documents represented as an image — enabling them to act as the perfect latent carriers of Cross-Site Scripting (XSS) payloads.
This isn’t novel either — it’s been done many times before, and it’s better than ‘traditional’ XSS attacks which focus purely on injecting malicious scripts within existing HTML pages.
For those not familiar with XSS attacks, it’s to do with being able to inject malicious code within webpages where it’s not supposed to be. While conventional modes of attack rely on inserting malicious JavaScript and HTML code in a particular field, such as the post comments form of a website, modern approaches involve “thinking outside the box.”
Scalable Vector Graphics (SVGs)
Scalable Vector Graphics (SVGs) are XML documents which represent an image as a set of curves…