Week 44 - SVG SSRF

Looking for another way of exploiting Server-Side Request Forgery? Many #AppSec testers are already familiar with server-side HTML rendering, and how an <iframe> can be used to access internal resources or local files. But did you know this is also possible through exporting SVG images? This is due to the handy <foreignObject> tag, which essentially allows you to add HTML to the SVG image. Assuming the server is rendering the SVG image, you can add an iframe and link to internal hosts/files like so: <svg width="1000" height="1000"> <foreignObject width="1000" height="1000"> <iframe style="width:100%;height:100%;" src="file[:]///etc/passwd"/> </foreignObject> </svg> If the server is blocking the <foreignObject> tag, you can find bypasses at the link provided in the comments.