Week 44 - SVG SSRF
Last updated
Last updated
Looking for another way of exploiting Server-Side Request Forgery?
Many #AppSec testers are already familiar with server-side HTML rendering, and how an <iframe> can be used to access internal resources or local files. But did you know this is also possible through exporting SVG images?
This is due to the handy <foreignObject> tag, which essentially allows you to add HTML to the SVG image. Assuming the server is rendering the SVG image, you can add an iframe and link to internal hosts/files like so:
<svg width="1000" height="1000">
<foreignObject width="1000" height="1000">
<iframe style="width:100%;height:100%;" src="file[:]///etc/passwd"/>
</foreignObject>
</svg>
If the server is blocking the <foreignObject> tag, you can find bypasses at the link provided in the comments.