> For the complete documentation index, see [llms.txt](https://www.webhackingtips.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.webhackingtips.com/week-44-svg-ssrf.md).

# Week 44 - SVG SSRF

Looking for another way of exploiting Server-Side Request Forgery?

Many [#AppSec](https://www.linkedin.com/feed/hashtag/?keywords=appsec\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A6999064415689965568) testers are already familiar with server-side HTML rendering, and how an `<iframe>` can be used to access internal resources or local files. But did you know this is also possible through exporting SVG images?

This is due to the handy `<foreignObject>` tag, which essentially allows you to embed HTML inside the SVG image. Assuming the server is rendering the SVG image, you can add an iframe and link to internal hosts/files like so:

```xml
<svg width="1000" height="1000">
  <foreignObject width="1000" height="1000">
    <iframe style="width:100%;height:100%;" src="file[:]///etc/passwd"/>
  </foreignObject>
</svg>
```

If the server is blocking the `<foreignObject>` tag, you can find bypasses at the link provided in the comments.

![](/files/0kjpkWVgXpVtGKABQu3t)
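From the defender's side, the check that matters is what the server-side renderer is allowed to see before it rasterizes an uploaded SVG. The following validator is an added example (not code from this page or its author): it walks every element of an SVG regardless of namespace or prefix, rejects the elements that smuggle HTML or executable content (`foreignObject`, `iframe`, `script`, `embed`, `object`), and flags `href`/`xlink:href` values on resource-loading elements unless they are same-document fragments or inline `data:image/...` URLs. It uses only the standard library `xml.etree.ElementTree`; the element and attribute lists are this example's own policy, and the sample documents (including a copy of the payload above, with its defanged `file[:]` URL, and a placeholder `internal.example` host) are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Example policy (assumption of this example, not a standard): elements that
# must never reach a server-side SVG renderer. foreignObject embeds arbitrary
# HTML (and therefore <iframe>); the others execute code or load external content.
DISALLOWED_ELEMENTS = {"foreignobject", "iframe", "script", "embed", "object", "frame"}

# SVG elements whose href attribute makes the renderer fetch a resource.
HREF_BEARING_ELEMENTS = {"image", "use", "feimage", "pattern", "filter", "font-face-uri"}

# Only same-document fragments and inline raster data URLs are accepted as hrefs.
SAFE_HREF = re.compile(r"^(#|data:image/(png|jpeg|gif|webp);base64,)", re.I)


def local_name(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag or attribute: '{ns}foo' -> 'foo'."""
    return tag.rsplit("}", 1)[-1].lower()


def find_unsafe_svg(svg: bytes) -> list[str]:
    """Return a list of findings for an SVG document; an empty list means nothing was flagged.

    Every element is visited regardless of namespace, so HTML placed inside
    <foreignObject>, or written with an unexpected prefix, is still inspected.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")

    for elem in root.iter():
        name = local_name(elem.tag)
        if name in DISALLOWED_ELEMENTS:
            findings.append(f"disallowed element <{name}>")

        # <style> blocks can pull in resources via url(...) or @import.
        if name == "style" and elem.text and re.search(r"url\s*\(|@import", elem.text, re.I):
            findings.append("<style> references an external resource")

        for attr, value in elem.attrib.items():
            attr_name = local_name(attr)  # handles both href and xlink:href
            if attr_name == "href" and name in HREF_BEARING_ELEMENTS:
                if not SAFE_HREF.match(value.strip()):
                    findings.append(f"<{name}> href to external resource: {value.strip()}")
            if attr_name == "style" and re.search(r"url\s*\(", value, re.I):
                findings.append(f"<{name}> style attribute contains url()")
            if attr_name.startswith("on"):
                findings.append(f"<{name}> has event handler {attr_name}")
    return findings


# Constructed sample: the foreignObject/iframe payload from the tip above,
# kept with the author's defanged "file[:]" scheme.
PAYLOAD = b"""<svg width="1000" height="1000">
  <foreignObject width="1000" height="1000">
    <iframe style="width:100%;height:100%;" src="file[:]///etc/passwd"/>
  </foreignObject>
</svg>"""

# Constructed sample: a benign icon that only references its own <defs>.
BENIGN = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
          b'<defs><circle id="c" r="10"/></defs><use xlink:href="#c"/></svg>')

# Constructed sample: an <image> that would make the renderer fetch an internal host.
REMOTE = (b'<svg xmlns="http://www.w3.org/2000/svg">'
          b'<image href="http://internal.example/status" width="10" height="10"/></svg>')

if __name__ == "__main__":
    for label, doc in (("payload", PAYLOAD), ("benign", BENIGN), ("remote", REMOTE)):
        print(label, "->", find_unsafe_svg(doc) or "ok")
```

The element-level check is deliberate: the iframe is rejected because `<iframe>` and `<foreignObject>` are not allowed at all, so the defanged or otherwise obfuscated `src` value never needs to be matched against a scheme blocklist. Two caveats for production use: `xml.etree` does not protect against entity-expansion attacks, so parse untrusted input with `defusedxml` instead, and a validator like this is a layer in front of, not a substitute for, rendering SVGs in a sandbox that has no network or file-system access.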
