SVG: Exploiting Browsers without Image Parsing Bugs

Presented at Black Hat USA 2014, Aug. 7, 2014, 2:15 p.m. (25 minutes).

SVG is an XML-based format for vector graphics. Modern web browsers support it natively and allow it to be styled using CSS and manipulated using JavaScript. It is less well-known that SVG can contain its own JavaScript and can import external scripts and stylesheets. Consequently, from a browser security perspective, SVG must be treated like HTML; treating it like JPEG will lead to great suffering.

Presenters:

• Rennie deGraaf - iSEC Partners
  Rennie deGraaf is a security consultant with iSEC Partners, a strategic digital security organization.In the past, he has worked as a software developer at Microsoft, a researcher at the University of Calgary, and a system administrator at Industrial Defender (back when it was still Verano). He has a MSc in Computer Science specializing in network security, specifically firewalling tricks such as port knocking and SPA.

Links:

• https://www.blackhat.com/us-14/archives.html#svg-exploiting-browsers-without-image-parsing-bugs
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2014/video/SVG - Exploiting Browsers without Image Parsing Bugs.mp4
• https://www.youtube.com/watch?v=dxL0570oDIg
• https://www.blackhat.com/docs/us-14/materials/us-14-DeGraaf-SVG-Exploiting-Browsers-Without-Image-Parsing-Bugs.pdf

Similar Presentations:

• Black Hat USA 2013 / Million Browser Botnet