# SVG SSRF Cheatsheet Hosts that process SVG can potentially be vulnerable to SSRF, LFI, XSS, RCE because of the rich feature set of SVG. All of these methods specify a URI, which can be absolute or relative. File and HTTP protocol are important to test, but it could also support other protocols depending on the implementation (e.g. PHP stream schemes), including javascript: and data:. This document contains a list of all the ways I know about to abuse this functionality in SVG. Note that some services that claim to not accept SVG as an input format actually do with a little coaxing. * For uploads, send a JPEG/PNG mime type and filename. * For downloads, have a JPEG/PNG filename and mime type. If refused, check for TOCTOU on the URL (double fetch) and if it follows redirects. * I haven't seen it but Mime sniffing confusion is probably also possibleMime sniffing confusion as SVG is difficult to sniff because it can start with extra XML garbage. In fact, AFAICT the standard `file` command doesn't include any SVG magic, so it's likely up to the individual implementations. # Images SVG can include external images directly via the `` tag. ``` xml ``` Note that you can use this to include *other SVG* images too. # The `` tag SVG can include external SVG content via the `` tag. file1.svg: ``` xml ``` file2.svg: ``` ``` # CSS ## CSS Stylesheet `` SVG can include external stylesheets via the `` tag, just like html. ``` xml ``` ## CSS stylesheet via `@include` ``` xml ``` ## CSS Stylesheet via `` ``` xml ``` # XSLT SVGs can include XSLT stylesheets via ``. Surprisingly, this does seem to work in chrome. ``` xml ``` ``` xml ``` Note: due to the nature of XSLT, the input doesn't actually *have* to be a valid SVG file if the xml-stylesheet is ignored, but it's useful to bypass filters. Also, Because I have no interest in learning XSLT, this template just wholesale replaces the entire "old" image with the new one. # Javascript ## Inline SVG can natively include inline javascript, just like HTML. ``` xml ``` ## External SVG can also include external scripts. ``` xml ``` ## Inline in event SVG can also have inline event handlers that get executed onload. ``` xml ``` You can also bind handlers to animations and some other events. Read the SVG spec. # XXE Because SVG is XML, it can also have XXEs: ``` xml ]> ``` # `` The `` tag is insane. It can be used to include arbitrary (X)HTML in an SVG. For example, to include an iframe: ``` xml