Overview
Explore the security implications of Scalable Vector Graphics (SVG) on the World Wide Web in this comprehensive conference talk. Delve into the powerful features of SVG, including its vector-based structure, XML format, and additional modules like animations and scripting APIs. Examine the potential risks associated with SVG implementation, such as script code execution and cross-domain content inclusion. Learn about various SVG-related concepts, including SVG Tiny, inline SVG, and SVGz, and their relevance to security professionals. Discover examples of malicious SVGs and gain insights into a novel filtering tool for sanitizing SVG images without compromising content integrity. Understand the impact of HTML5 on SVG usage and the security considerations for web developers and browser vendors when working with this versatile image format.
Syllabus
Intro
SVG
SVG history
SVG example
SVG family
SVG features
Tiger
Examples
Deployment methods
Security boundaries
JavaScript execution
Attack pattern
Inline SVG
Abuse scoping
History of SVG flaws
Perfect SVG chameleon
Opera
Testing
Firefox
Taught by
Hack in Paris