XXE Attacks in SVG Files

TL;DR

Yes, an XXE (XML External Entity) attack can be carried out from within an SVG file. SVGs are XML-based and therefore vulnerable if external entities aren’t properly sanitised. This allows attackers to read local files or potentially interact with internal systems.

How it Works

SVG (Scalable Vector Graphics) files use XML to define vector images. XML External Entities allow you to include data from other sources within an XML document. If the SVG parser doesn’t disable external entity processing, attackers can exploit this feature.

Steps to Exploit and Mitigate

  1. Understand XXE Basics: An XXE attack injects malicious XML code into a parser that processes XML documents. The goal is usually to read sensitive files on the server or interact with internal systems.
    • A basic XXE payload looks like this (the DOCTYPE declares an external entity named xxe that points at a local file, and the document body then references it):

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE foo [
        <!ENTITY xxe SYSTEM "file:///etc/passwd">
      ]>
      <foo>&xxe;</foo>

  2. Create a Malicious SVG File: Craft an SVG file containing the XXE payload. The key is embedding the XML declaration and the entity definition in the SVG file's prolog, ahead of the root <svg> element, so that an XML parser processes them.
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE svg [
      <!ENTITY xxe SYSTEM "file:///etc/passwd">
    ]>
    <svg width="100" height="100">
      <foo>&xxe;</foo>
    </svg>
  3. Upload or Process the SVG: Upload the malicious SVG file to a vulnerable application. This could be through a web form, an image processing service, or any other mechanism that parses SVGs.
  4. Trigger Parsing: Ensure the application actually processes the XML content of the SVG file. Some applications may only use the visual rendering and not parse the underlying XML.
  5. Check for File Disclosure: If successful, the XXE attack will return the contents of the specified file (e.g., /etc/passwd in the example above) within the application’s response. Look at the HTTP response or any error messages generated by the parser.
  6. Mitigation – Disable External Entities: The most effective way to prevent XXE attacks is to disable external entity processing entirely in your XML parsers.
    • For PHP: Use libxml_disable_entity_loader(true); before parsing any XML.
      <?php
      // libxml_disable_entity_loader() is deprecated since PHP 8.0: libxml 2.9+
      // leaves external entity loading off unless LIBXML_NOENT is passed explicitly.
      // Keep the call on older PHP, and never pass LIBXML_NOENT to the XML loaders.
      libxml_disable_entity_loader(true);
      $xml = simplexml_load_string($svgContent);
      // Process $xml...
      ?>
    • For Python (lxml): Configure the parser to disallow external entities.
      from lxml import etree
      # resolve_entities=False stops lxml from substituting entity references;
      # the defaults no_network=True and load_dtd=False also keep it from
      # fetching external DTDs.
      parser = etree.XMLParser(resolve_entities=False)
      tree = etree.fromstring(svgContent, parser)
      # Process tree...

    • For Java: Configure the XMLInputFactory to disable external entities.
      XMLInputFactory factory = XMLInputFactory.newFactory();
      // StAX: switch off DTD processing and external entity resolution on the factory
      factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
      factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
      XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(svgContent));
      // Process reader...

  7. Mitigation – Input Validation: While not as robust as disabling entities, you can attempt to validate the SVG content and remove or escape potentially malicious XML code.
  8. Content Security Policy (CSP): Implement a strict CSP that restricts the sources from which resources are loaded. This can help prevent attackers from injecting malicious SVGs in the first place.

Important Considerations

  • XXE attacks aren’t limited to file disclosure; they can also be used for Server-Side Request Forgery (SSRF) and denial of service.
  • Always keep your XML parsing libraries up to date, as vulnerabilities are often discovered and patched.
  • Test any application that processes XML files for XXE vulnerabilities regularly.