Hacktivity Highlights: XSS via SVG
Welcome to episode #1 of our Hacktivity Highlights blog series! What the hack is a Hacktivity Highlight? It is a recurring blog series in which we take an interesting publicly disclosed vulnerability report and add our own analysis and thinking to it.
The Finder describes that most dangerous file types, such as HTML files, were securely served with the text/plain MIME type, so a browser displays them as text instead of rendering them. However, the reporter also identified that SVG images were served as-is. An SVG is an XML document that can carry script and event handlers, so opening an uploaded SVG directly in the browser could run attacker-controlled JavaScript in the site's origin, a possible XSS attack. While the initial report could have been clearer about why this was a vulnerability in the first place and how it could be remedied, the program owner Scott Arciszewski (@paragonie-scott) did respond quickly and produced a fix within minutes. Scott (jokingly?) suggested changing the MIME type for SVGs to begin with application/ instead of image/. We thought that was an interesting observation and turned to Twitter for a poll. It looks like the community disagrees, but we thought it was worth polling at the least:
@Michielprins Twitter Poll
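To make the mechanism concrete, here is an added example (our own illustration, not code from the reported program or from Paragon Initiative Enterprises) of the two pieces a practitioner wants when hosting user uploads: a header policy that neutralises script-capable types the way the program did for HTML, with an alternative for SVG that keeps `<img>` embedding working, and a scanner that flags the SVG constructs which can execute script. The function names, the `ACTIVE_CONTENT_TYPES` set and the sample SVG documents are constructed for this example.

```python
"""Added example: serving user-uploaded files so an SVG cannot become XSS.

Everything here (names, the type set, the sample documents) is constructed
for illustration and is not the code of the program discussed in the report.
"""
import re
import xml.etree.ElementTree as ET

# MIME types a browser renders as a scriptable document when the file is
# opened directly by URL.  Assumed list for this example.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


def response_headers(content_type: str, download: bool = False) -> dict:
    """Return response headers for serving an uploaded file of `content_type`.

    Inert types (image/png, ...) pass through.  Script-capable types are
    either neutralised to text/plain plus an attachment disposition (what the
    report describes for HTML) or, for SVG when download=False, kept as
    image/svg+xml so <img> embedding still works, with a CSP that forbids
    script and sandboxes the document if someone navigates to it directly.
    """
    base = content_type.split(";")[0].strip().lower()
    # nosniff stops the browser from sniffing text/plain back into HTML.
    headers = {"X-Content-Type-Options": "nosniff"}
    if base not in ACTIVE_CONTENT_TYPES:
        headers["Content-Type"] = content_type
        return headers
    if download or base != "image/svg+xml":
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = "attachment"
        return headers
    headers["Content-Type"] = "image/svg+xml"
    headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    return headers


_EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)


def svg_active_content(svg_bytes: bytes) -> list:
    """List the reasons an SVG could execute script when opened as a document.

    Detection aid only: the response headers above are the real control.
    For production use, parse untrusted XML with defusedxml instead of
    xml.etree to avoid entity-expansion tricks.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()  # drop the XML namespace
        if local in ("script", "foreignobject"):
            findings.append(f"<{local}> element")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if _EVENT_ATTR.match(attr):
                findings.append(f"{attr} handler on <{local}>")
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{local}>")
    return findings


# Constructed sample documents (not taken from the report).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(2)"><text y="20">click</text></a>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="teal"/>
</svg>"""


if __name__ == "__main__":
    for ctype in ("image/png", "text/html", "image/svg+xml"):
        print(ctype, "->", response_headers(ctype))
    print("malicious:", svg_active_content(MALICIOUS_SVG))
    print("benign:", svg_active_content(BENIGN_SVG))
```

The CSP branch reflects a trade-off the report leaves open: serving SVG as text/plain, as was done for HTML, breaks `<img src="...svg">` embedding, whereas `default-src 'none'; sandbox` leaves image rendering intact (script never runs in an `<img>` context anyway) while blocking it when the SVG is opened as a top-level document. Hosting uploads on a separate origin removes the residual risk entirely.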
Now, what can we learn from this finding?
- Never blindly trust user input. This is especially important when working with tricky input such as images; ImageTragick is still too fresh in our memories to trust anything.
- The internet has lots of quirky old stuff that not every software developer necessarily knows about.
If you have an opinion, we encourage you to join the fray on Twitter!
Want to explore other publicly disclosed vulnerability reports? Check out Hacktivity!
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.