Question
Say there is a website example.com. It hosts static content from a CDN, example.net.
This site allows uploading an image, which will then be served from the CDN. These images can be SVGs and they are not filtered in any way, so they may contain arbitrary HTML content (including script tags).
Would you consider this a security issue?
On the one hand, it allows one to run code if someone accesses the image (say, by clicking on it in the context of example.com). On the other, it only runs under the CDN
Explanation / Answer
Yes, this is a major security vulnerability, but that has nothing to do with XSS.
For example, an attacker might render a fake log-in form and trick your users into handing out their passwords.
The SVG can also be used for a clickjacking attack against yourself or sites which trust you, even if state-of-the-art protection is in action. Standard techniques like the X-Frame-Options header usually just check the top-level browsing context, and that is your site. So an attacker is likely to be able to embed other pages of your own site or partner sites in a frame and then trick the user into taking actions on those pages.
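The answer above describes the risk; the following is an added example (not code from the question or the answer) of the two defender-side controls that address it: rejecting uploaded SVGs that carry active content, and serving whatever is accepted with response headers that prevent it from running as a page. The `svg_findings` function, the `UPLOAD_RESPONSE_HEADERS` mapping and the two sample documents are all constructed for this example; they are not part of any real upload service.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# SVG elements that can execute script or embed arbitrary HTML.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that may point at a scripted or inline-data resource.
LINK_ATTRS = {"href", "{%s}href" % XLINK_NS}


def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on tags/attributes."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(svg_bytes):
    """Return the reasons an uploaded SVG must NOT be served as an inline document.

    An empty list means nothing active was found. This is a reject-on-detection
    check, not a sanitiser: anything flagged should be refused or rasterised.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    if local_name(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % local_name(root.tag))

    for el in root.iter():
        name = local_name(el.tag)
        # Elements from another namespace (typically XHTML) are HTML smuggled in.
        if el.tag.startswith("{") and not el.tag.startswith("{" + SVG_NS + "}"):
            findings.append("foreign-namespace element <%s>" % name)
        if name in ACTIVE_TAGS:
            findings.append("active element <%s>" % name)
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            # Every on* attribute (onload, onclick, ...) is an inline event handler.
            if aname.lower().startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (aname, name))
            if attr in LINK_ATTRS and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append("scripted/data URL in %s on <%s>" % (aname, name))
    return findings


# Headers to attach when an accepted SVG is served from the CDN origin.
# - CSP 'sandbox' with no script source stops execution even if the file is
#   opened directly rather than through an <img> tag.
# - Content-Disposition: attachment stops the browser from rendering it as a page.
# - nosniff keeps the declared type authoritative.
UPLOAD_RESPONSE_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": "attachment; filename=upload.svg",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    "X-Content-Type-Options": "nosniff",
}

# Constructed samples: a plain drawing, and one carrying the kinds of content the
# question describes (an event handler, a script element, embedded HTML).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)
HOSTILE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
    b'<script>/* constructed sample */</script>'
    b'<foreignObject><div xmlns="http://www.w3.org/1999/xhtml">html here</div></foreignObject>'
    b'</svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, "->", svg_findings(doc) or "no findings")
```

Two points worth keeping in mind when wiring this in: an SVG loaded through `<img src>` does not execute scripts in browsers, so the exposure the answer describes arises when the file is navigated to directly or loaded in a frame or `<object>`, which is exactly what the `Content-Disposition` and CSP `sandbox` headers close off; and a detection check like this one is a backstop, not a substitute for rasterising untrusted SVGs or serving uploads from an origin that holds no credentials of its own.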