logo   Downloads About Contact

Bypassing script filtering in firewall appliance solutions

In professional environments appliance web proxy firewalls are state of the art to protect PCs from malicious content. Depending on the level of mitigation, some of these appliance solutions divert-filter all active content like flash and scripting code out of the HTML content transferred.

While reading a course on SVG I stumbled upon the scripting support of SVG, and then an idea came to my mind: Well, if SVG is interpreted as HTML code in modern browsers, and SVG also supports active content using JavaScript, why not use it to bypass script filtering. As you might already assume: it seems that some vendors lack filtering out scripts in SVG, so it it could be possible to inject evil code into protected systems by just using SVG and forcing a target to open such an image, e.g. though a watering-hole attack. Some of these appliance solutions perfectly filter out scripting code from HTML, but fail to do so with SVG.

I do not want to publish a list of vulnerable manufacturers, you can try it yourself. I have created a JavaScript SVG PoC, so you can try to open from your protected environment and can instantly see if active code is still getting executed - even if e.g. JavaScript usually gets filtered out by your firewall appliance. The PoC shows a smiley, if you click onto the image, the embedded JavaScript shows a message box.

If you have any questions, please do not hesitate and contact me.