# SVG SSRF Cheatsheet All of these methods specify a URI, which can be absolute or relative. File and HTTP protocol are important to test, but it could also support other protocols depending on the implementation (e.g. PHP stream schemes), including `javascript:` and `data:`. This document contains a list of the ways about to abuse this functionality in SVG files. {% hint style="info" %} Note that some services that claim to not accept SVG as an input format actually do with a little coaxing. {% endhint %} * For uploads, send a JPEG/PNG mime type and filename. * For downloads, have a JPEG/PNG filename and mime type. If refused, check for TOCTOU on the URL (double fetch) and if it follows redirects. * Mime sniffing confusion is probably also possible. Mime sniffing confusion as SVG is difficult to sniff because it can start with extra XML garbage. In fact, the standard `file` command doesn't include any SVG magic, so it's likely up to the individual implementations. ## Images SVG can include external images directly via the `` tag. {% code overflow="wrap" lineNumbers="true" %} ```xml ``` {% endcode %} Most simple: {% code overflow="wrap" lineNumbers="true" %} ```xml ``` {% endcode %} URL Encoded: {% code overflow="wrap" lineNumbers="true" %} ```xml ``` {% endcode %} {% hint style="info" %} Note that you can use this to include *other SVG* images too. {% endhint %} ## The `` tag SVG can include external SVG content via the `` tag. ### Option 1: {% code overflow="wrap" lineNumbers="true" %} ```xml ``` {% endcode %} ### Option 2: {% code overflow="wrap" lineNumbers="true" %} ```xml ``` {% endcode %} ### Option 3 {% code overflow="wrap" lineNumbers="true" %} ```xml ``` {% endcode %} ## CSS ### CSS Stylesheet `` SVG can include external stylesheets via the `` tag, just like html.

<svg width="100%" height="100%" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
<link xmlns="http://www.w3.org/1999/xhtml" rel="stylesheet" href="http://example.com/style.css" type="text/css"/>
<circle cx="50" cy="50" r="45" fill="green" id="foo"/>
</svg>

### CSS stylesheet via `@include` {% code overflow="wrap" lineNumbers="true" %} ```xml ``` {% endcode %} ### CSS Stylesheet via `` {% code overflow="wrap" lineNumbers="true" %} ```xml ``` {% endcode %} ## IP in Hexadecimal ```xml ``` ## Redirect with data URI {% code overflow="wrap" %} ```xml ``` {% endcode %} ## XSLT SVGs can include XSLT stylesheets via ``. Surprisingly, this does seem to work in chrome. ```xml ``` ```xml ``` {% hint style="info" %} Note: due to the nature of XSLT, the input doesn't actually *have* to be a valid SVG file if the xml-stylesheet is ignored, but it's useful to bypass filters. {% endhint %} Also, because this template just wholesale replaces the entire "old" image with the new one. ## Javascript ### Inline SVG can natively include inline javascript, just like HTML. ```xml ``` ### External SVG can also include external scripts. ```xml ``` ### Inline in event SVG can also have inline event handlers that get executed onload. ```xml ``` You can also bind handlers to animations and some other events. Read the SVG spec. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pcastagnaro.gitbook.io/pentest-bug-bounty-resources/pentest-bounty-resources/web/ssrf-and-xxe/svg-ssrf-cheatsheet.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.