Enhancing Cybersecurity: Unveiling the SVG Security Analysis Toolkit

Attackers increasingly use Scalable Vector Graphics (SVG) files to carry malicious scripts, and the format makes this easy: an SVG is an XML document, so it can contain `<script>` elements and event-handler attributes while still looking like an image to mail gateways and web filters. To help defenders deal with this, HackingLZ has released the SVG Security Analysis Toolkit, a suite of Python tools for detecting and analysing scripts hidden in SVG files.

Understanding the Threat:

SVG files are widely used for web graphics because they scale without loss and support interactivity, and that interactivity is the problem: an SVG may contain `<script>` elements, `on*` event handlers and script `href` attributes pointing at `data:` URIs. Attackers embed obfuscated JavaScript in these files, typically a redirect to a phishing page, that runs when the SVG is opened directly in a browser or embedded via `<object>`, `<iframe>` or `<embed>` (browsers do not execute scripts in an SVG loaded through `<img>` or CSS, which is why these samples usually arrive as attachments or direct links). Signature-based controls often miss them because the file is valid XML, looks like an image, and carries its payload in an encoded form that only becomes a URL at runtime.

Toolkit Overview:

The SVG Security Analysis Toolkit comprises four primary components, each serving a specific function in the detection and analysis of malicious content within SVG files:

1. extract.py – Static SVG URL Extractor:

This tool performs pattern-based analysis and never executes the embedded JavaScript, so it is safe to run on untrusted samples. It detects and decodes several obfuscation techniques, including:

– XOR-Encoded Payloads: Finds `String.fromCharCode` call patterns and decodes the character codes they carry.

– Base64-Encoded URLs: Decodes `data:` URIs and extracts the URLs inside them.

– Character Arithmetic Schemes: Deciphers scripts that rebuild strings with `parseInt` and XOR loops.

Usage Example:

To analyze an SVG file named `malicious.svg` and display verbose output:

```bash
python3 extract.py -i malicious.svg -v
```

2. extract_dynamic.py – Dynamic JavaScript Execution:

Built on the `box-js` sandbox, this tool executes the JavaScript embedded in an SVG inside an instrumented environment and captures the URL the script finally constructs. It is the fallback for samples whose obfuscation the static extractor cannot follow. Key features include:

– Advanced Hook System: Hooks sinks such as `location.assign()`, `window.open()` and AJAX calls, so the URL is captured at the point the script uses it.

– Final URL Prioritization: Distinguishes complete URLs from the partial fragments a script concatenates along the way.

– ActiveX/WScript Support: Monitors Windows-specific script objects for samples that target a Windows script host rather than a browser.

Usage Example:

To dynamically analyze an SVG file and output results to a specified directory:

```bash
python3 extract_dynamic.py -i malicious.svg -o results/
```

3. cf_probe.py – Cloudflare Protection Detection:

This component follows the HTTP and meta-refresh redirects from extracted URLs and checks each hop for Cloudflare challenges. Phishing kits increasingly sit behind Turnstile or a CAPTCHA to keep scanners and sandboxes away from the landing page, so knowing that a hop is gated explains why an automated fetch returned a challenge page instead of the lure. It reports:

– Turnstile Challenges: Identifies `data-sitekey` attributes on challenge widgets.

– JavaScript Analysis: Scans for reCAPTCHA or custom CAPTCHA scripts.

– CF Headers: Reports headers such as `CF-Ray` and DDoS-protection messages in the response body.

Usage Example:

To probe a list of URLs for Cloudflare protections:

```bash
python3 cf_probe.py -i urls.txt
```
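To make the probing step concrete, here is an added example, not `cf_probe.py` itself, that follows a redirect chain the way the description above says the tool does and classifies each hop. The fetcher is injected so the example runs offline against constructed responses. The Cloudflare indicators it checks (the `cf-mitigated: challenge` header, the `Just a moment...` challenge page, the `/cdn-cgi/challenge-platform/` script path and the Turnstile widget's `data-sitekey`) are common Cloudflare signals listed here as assumptions, not the tool's own checks; the hostnames, `CF-Ray` value and sitekey in the sample responses are made up.

```python
import re
from urllib.parse import urljoin

# Indicator set assumed for this example; cf_probe.py has its own checks.
CF_HEADERS = ("cf-ray", "cf-mitigated", "cf-cache-status")
CHALLENGE_MARKERS = ("just a moment", "checking your browser",
                     "/cdn-cgi/challenge-platform/", "cf-chl")
CAPTCHA_MARKERS = {
    "turnstile": "challenges.cloudflare.com/turnstile",
    "recaptcha": "google.com/recaptcha",
    "hcaptcha": "hcaptcha.com",
}
SITEKEY_RE = re.compile(r'data-sitekey\s*=\s*["\']([^"\']+)', re.I)
META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)


def classify(status: int, headers: dict, body: str) -> dict:
    """Classify one HTTP response: is it behind Cloudflare, is it a challenge,
    which CAPTCHA is wired in, and where does a meta refresh send the browser."""
    h = {k.lower(): v for k, v in headers.items()}
    low = body.lower()
    refresh = META_REFRESH_RE.search(body)
    info = {
        "cf_headers": {k: h[k] for k in CF_HEADERS if k in h},
        "challenge": h.get("cf-mitigated", "").lower() == "challenge"
        or (status in (403, 503) and any(m in low for m in CHALLENGE_MARKERS)),
        "sitekeys": SITEKEY_RE.findall(body),
        "captcha": [name for name, marker in CAPTCHA_MARKERS.items() if marker in low],
        "meta_refresh": refresh.group(1) if refresh else None,
    }
    info["cloudflare"] = bool(info["cf_headers"]) or h.get("server", "").lower() == "cloudflare"
    return info


def probe(url: str, fetch, max_hops: int = 5) -> list:
    """Follow 3xx Location and meta-refresh hops from url, classifying each.
    fetch(url) must return (status, headers, body). Stops at the first challenge,
    because later hops are unreachable without solving it."""
    chain, seen = [], set()
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, headers, body = fetch(url)
        info = classify(status, headers, body)
        info.update(url=url, status=status)
        chain.append(info)
        if info["challenge"]:
            break
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        next_url = location if 300 <= status < 400 else info["meta_refresh"]
        url = urljoin(url, next_url) if next_url else None
    return chain


# Constructed responses standing in for the network: a 302, a meta refresh, then a
# Turnstile-gated landing page. Hostnames, CF-Ray and sitekey values are made up.
SAMPLE_RESPONSES = {
    "https://lure.example/start": (302, {"Location": "/go"}, ""),
    "https://lure.example/go": (200, {"Server": "nginx"},
        '<html><head><meta http-equiv="refresh" content="0; url=https://final.example/login">'
        '</head></html>'),
    "https://final.example/login": (403, {
        "Server": "cloudflare", "CF-Ray": "0123456789abcdef-XXX", "cf-mitigated": "challenge"},
        '<html><head><title>Just a moment...</title></head><body>'
        '<div class="cf-turnstile" data-sitekey="0xEXAMPLE-SITEKEY"></div>'
        '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'
        '</body></html>'),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; swap in a real GET for live probing."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for hop in probe("https://lure.example/start", fake_fetch):
        print(hop["status"], hop["url"], "challenge" if hop["challenge"] else "", hop["captcha"])
```

Stopping at the first challenge is deliberate: anything past it is what the kit is protecting, and a fetch that silently keeps going would just record the same challenge page again. For live use, replace `fake_fetch` with a function that performs the GET without following redirects itself, so each hop is classified separately.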

4. encoder.py – SVG Test Case Generator:

This tool generates realistic obfuscated SVG samples so you can validate a detection pipeline without handling live malware. It supports six obfuscation patterns, including:

– XOR + ES6 Proxy

– Hex-Encoded Function Constructor

– Data URI Scripts

Usage Example:

To generate random test cases and output them to a directory:

```bash
python3 encoder.py --random-all -o test_cases/
```
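The generate-then-detect loop that `encoder.py` and `extract.py` form, as an added example that is not the toolkit's own code: one function builds a test case in the XOR + `String.fromCharCode` style and another in the base64 `data:` URI style, and a small static extractor recovers the redirect target from each without executing any JavaScript. It walks `<script>` bodies, script `href` attributes and `on*` handlers, tries every XOR key literal the script mentions (plus 0 for plain `fromCharCode` strings) and decodes base64 `data:` URIs recursively. The markup layout, the regexes and the key-guessing approach are assumptions made for this illustration; the toolkit's patterns and output will differ.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Patterns written for this example (assumptions, not the toolkit's own regexes).
URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s'\"<>)]*)?")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
# A literal the script XORs with, or a variable named k/key assigned a literal.
XOR_KEY_RE = re.compile(r"\^\s*(0x[0-9a-fA-F]+|\d+)|\b(?:k|key)\s*=\s*(0x[0-9a-fA-F]+|\d+)")
B64_DATA_RE = re.compile(r"data:[\w/+.-]+;base64,([A-Za-z0-9+/=]+)")
SVG_NS = "http://www.w3.org/2000/svg"


def make_xor_svg(url: str, key: int) -> str:
    """Constructed test case: the target is XOR-encoded into String.fromCharCode()
    arguments and decoded character by character at runtime."""
    codes = ",".join(str(ord(c) ^ key) for c in url)
    js = (f"var k={key};var s=String.fromCharCode({codes});var u='';"
          "for(var i=0;i<s.length;i++){u+=String.fromCharCode(s.charCodeAt(i)^k);}"
          "location.assign(u);")
    return f'<svg xmlns="{SVG_NS}" width="1" height="1"><script><![CDATA[{js}]]></script></svg>'


def make_b64_svg(url: str) -> str:
    """Constructed test case: the redirect script is hidden in a base64 data: URI."""
    b64 = base64.b64encode(f"window.location='{url}';".encode()).decode()
    return (f'<svg xmlns="{SVG_NS}" xmlns:xlink="http://www.w3.org/1999/xlink">'
            f'<script xlink:href="data:text/javascript;base64,{b64}"/></svg>')


def _literal(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def analyze_js(js: str, depth: int = 0) -> set:
    """Recover URLs from a script fragment by pattern matching only."""
    urls = set(URL_RE.findall(js))
    # Try every XOR key the script mentions, plus 0 for plain fromCharCode() strings.
    keys = {0} | {_literal(a or b) for a, b in XOR_KEY_RE.findall(js)}
    for match in FROMCHARCODE_RE.finditer(js):
        codes = [int(n) for n in match.group(1).split(",") if n.strip()]
        for key in keys:
            decoded = "".join(chr(c ^ key) for c in codes if 0 <= c ^ key < 0x110000)
            urls.update(URL_RE.findall(decoded))
    if depth < 3:  # a base64 data: URI may wrap another encoded script
        for match in B64_DATA_RE.finditer(js):
            try:
                inner = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                continue
            urls |= analyze_js(inner, depth + 1)
    return urls


def extract_urls(svg_text: str) -> set:
    """Walk the SVG and analyse every place script can hide: <script> bodies,
    script href/xlink:href attributes and on* event handlers."""
    urls = set()
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "script" and el.text:
            urls |= analyze_js(el.text)
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()
            if (tag == "script" and local == "href") or local.startswith("on"):
                urls |= analyze_js(value)
    return urls


if __name__ == "__main__":
    target = "https://example.test/login?u=victim"  # constructed lure URL
    for sample in (make_xor_svg(target, 0x2a), make_b64_svg(target)):
        print(sorted(extract_urls(sample)))
```

The useful property of the generator half is that it gives you a ground truth: you know which URL went in, so a pipeline that reports anything else, or nothing, has a gap you can name. The extractor half shows why a static pass is only a first filter: a key derived at runtime rather than written as a literal defeats the key guess, and that is the case the dynamic tool exists for.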

Recommended Analysis Workflow:

To get full coverage, HackingLZ recommends running the tools in this order:

1. Generate Test Cases:

```bash
python3 encoder.py --random-all -o test_cases/
```

2. Static Analysis:

```bash
python3 extract.py -i test_cases/*.svg -v
```

3. Dynamic Analysis:

```bash
python3 extract_dynamic.py -i test_cases/ -o dynamic_results/
```

4. Protection Verification:

```bash
python3 cf_probe.py -i malicious_urls.txt
```

Conclusion:

The SVG Security Analysis Toolkit gives defenders a practical way to detect and analyse scripts hidden in SVG files. Static extraction handles the common encodings quickly and safely, dynamic execution recovers URLs that static patterns miss, the Cloudflare probe explains which hops are gated by a challenge, and the test-case generator lets you confirm that all of this actually fires before a real sample arrives. Wiring these steps into a triage workflow shortens the path from an SVG attachment to a blockable URL.