High Severity

Attachment: Embedded Javascript in SVG file

Description

SVG is XML, so an SVG "image" may carry script elements, event-handler attributes such as onload and onerror, and foreignObject content such as an iframe; a browser that opens the attachment executes that JavaScript. Attackers use this to redirect the recipient to a phishing page or to smuggle a second-stage payload (often base64-encoded and unpacked with atob or decodeURIComponent) inside what looks like a harmless image.

Sublime Security
Created Aug 17th, 2023 • Last updated Jun 2nd, 2025
Source
type.inbound
and any(attachments,
        // Case 1: the SVG (or gzipped .svgz) is attached directly
        (
          (
            .file_extension in~ ("svg", "svgz")
            or .content_type in~ ("image/svg+xml")
          )
          and (
            // script tags, event handlers, redirects and decoding helpers in the raw text
            strings.ilike(file.parse_text(.,
                                          encodings=[
                                            "ascii",
                                            "utf8",
                                            "utf16-le"
                                          ]
                          ).text,
                          "*onload*",
                          "*window.location.href*",
                          "*onerror*",
                          "*CDATA*",
                          "*<script*",
                          "*</script*",
                          "*atob*",
                          "*location.assign*",
                          "*decodeURIComponent*"
            )
            // an iframe whose src is a base64 data: URI (HTML smuggling)
            or regex.icontains(file.parse_text(.,
                                               encodings=[
                                                 "ascii",
                                                 "utf8",
                                                 "utf16-le"
                                               ]
                               ).text,
                               '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
            )
            // the same indicators hidden inside base64-encoded content
            or any(beta.scan_base64(file.parse_text(.).text,
                                    encodings=["ascii", "utf8", "utf16-le"]
                   ),
                   strings.ilike(.,
                                 "*onload*",
                                 "*window.location.href*",
                                 "*onerror*",
                                 "*CDATA*",
                                 "*<script*",
                                 "*</script*",
                                 "*atob*",
                                 "*location.assign*",
                                 "*decodeURIComponent*"
                   )
            )
          )
        )
        // Case 2: the SVG is inside an archive; inspect the exploded members
        or (
          (
            .file_extension in $file_extensions_common_archives
            or .file_type == "gz"
            or .content_type == "application/x-gzip"
          )
          and any(file.explode(.),
                  (
                    .file_extension in~ ("svg", "svgz")
                    or .flavors.mime == "image/svg+xml"
                  )
                  and any(.scan.strings.strings,
                          strings.ilike(.,
                                        "*onload*",
                                        "*window.location.href*",
                                        "*onerror*",
                                        "*CDATA*",
                                        "*<script*",
                                        "*</script*",
                                        "*atob*",
                                        "*location.assign*",
                                        "*decodeURIComponent*"
                          )
                  )
          )
        )
)
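To show what the rule's three branches catch, and where the substring checks over-match, the following is an added Python re-implementation of the same logic. It is not Sublime's code and is not MQL; the sample SVGs are constructed for the example and example.invalid is a placeholder host. It decodes an .svg or .svgz attachment as the rule does (gzip, then UTF-16 LE or UTF-8/ASCII), applies the same indicator substrings, the same data: iframe regex and a base64 scan standing in for beta.scan_base64, and goes one step beyond the rule with an XML-level check for constructs that actually execute script. That extra check matters because a CDATA block inside a style element, which drawing tools routinely emit in benign exports, satisfies the rule's *CDATA* pattern on its own.

```python
"""Added example: the SVG rule's checks re-implemented in Python (not Sublime's code)."""
import base64
import binascii
import gzip
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Substring indicators copied from the rule; matched case-insensitively like strings.ilike.
JS_INDICATORS = ("onload", "window.location.href", "onerror", "CDATA", "<script",
                 "</script", "atob", "location.assign", "decodeURIComponent")
# The rule's regex.icontains pattern: an iframe whose src is a base64 data: URI.
DATA_IFRAME_RE = re.compile(r'<iframe[^>]+src\s*=\s*"data:[^;]+;base64,', re.IGNORECASE)
# Long base64-looking runs; a simple stand-in for beta.scan_base64.
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def attachment_text(data: bytes) -> str:
    """Ungzip .svgz, then decode: UTF-16 LE if a BOM says so, otherwise UTF-8 (covers ASCII)."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    if data[:2] == b"\xff\xfe":
        return data[2:].decode("utf-16-le", errors="ignore")
    return data.decode("utf-8", errors="ignore")


def substring_hits(text: str) -> List[str]:
    """Indicators present in the raw text (the strings.ilike branch)."""
    lowered = text.lower()
    return [ind for ind in JS_INDICATORS if ind.lower() in lowered]


def base64_hits(text: str) -> List[str]:
    """Indicators present inside decodable base64 runs (the beta.scan_base64 branch)."""
    found = set()
    for run in BASE64_RUN_RE.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8", errors="ignore")
        except (binascii.Error, ValueError):
            continue  # a long identifier, not base64
        found.update(substring_hits(decoded))
    return sorted(found)


def structural_hits(text: str) -> List[str]:
    """Parse the SVG as XML and report constructs that actually run script.

    Beyond the rule: a CDATA block inside <style> is ignored, while script elements,
    on* handlers, javascript: hrefs and data: iframes are still reported.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["unparseable-xml"]
    hits = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the {namespace} prefix
        if tag == "script":
            hits.append("script-element")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            value = value.strip().lower()
            if name.startswith("on"):  # onload, onerror, onclick, ...
                hits.append("event-handler:" + name)
            elif name == "href" and value.startswith("javascript:"):
                hits.append("javascript-href")
            elif tag == "iframe" and name == "src" and value.startswith("data:"):
                hits.append("iframe-data-uri")
    return hits


def scan_svg(data: bytes) -> Dict[str, object]:
    """rule_verdict mirrors the rule: any one of its three branches firing is enough."""
    text = attachment_text(data)
    raw, smuggled = substring_hits(text), base64_hits(text)
    iframe = bool(DATA_IFRAME_RE.search(text))
    return {"substring_hits": raw, "base64_hits": smuggled, "data_iframe": iframe,
            "structural_hits": structural_hits(text),
            "rule_verdict": bool(raw or smuggled or iframe)}


# Constructed samples; example.invalid is a placeholder host, not a real lure.
SVG_OPEN = '<svg xmlns="http://www.w3.org/2000/svg">'
BENIGN_SVG = (SVG_OPEN + '<style><![CDATA[.a{fill:#fff}]]></style>'
              '<rect class="a" width="10" height="10"/></svg>').encode()
SCRIPT_SVG = (SVG_OPEN + '<script>window.location.href="https://example.invalid/lure";'
              '</script></svg>').encode()
SCRIPT_SVGZ = gzip.compress(SCRIPT_SVG)  # the same file delivered as .svgz
REDIRECT_B64 = base64.b64encode(b"https://example.invalid/").decode()
ONLOAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="location.assign(atob(\''
              + REDIRECT_B64 + '\'))"><rect width="1" height="1"/></svg>')
ONLOAD_SVG_UTF16 = b"\xff\xfe" + ONLOAD_SVG.encode("utf-16-le")  # UTF-16 LE with BOM
SMUGGLED_HTML = b'<html><script>location.assign("https://example.invalid/");</script></html>'
SMUGGLE_SVG = (SVG_OPEN + '<foreignObject width="100%" height="100%"><iframe '
               'xmlns="http://www.w3.org/1999/xhtml" src="data:text/html;base64,'
               + base64.b64encode(SMUGGLED_HTML).decode() + '"></iframe></foreignObject></svg>').encode()

if __name__ == "__main__":
    for name in ("BENIGN_SVG", "SCRIPT_SVG", "SCRIPT_SVGZ", "ONLOAD_SVG_UTF16", "SMUGGLE_SVG"):
        print(name, scan_svg(globals()[name]))
```

Running the script prints one result per sample. The benign export comes back with rule_verdict True on the CDATA indicator alone while its structural_hits list is empty; the script, onload and smuggled-iframe samples are flagged by both layers, and the .svgz and UTF-16 variants produce the same verdicts as their plain counterparts. When tuning this rule, the CDATA-only case is the false-positive class to look at first.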