1

I'm testing my application for security vulnerabilities. I've inserted javascript in a gif and uploaded it into the application. The application loads the image in <img> tag. The script gets executed only if the image is given as source in <script>. Is there any other way to load the script in the image?

Malvo
  • 21
  • 2
  • Do you have control over the mime type or extension? Or do you just have the ability to upload an arbitrary file that is then treated as an image / GIF? Any validation on the fle? – Egret Feb 18 '18 at 17:03
  • No, I don't have any control over its type. I just upload the file. The application does an extension check as well as a content type check before it accepts the file. – Malvo Feb 19 '18 at 03:37
  • XSS can occur if user does a right click over the image, and "open image in a new tab" or so. In such case, the GIF will be opened in a new tab, and if it's containing HTML code, then browser might sniff it as HTML and interpret it in the new tab. To avoid this, `X-Content-Type-Options: nosniff` + HTTP response `Content-Type: image/gif` + putting images on a separate domain + setting some strict `Content-Security-Policy: default 'none'` can mitigate the attack. – Xenos Jun 26 '18 at 10:10

2 Answers2

3

Historically, it has been possible, such as the GIFAR malware case from over a decade ago.

But as of now with modern web browsers, there is no way. It has been patched to prevent polyglot images from being executed at will. <img> will only read and output the image as an image, regardless of the Content-Type of the page itself (it used to take precedence).

However, you might want to know that it might be possible to do an XML injection using an svg file. XSS will not be possible as long as you stick to the <img> tag, but XXE can occur.

isopach
  • 491
  • 1
  • 3
  • 14
  • 1
    And even with SVG or XML-based image format (if there are others than SVG, which I'm not aware of), then browser might still not execute the dynamic javascript content – Xenos Jun 26 '18 at 10:08
1

Its difficult in current browsers to get a browser to execute javascript when its served up in another mime type / embedded in an image tag.

IE may be vulnerable if you allow access to the image directly (try the direct URL) and aren't leveraging the "nosniff" headers: "X-Content-Type-Options: nosniff" header

But there are a lot of things you need to worry about if allowing untrusted content to be uploaded. See Does X-Content-Type-Options really prevent content sniffing attacks? for a good summary of the issues with allowing file uploads to your site.

Best practice - if you can, serve user content from a separate domain.

Egret
  • 436
  • 3
  • 5