
I wrote a jQuery tool to preview images before uploads.

  • User A clicks the explore button to select an image
  • selects it
  • a change event displays the image

If user A selects a prepared SVG image such as "greetings_ILL_xss_your_site.svg" or "greetings_ILL_xss_your_site.gif", my jQuery will get the image from the tmp dir, resize it and display it.

As SVGs are small programs, and GIFs can contain scripts:

  • Could it run code that uses XSS scripts?
  • Is the previewed image authenticated to run script requests?
quevedo

2 Answers


No, there's not. If someone wants to attack their own machine with JS, the devtools console tab is much easier than crafting a bad SVG. XSS is only a problem when malicious code is shared with other users. If the user was unaware the file was malicious, it could present a problem, but it's not yours to deal with.

Furthermore, the origin/protocol context in which a preview image would be displayed (data: or blob:) should protect your site from being reached by a bad image's code anyway (though some zero-days or whatever could be possible).

dandavis
  • 1
    What makes you think that the user made the SVG file himself? Someone could share malicious SVG file online. – FINDarkside Jun 22 '18 at 22:06
  • As the SVG file is executed while resizing, I think it should post the page (XSS) to get sensible info – quevedo Jun 22 '18 at 22:54
  • Just now I'm about to test a file using 2 virtual machines; I hope I'll see if I can post the page from the image scripts to another server from a previewed image – quevedo Jun 22 '18 at 22:57
  • 1
    if you display it via an `` tag, svg script/dom is sandboxed from the page. If you display it via an ` – dandavis Jun 23 '18 at 17:51

Yes, self-XSS can be possible. The user would have to create the exploitable SVG/GIF himself or download a compromised one from somewhere.

And if the image's filename is NOT re-encoded and stripped of its EXIF tags/properties, the image created in the tmp directory can be used as a link for reflected XSS, which is triggered when a victim clicks on the vulnerable link.

As for whether the previewed image is authenticated to run script requests, that depends on how it is read on the page where it is displayed. If it is loaded directly without any CSP protection, or not re-encoded as I have mentioned above, then it would be possible to run script requests.

isopach
  • Using an image in a temp directory for reflected XSS is often impossible. It depends on how the images are stored (temporary images may not be stored in a public directory) and the image format. The OP mentioned gifs and svgs. Gifs can't be used for reflected XSS, and while svg can be used for some servers (it depends on the headers returned by the server) it still requires the attacker to get the end user to click a link, making it a much harder XSS attack than most. – Conor Mancone Aug 17 '19 at 12:27
  • @ConorMancone Gif is just an extension. The filename is still an attack vector. – isopach Aug 21 '19 at 06:05
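The two answers above make two separate points: dandavis's that an SVG shown through an image element has its script/DOM sandboxed from the page, and isopach's that the attacker-chosen filename, not just the file body, is an XSS vector. The following is an added example written for this page, not code from the question or from either answer; the function names, the preview policy and the sample files are all assumptions. It decides from the file's content (not its extension) whether to preview at all, always renders through an `<img>` with a `blob:` URL, and treats the filename as untrusted text.

```javascript
// Added example, not code from the question or from either answer. Function names,
// the preview policy and the sample files below are all assumptions/constructed.

// Magic bytes for the raster formats a preview should accept. The extension in
// the filename is attacker-chosen, so the decision is made on content, not name.
const MAGIC = [
  { mime: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },   // "GIF8" (GIF87a / GIF89a)
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
];

// Returns the detected MIME type or null. SVG has no magic number; it is XML,
// so the leading bytes are decoded as text and checked for an <svg> root element.
function sniffImageType(bytes) {
  for (const m of MAGIC) {
    if (bytes.length >= m.bytes.length && m.bytes.every((b, i) => bytes[i] === b)) {
      return m.mime;
    }
  }
  const head = new TextDecoder('utf-8').decode(bytes.slice(0, 512)).replace(/^\uFEFF/, '').trimStart();
  if (/^(<\?xml[^>]*\?>\s*)?(<!--[\s\S]*?-->\s*)*(<!DOCTYPE[^>]*>\s*)?<svg[\s>]/i.test(head)) {
    return 'image/svg+xml';
  }
  return null;
}

// HTML-escape a value that will be concatenated into markup. With jQuery the same
// effect comes from $(el).text(name); $(el).html(name) with an unescaped filename
// is the mistake that turns a file called "<img src=x onerror=...>.gif" into XSS.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The policy: an unrecognised file is not previewed at all, and anything that is
// previewed goes through an <img> element. A browser never runs <script> inside an
// SVG shown by <img>, so the origin of the blob: URL (which is the page's own origin)
// never comes into play. The SVG text is never injected inline, and the file is never
// put in an <iframe>/<object>, where its script would run in the page's origin.
function previewPolicy(filename, bytes) {
  const mime = sniffImageType(bytes);
  if (mime === null) {
    return { allow: false, mime: null, reason: 'not a recognised image type' };
  }
  return { allow: true, mime, renderAs: 'img', label: escapeHtml(filename) };
}

// Browser wiring for the change event described in the question (plain DOM; jQuery
// would use $(input).on('change', ...)). Only call this where a DOM exists.
function installPreview(inputEl, containerEl) {
  inputEl.addEventListener('change', async () => {
    const file = inputEl.files && inputEl.files[0];
    if (!file) return;
    const head = new Uint8Array(await file.slice(0, 1024).arrayBuffer());
    const decision = previewPolicy(file.name, head);
    containerEl.textContent = '';                    // drop the previous preview
    if (!decision.allow) {
      containerEl.textContent = 'Cannot preview this file: ' + decision.reason;
      return;
    }
    const img = document.createElement('img');
    img.src = URL.createObjectURL(file);             // blob: URL, shown only via <img>
    img.onload = () => URL.revokeObjectURL(img.src);
    img.style.maxWidth = '200px';                    // the "resize" step of the preview
    img.alt = '';
    const caption = document.createElement('div');
    caption.textContent = file.name;                 // textContent, never innerHTML
    containerEl.append(img, caption);
  });
}

// Constructed sample inputs standing in for the files in the question.
const SAMPLE_GIF = new Uint8Array([0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00, 0x01, 0x00]);
const SAMPLE_SVG = new TextEncoder().encode(
  '<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">' +
  '<script>alert(document.domain)</script></svg>');
const SAMPLE_TEXT = new TextEncoder().encode('not an image at all');
const HOSTILE_NAME = 'greetings<img src=x onerror=alert(1)>.gif';
```

Note on the design: a `blob:` URL created from a file picked in the page carries the page's own origin, so the protection here comes from the rendering context (`<img>`, where SVG scripting is disabled), not from the URL scheme; loading the same `blob:` URL in an `<iframe>` or `<object>` would run the script with full access to the site. Content sniffing on the client is only a usability check; the server must still validate and re-encode what is actually uploaded.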