JS via Images

Recently I came across some excellent research by Ange Albertini on abusing a GIF file to carry JavaScript. You can download his code from here. The following code is a custom-made GIF that also carries our JS payload.

You can compile the code using yasm.

Once you reference the compiled GIF as a script source, the browser will interpret it as JavaScript.

Can we inject it into legitimate images? Yes, we can inject it into both GIF and BMP images.
A GIF file starts with the header GIF87a. If the file is laid out as GIF87a/*image data*/=1;alert(2); a JavaScript parser treats GIF87a as a variable name, the image data is commented out, and the assignment and the code after it are interpreted normally.

The same applies to BMP images, whose header is BM 🙂 BM/*image data*/=1;alert(2);
Here is a small application that I've written to inject JS into legitimate GIF and BMP images.

https://github.com/OsandaMalith/ImageExploiter/blob/master/imgexploiter.c


Create a new HTML page to test this as


Our payload is nicely placed at the end of the image file like this

You could always obfuscate the code 😉

This might come in handy when pentesting an application whose Content Security Policy (CSP) denies loading scripts from external sources: if the application also has a file upload feature with a WYSIWYG editor, you could exploit this weakness in GIF and BMP handling 🙂
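From the defender's side, the layout described above (a '/*' right after the GIF or BMP magic, and JavaScript appended after the image's real end) is easy to recognise in an upload handler. The following is an added example, written for this page and not part of the original post or of the ImageExploiter tool: it walks the GIF block structure and the BMP headers to find where the image structurally ends, then reports the tell-tale signs. The function names are my own, and the sample files are constructed inline, not real uploads.

```python
import re
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# Comment close followed by an assignment: the "*/=1;" layout described in the post.
JS_TAIL = re.compile(rb"\*/\s*=")


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a chain of GIF data sub-blocks (length byte + data, ending in a 0x00 byte)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_true_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the trailer byte (0x3B)."""
    if data[:6] not in GIF_MAGICS or len(data) < 13:
        raise ValueError("not a GIF")
    pos = 13
    packed = data[10]
    if packed & 0x80:                      # global colour table: 3 bytes per entry
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                  # trailer: the structural end of the image
            return pos + 1
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:                # image descriptor (10 bytes including the 0x2C)
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:             # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                       # LZW minimum code size byte
            pos = _skip_subblocks(data, pos)
        else:
            raise ValueError(f"unexpected block id 0x{block:02x} at offset {pos}")
    raise ValueError("no trailer byte")


def bmp_true_end(data: bytes) -> int:
    """Return the offset just past the pixel array of a BMP (BITMAPINFOHEADER layout)."""
    if data[:2] != b"BM" or len(data) < 54:
        raise ValueError("not a BMP")
    bf_size, = struct.unpack_from("<I", data, 2)
    off_bits, = struct.unpack_from("<I", data, 10)
    _, width, height, _, bpp, compression, size_image = struct.unpack_from("<IiiHHII", data, 14)
    if compression == 0:                   # BI_RGB: size follows from geometry, rows padded to 4 bytes
        size_image = ((bpp * width + 31) // 32) * 4 * abs(height)
    return off_bits + size_image if size_image else bf_size


def scan_image_for_js_polyglot(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no polyglot tell-tales were seen."""
    if data[:6] in GIF_MAGICS:
        kind, magic_len, end_of = "gif", 6, gif_true_end
    elif data[:2] == b"BM":
        kind, magic_len, end_of = "bmp", 2, bmp_true_end
    else:
        return ["not a GIF or BMP"]
    findings = []
    # The bytes right after the magic are the width (GIF) or file size (BMP); "/*" there is the tell.
    if data[magic_len:magic_len + 2] == b"/*":
        findings.append(f"{kind}: bytes after the magic are '/*' (JavaScript comment opener)")
    try:
        end = end_of(data)
    except ValueError as exc:
        return findings + [f"{kind}: malformed image ({exc})"]
    tail = data[end:]
    if tail:
        findings.append(f"{kind}: {len(tail)} trailing bytes after the structural end of the image")
        if JS_TAIL.search(tail):
            findings.append(f"{kind}: trailing data closes a comment and assigns ('*/=' pattern)")
    return findings


# Constructed sample files (not real uploads): a 1x1 GIF and a 1x1 24-bit BMP,
# each in a benign form and in the polyglot layout the post describes.
_GIF_BODY = (b"\x80\x00\x00"                                 # packed byte (GCT, 2 entries), bg index, aspect
             + b"\x00\x00\x00\xff\xff\xff"                   # global colour table
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
             + b"\x02\x02\x44\x01\x00"                       # LZW min code size, one sub-block, terminator
             + b"\x3b")                                      # trailer
BENIGN_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + _GIF_BODY
POLYGLOT_GIF = b"GIF89a" + b"/*" + b"\x01\x00" + _GIF_BODY + b"*/=1;alert(1);"

_DIB = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
_PIXELS = b"\x00\x00\xff\x00"                                # one BGR pixel plus row padding
BENIGN_BMP = struct.pack("<2sIHHI", b"BM", 58, 0, 0, 54) + _DIB + _PIXELS
POLYGLOT_BMP = (b"BM" + b"/*" + b"\x00\x00" + struct.pack("<HHI", 0, 0, 54)
                + _DIB + _PIXELS + b"*/=1;alert(1);")

if __name__ == "__main__":
    for name, blob in [("benign gif", BENIGN_GIF), ("polyglot gif", POLYGLOT_GIF),
                       ("benign bmp", BENIGN_BMP), ("polyglot bmp", POLYGLOT_BMP)]:
        print(name, scan_image_for_js_polyglot(blob) or "clean")
```

The structural walk matters: a naive search for the GIF trailer byte 0x3B will not do, because ';' is also 0x3B and appears throughout the appended JavaScript. Scanning complements rather than replaces the usual upload hygiene: re-encode uploaded images (which discards anything after the real end), serve them from an origin that the CSP script-src does not allow, and send an accurate Content-Type together with X-Content-Type-Options: nosniff, which makes browsers refuse to execute a script whose response carries an image MIME type.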

I’d be very grateful to Dimitrios Kalemis for his continuous support in my journey to low level 🙂

Here is a short demo

http://seclist.us/imageexploiter-hide-your-js-payload-inside-a-gif-or-bmp-image.html

8 thoughts on "JS via Images"

  1. compiled this in VS2013 and it compiles and runs, created both a gif and bmp to test with, both display as images correctly but neither run as scripts on the page. Tested in latest IE and Chrome.

    Seems to look correct in the file as well, I see the end comment */ and then the =1, and then ;alert(1);, tried prompt and javascript:alert(1);, nothing seems to work.
