The pictures we upload online are something we tend to think of as self-expression, but these very images can carry code that steals our passwords and data. Profile pictures, avatars, and image galleries are used all over the internet. While every image carries pixel data, and many also carry metadata about the camera or photo edits, it is far less expected that an image might actually be hiding malicious code.
How Is Hiding Code in an Image Possible?
Files are generally structured in a few different parts. Image files, for instance, generally begin with a declaration of the type of image data present. This is usually something like a "Start of Image" marker, a sequence or number that indicates what is going to follow it. GIF files begin with GIF87a or GIF89a when viewed as ISO 8859-1 text, or "47 49 46 38 37 61" in hexadecimal.
These signatures are followed by data that describes the arrangement and coloring of the image's pixels. This data, enclosed in an image file, is enough to create a usable bitmap image. However, in addition to this visible image data, metadata such as EXIF can be inserted in application marker segments following the end of the image data. At that point the image data has been both opened and closed with defined markers, and anything after it will not be processed as an image.
Metadata is generally only visible to the user when it is specifically parsed, and in the same way, hidden code will only be visible to a program that is looking for code to run. While this data often contains camera information, location data, or similar information about the photograph itself, it could also be stuffed with another file or, in this case, executable code.
Despite the hidden content included in an image file, it still behaves as a standard image, because the opening and closing components of the image content are sufficient for image-viewing programs to interpret and correctly display the image.
In the same way, when a website is told to look for a certain type of script, it will at least attempt to run it, or look for something it can use for the action it has been instructed to perform. If this script is an image file rather than a text file, the website will still be able to run the script as long as it can find the opening and closing elements of the code.
How Can This Technique Be Used?
Websites such as forums, hosting sites, or other sites with user-generated content often allow the uploading of images and the posting of text or media content.
In certain cases, HTML script tags will be permitted, perhaps through a widget available for users to add to their posts or pages. A script tag may be inserted where it should not have been due to a lack of form verification, often by using an escape tag like the HTML textarea element… but even if not, you'll be able to host your own web page that sources scripts from other pages, and if those scripts try to access cookies from the domain they're hosted on, they'll be granted access.
Step 1: Downloading & Installing Imagejs
Let’s begin by cloning the git repository for the project. The commands in these examples are entered in a Kali Linux terminal environment.
git clone https://github.com/jklmnn/imagejs
After cloning the repository, we move into the directory with the following command.
Finally, to compile the program, we simply run:
We can save this text under the filename of our choice, or write it directly to script.js with the following command:
echo 'window.alert("Null Byte");' > script.js
Once we have both the code we would like to embed and the image we would like to add it to, we can embed them using the following parameters. The script in this example is titled "script.js" and the image "image.jpg", both of which are in the same directory as the imagejs program, as we can confirm by running ls.
The syntax begins with running the program, imagejs. The first argument, in this case gif, indicates the file type. The second argument is the script we are using, and the final argument, following the -i flag, is the image we wish to modify.
./imagejs gif script.js -i image.gif
The name of the output file, in this case, will be "script.js.gif". However, we can rename it to whatever we choose.
To test the functionality of the script image, let's create an HTML test page with opening and body tags.
We can save this file as "script.html" or the filename of our choice. When we open it in a browser, it should look like the following image.
The <img> tag has been included to demonstrate that the GIF image is still entirely functional as an image, but it could be omitted and the script would still run.
Serving this from a file works because file systems don't specify file MIME types. Most modern web servers will specify a MIME type for the files they serve based on the file extension. If this is the case and the web server specifies an image MIME type (such as image/gif), modern browsers will not attempt to execute the script, because image MIME types are not executable.
The following script will write the page's cookies into the served web page. These cookies may be used to impersonate users by stealing their authentication tokens. Now, obviously, simply writing them to the user's own browser isn't going to get them to you (you'll have to write a script that quietly posts them to your own server), but this will serve as a simple proof of concept:
document.write('cookie: ' + document.cookie)
Finally, in order to deploy the attack, we need to find somewhere to upload our image and either another field that is vulnerable to XSS, where we are able to escape input verification and use a <script> tag, or (more easily) load the image (as a script) from our own phishing web page. In the example below, we uploaded our avatar, 1337.gif, and following a </textarea> exit tag, we enclosed it in script tags. After this, anyone who views this profile will have their cookies dumped to their browser window. Replace the script above with one that silently posts the values of document.cookie to a server of your choosing, and you've got yourself a silent credential thief.
Step 7: Defending Against the Attack
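As a defensive check added here (not part of the original article or the imagejs project), the Python below walks a GIF's block structure and accepts an upload only if its blocks chain cleanly from the signature to the trailer byte with nothing after it, the region the article notes is never processed as image data; it complements serving uploads with a correct image Content-Type. The GIF samples are constructed for this example.

```python
import struct
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

def _skip_sub_blocks(data, pos):
    # Advance past a chain of data sub-blocks; a zero-length block terminates the chain.
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size, pos = data[pos], pos + 1
        if size == 0:
            return pos
        pos += size

def check_gif(data):
    """Return (accepted, reason). Accept only a GIF whose last byte is its trailer."""
    if data[:6] not in GIF_SIGNATURES or len(data) < 13:
        return False, "missing or truncated GIF header"
    width, height, packed = struct.unpack("<HHB", data[6:11])
    pos = 13  # signature (6) + logical screen descriptor (7)
    if packed & 0x80:  # global colour table: 3 bytes * 2^(N+1) entries
        pos += 3 * (2 << (packed & 0x07))
    try:
        while True:
            if pos >= len(data):
                return False, "no trailer byte"
            block, pos = data[pos], pos + 1
            if block == 0x3B:  # trailer: the image must end here
                break
            if block == 0x21:  # extension: one label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif block == 0x2C:  # image descriptor (9 bytes), optional local colour table
                if pos + 9 > len(data):
                    return False, "truncated image descriptor"
                local_packed = data[pos + 8]
                pos += 9
                if local_packed & 0x80:
                    pos += 3 * (2 << (local_packed & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
            else:
                return False, "unknown block 0x%02x" % block
    except ValueError as err:
        return False, str(err)
    if pos != len(data):
        return False, "%d bytes follow the trailer" % (len(data) - pos)
    return True, "clean %dx%d GIF" % (width, height)

# Constructed samples: a valid 1x1 GIF, and the same image with bytes appended after its trailer.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x00"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
APPENDED_GIF = CLEAN_GIF + b"// constructed non-image bytes after the trailer"
```

A stricter pipeline re-encodes every accepted image with an image library, which drops trailing bytes and metadata alike, but the walker above needs no third-party dependency.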