06-16-2020, 03:06 AM
XSS through Exif headers
Credits: Rouge Coder @ IntoSec
So, cross-site scripting is nothing new to people, but many assume that just because a website has no visible XSS vulnerabilities through forms or URL parameters, it isn't vulnerable at all. That is not the case. In this tutorial I'm going to explain how Exif headers can be used to carry XSS payloads into a site that displays image metadata.
What is Exif?
Wikipedia Wrote: Exchangeable image file format (Exif, often incorrectly EXIF) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.
Through the Exif headers we can read and display information like camera model, make, arbitrary comments, shutter speed, date, and much more.
So, how do we hack sites using these headers?
It's really a very easy process. The first thing to do is to find a website that actually displays information from these headers. You then need to gather some information about which Exif headers it displays. This can be done by looking at other pictures on the site. When this is done it's time to rock and roll.
In this tutorial I will use the camera model header.
Get a tool that can modify the Exif headers. I'm using Linux, so I'm using exiftool from the terminal. To modify the header I do this:
Code:
exiftool "-model=NIKON D80<script>alert('xss')</script>" image.jpg
which produces the output
Code [No Highlight]:
1 image files updated
Now, to verify that the malicious content actually made it into the header, I do this:
Code:
strings image.jpg | grep alert
which will output
Code [No Highlight]:
NIKON D80<script>alert('xss')</script>
Now that you have your infected image you need to get it onto the site. Either you can upload it yourself, or you will need to do some social engineering to get a person with upload permission to upload your image.
When someone now visits the page showing the infected image, and the developer hasn't done his job properly sanitizing and filtering input/output, the model tag is written straight into the HTML and your payload will execute.
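To show the defender's side of this, here is an added example that is not part of the original post: a small pure-Python reader for the Exif Model tag, plus the two ways a page might render it. `build_exif_jpeg` constructs a minimal JPEG with only an APP1/Exif segment (a stand-in for the file exiftool wrote above; it has no pixel data), `read_exif_model` pulls the Model tag out the way a gallery page would, and `render_unsafe` / `render_safe` contrast concatenating the tag into HTML with HTML-escaping it on output. All function names are my own; the tag number 0x0110 is the standard TIFF/Exif Model tag.

```python
import html
import struct
from typing import Optional

# TIFF/Exif tag number for "Model" (ASCII, TIFF type 2): the header edited in the post above.
EXIF_TAG_MODEL = 0x0110
TIFF_TYPE_ASCII = 2


def build_exif_jpeg(model: str) -> bytes:
    """Construct a minimal JPEG (SOI + APP1/Exif + EOI) whose only Exif entry is Model.

    Constructed test data only: there is no image data, just enough structure for a
    metadata parser to find and read the tag.
    """
    value = model.encode("ascii") + b"\x00"            # ASCII values are NUL-terminated
    tiff = b"II*\x00" + struct.pack("<I", 8)            # little-endian TIFF header, IFD0 at offset 8
    entry_count = 1
    data_offset = 8 + 2 + 12 * entry_count + 4          # tag value stored right after the IFD
    ifd = struct.pack("<H", entry_count)
    ifd += struct.pack("<HHII", EXIF_TAG_MODEL, TIFF_TYPE_ASCII, len(value), data_offset)
    ifd += struct.pack("<I", 0)                         # no next IFD
    payload = b"Exif\x00\x00" + tiff + ifd + value
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _model_from_tiff(tiff: bytes) -> Optional[str]:
    """Walk IFD0 of an embedded TIFF blob and return the Model tag as text, or None."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    (ifd,) = struct.unpack(endian + "I", tiff[4:8])
    (count,) = struct.unpack(endian + "H", tiff[ifd:ifd + 2])
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n, off = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if tag == EXIF_TAG_MODEL and typ == TIFF_TYPE_ASCII:
            # Values of 4 bytes or fewer live inline in the entry; longer ones at an offset.
            raw = tiff[e + 8:e + 12][:n] if n <= 4 else tiff[off:off + n]
            return raw.rstrip(b"\x00").decode("ascii", errors="replace")
    return None


def read_exif_model(jpeg: bytes) -> Optional[str]:
    """Scan JPEG marker segments for APP1/Exif and return the Model tag text, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                      # EOI or start of scan: no more metadata
            return None
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segment = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _model_from_tiff(segment[6:])
        pos += 2 + seg_len
    return None


def render_unsafe(model: str) -> str:
    """What the vulnerable page does: concatenate the tag straight into HTML."""
    return f"<p>Camera model: {model}</p>"


def render_safe(model: str) -> str:
    """Hardened: treat Exif text as untrusted input and HTML-escape it on output."""
    return f"<p>Camera model: {html.escape(model)}</p>"


if __name__ == "__main__":
    # Same tag value the exiftool command above wrote into image.jpg.
    tainted = build_exif_jpeg("NIKON D80<script>alert('xss')</script>")
    model = read_exif_model(tainted)
    print(render_unsafe(model))   # script tag reaches the browser intact
    print(render_safe(model))     # rendered as inert text
```

The fix is the usual one: the metadata is user-controlled bytes, so it gets contextual output encoding like any other untrusted string (and, at upload time, a length and character-set limit on the tags you actually intend to show). `strings image.jpg | grep alert` from the post is a quick way to confirm what a reader like this will see.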
Conclusion
This is a reminder that anything that comes from a user can be tampered with. As long as the user controls the data, the application must never trust it.
I hope you found this useful.
- Happy hacking!