[Tutorial] XSS through Exif headers
#1
XSS through Exif headers

Credits: Rouge Coder @ IntoSec

So, cross-site scripting is nothing new to people, but most people think that just because a website doesn't have any visible xss vulnerabilities through forms, or url parameters doesn't mean that it's not vulnerable. In this tutorial I'm going to explain how you can take advantage of Exif headers to inject xss payloads.

What is Exif?

Wikipedia Wrote:Exchangeable image file format (Exif, often incorrectly EXIF) is a standard that specifies the formats for images, sound, and ancillary tags used by digitalcameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.

Through the Exif headers we can get and display information like camera model, make, arbitrary comments, shutter speed,date, and much much more.

So, how do we hack sites using these headers?

It's really a very easy process. The first thing to do is to find a website that actually display information from theseheaders. You then need to gather some information about which Exif headers it display's. This can be done by looking atother pictures on the site. When this is done it's time to rock and roll.

In this tutorial I will use the camera model header

Get a tool that can modify the Exif headers. I'm using Linux, so I'm using the exiftool from the terminal. To modify the header I do this.

Code:
exiftool "-model=NIKON D80<script>alert('xss')</script>" image.jpg

which produces the output
Code [No Highlight]:

1 image files updated

Now to verify that the malicious content actually made it into the header I do this
Code:
strings image.jpg | grep alert

which will output
Code [No Highlight]:

NIKON D80<script>alert('xss')</script>

Now that you have your infected image you need to get i onto the site. Either you can upload it yourself, or you will need todo some social engineering to get a person with upload permission to upload your image.

When someone now visits the infected image, and the developer haven't done his job properly sanitizing and filtering input/output, your payload will execute.

Conclusion

This is a reminder that anything that comes from a user can be tampered with. As long as the user controls the data, the application must never trust it.

I hope you found this useful
- Happy hacking!
Reply
#2
I never knew that exif headers a vulnerable to malicious js code. Learnt something new.
Thank you for posting it here.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Tutorial] PHP CGI exploit Insider 0 1,479 06-16-2020, 11:34 AM
Last Post: Insider
  [Tutorial] Request header MySQL injection using netcat and burp suite Insider 0 1,511 06-16-2020, 02:53 AM
Last Post: Insider
  [SSI] Server-Side Includes Injection. [Tutorial] Insider 4 3,788 03-27-2020, 04:55 PM
Last Post: Insider
  Guide to XSS (Examples included) NO-OP 3 14,355 04-29-2019, 12:44 PM
Last Post: mhiats37