Cenzic 232 Patent
Paid Advertising
web application security lab

More Firefox JavaScript in Headers

This morning I thought I had a great idea, but it turns out I didn’t. I thought you may be able to include malicious JavaScript into any board that allows images, by modifying the headers to contain JavaScript. It turns out that was a wild goose chace. However, I was able to get JavaScript to render in headers of things like images click here to see the demo (follow the instructions on the page).

I can’t see any simple way to exploit this directly, other than by social engineering people to go to images that look otherwise benign. When images are too small to be seen properly often times people will include a link to enlarge to the original size, and that would allow you to run JS in Firefox through the headers. Anyway, maybe someone else can think of something useful to do with this beyond social engineering.

15 Responses to “More Firefox JavaScript in Headers”

  1. Edward Z. Yang Says:

    It’s quite an interesting idea, although I would presume same-origin policies would prevent the JavaScript from doing anything…

  2. RSnake Says:

    Yah, I would presume so too. You could do some other stuff, like steal histories, do multiple CSRF or something like that, but yah, it’s got limited practical applications as-is.

  3. Awesome AnDrEw Says:

    In Internet Explorer 7 it refreshed a whole lot.

  4. Andrew Says:

    You’re using meta redirects to execute javascript, right?

    What I don’t get is the jpg? is the jpg a renamed php?!

    Will you post the code?

    Thanks

  5. blad3 Says:

    Yeah, IE7 will refresh like … forever …

  6. ethernode Says:

    Same thing: png image with javascript code in comments. Same limitations…

  7. sweetX Says:

    i tried to search the jpg for the javascript. but i didn’t find anything, so how did you get the script working with the picture?

  8. Icky Says:

    I used to do this on my school website.
    They had a php-file, that could only include local files. And they also had a photo-album.

    I added php into the headers of a PNG and uploaded it using the photo album. They I included it using the php file, and it could run the php in the png file.

    ~Icky

  9. RSnake Says:

    I used an apache alias to point the .jpg name to a .cgi file (most of the header garbage was to make sure it would cache the image instead of re-loading it).

    #!/usr/bin/perl
    print "Last-Modified: Sun, 05 May 2002 00:57:41 GMT\n";
    print "ETag: \"2563b0-67e6-b3d42b40\"\n";
    print "Accept-Ranges: bytes\n";
    print "Content-Length: 26598\n";
    print "Content-Type: image/jpeg\n";
    print "Connection: keep-alive\n";
    print "Refresh: 0; javascript:alert(\"It’s a trap!\")\n\n";

    open (FILE, "../images/itsatrap.jpg") or die "cannot open $!";
    print while (<FILE>);

  10. David Says:

    There are many sites with forums, comments, etc, that allow IMG tags, but not much else. An attacker could post a link to an image hosted on his site, thus executing JS on all visitors to the page. This could be a launch pad for anti-pinning, etc.

    By the way, was Ackbar intended to be a reference to Fark?

  11. RSnake Says:

    It wouldn’t auto-exec unless the user clicked on the image to enlarge it or if they used an iframe tag instead of an img tag to show the image. No, Ackbar was just me making fun of myself setting a trap in an image.

  12. David Says:

    Oh… Duh.

  13. Sergey Vzloman Says:

    excellent example!!

  14. Shadam Says:

    This works in Opera 9.21 for refreshing the image. However the alert does not work.

  15. Jackmcbarn Says:

    Here’s the header that does it:

    Refresh: 0; javascript:alert(”It’s a trap!”)