More Firefox JavaScript in Headers
This morning I thought I had a great idea, but it turns out I didn’t. I thought you might be able to include malicious JavaScript in any board that allows images, by modifying the headers to contain JavaScript. It turns out that was a wild goose chase. However, I was able to get JavaScript to render in the headers of things like images; see the demo (follow the instructions on the page).
I can’t see any simple way to exploit this directly, other than by social engineering people into going to images that look otherwise benign. When images are too small to be seen properly, people will oftentimes include a link to enlarge to the original size, and that would allow you to run JS in Firefox through the headers. Anyway, maybe someone else can think of something useful to do with this beyond social engineering.
May 23rd, 2007 at 7:26 pm
It’s quite an interesting idea, although I would presume same-origin policies would prevent the JavaScript from doing anything…
May 23rd, 2007 at 7:40 pm
Yah, I would presume so too. You could do some other stuff, like steal histories, do multiple CSRF or something like that, but yah, it’s got limited practical applications as-is.
May 23rd, 2007 at 8:59 pm
In Internet Explorer 7 it refreshed a whole lot.
May 23rd, 2007 at 11:39 pm
You’re using meta redirects to execute javascript, right?
What I don’t get is the jpg. Is the jpg a renamed php?!
Will you post the code?
Thanks
May 24th, 2007 at 2:16 am
Yeah, IE7 will refresh like … forever …
May 24th, 2007 at 2:27 am
Same thing: png image with javascript code in comments. Same limitations…
May 24th, 2007 at 4:00 am
I tried to search the jpg for the javascript, but I didn’t find anything, so how did you get the script working with the picture?
May 24th, 2007 at 8:49 am
I used to do this on my school website.
They had a php-file, that could only include local files. And they also had a photo-album.
I added php into the headers of a PNG and uploaded it using the photo album. Then I included it using the php file, and it could run the php in the png file.
~Icky
May 24th, 2007 at 9:13 am
I used an apache alias to point the .jpg name to a .cgi file (most of the header garbage was to make sure it would cache the image instead of re-loading it).
#!/usr/bin/perl
# Served under the .jpg alias; the caching headers keep the browser from re-fetching the image.
print "Last-Modified: Sun, 05 May 2002 00:57:41 GMT\n";
print "ETag: \"2563b0-67e6-b3d42b40\"\n";
print "Accept-Ranges: bytes\n";
print "Content-Length: 26598\n";
print "Content-Type: image/jpeg\n";
print "Connection: keep-alive\n";
# The Refresh header with a javascript: target is the part Firefox acted on when the image was viewed directly.
print "Refresh: 0; javascript:alert(\"It's a trap!\")\n\n";
# After the blank line that ends the headers, stream the real JPEG bytes unchanged.
open (FILE, "../images/itsatrap.jpg") or die "cannot open $!";
binmode FILE;
print while (<FILE>);
close FILE;
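For the defender's side of the trick in the script above, an added example (not from the original post or its comments) in Python: it parses a raw HTTP response header block and flags any Refresh header whose target uses a script-bearing scheme, reporting it together with the Content-Type so that an image response carrying one stands out in a proxy log or response scan. The sample response is constructed to mirror the headers the script prints.

```python
import re
from typing import List, Optional, Tuple

SCRIPT_SCHEMES = ("javascript", "data", "vbscript")

# Constructed sample: the header block the CGI script above would emit (body omitted).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Last-Modified: Sun, 05 May 2002 00:57:41 GMT\r\n"
    "Content-Type: image/jpeg\r\n"
    "Refresh: 0; javascript:alert(\"It's a trap!\")\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    # (name, value) pairs from the header block, names lower-cased, duplicates kept
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def refresh_target(value: str) -> Optional[str]:
    # Refresh is "N; url=URL" or "N; URL"; the URL may be quoted
    parts = value.split(";", 1)
    if len(parts) < 2:
        return None
    target = parts[1].strip()
    if target[:4].lower() == "url=":
        target = target[4:].strip()
    return target.strip("'\"")

def scheme_of(url: str) -> str:
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", url)
    return m.group(1).lower() if m else ""

def find_script_refresh(raw: str) -> List[str]:
    # Flag Refresh headers whose target is a script-bearing scheme, with the
    # Content-Type alongside: a served image has no business carrying one.
    headers = parse_headers(raw)
    ctype = next((v for n, v in headers if n == "content-type"), "unknown")
    findings = []
    for name, value in headers:
        target = refresh_target(value) if name == "refresh" else None
        if target and scheme_of(target) in SCRIPT_SCHEMES:
            findings.append(f"{ctype}: Refresh -> {target}")
    return findings
```

The same check applies to any response a proxy sees, not only images: a Refresh to an https: URL passes, while a javascript: or data: target is reported regardless of header-name case.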
May 24th, 2007 at 10:23 am
There are many sites with forums, comments, etc, that allow IMG tags, but not much else. An attacker could post a link to an image hosted on his site, thus executing JS on all visitors to the page. This could be a launch pad for anti-pinning, etc.
By the way, was Ackbar intended to be a reference to Fark?
May 24th, 2007 at 12:34 pm
It wouldn’t auto-exec unless the user clicked on the image to enlarge it or if they used an iframe tag instead of an img tag to show the image. No, Ackbar was just me making fun of myself setting a trap in an image.
May 24th, 2007 at 12:56 pm
Oh… Duh.
May 25th, 2007 at 1:48 am
excellent example!!
May 28th, 2007 at 11:42 am
This works in Opera 9.21 for refreshing the image. However the alert does not work.
August 11th, 2007 at 6:53 pm
Here’s the header that does it:
Refresh: 0; javascript:alert("It's a trap!")