web application security lab

Image Upload XSS

I’ve talked about this before, but I thought I should actually build a tool to make this attack more practical to test. One thing I have seen a number of times is sites that accept image uploads, and even check that the images are valid, but don’t rename them to make sure the file names themselves aren’t malicious. Well, I finally created a tool to help with this type of testing. Here’s an example of something you might test for:

<IMG SRC="$filename">

So you upload this file:

http://ha.ckers.org/image-xss/"onerror="alert('XSS')"a=".jpg

This ends up making the page look like:

<IMG SRC=""onerror="alert('XSS')"a=".jpg">

So I built that script at /image-xss/ to allow anything after it to render as a valid (small) image that will pass any validation algorithm. This may have only questionable applications, but it is something I haven’t seen any of the scanning vendors do. The moral of the story is: if you do allow uploads, make sure you rename them to something safe. Nuff said.
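The two fixes the post points at are renaming uploads and encoding the name on output. The following is an added example (not code from the post or from ha.ckers.org) that puts the vulnerable `<IMG SRC="$filename">` pattern beside a hardened version: the stored name is regenerated from a random token plus an allow-listed extension, and whatever name does reach the template is HTML-attribute-encoded. The filename is the one the post uses; the function names, the extension allow-list and the `attribute_intact` check are assumptions made for this example.

```python
import html
import os
import re
import secrets

# Constructed sample input: the filename the post uploads to its test page.
MALICIOUS_NAME = '"onerror="alert(\'XSS\')"a=".jpg'

# Assumed allow-list of image extensions this upload handler accepts.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}


def render_vulnerable(filename: str) -> str:
    """The pattern the post describes: the user-supplied name is dropped
    straight into the SRC attribute with no encoding and no renaming."""
    return '<IMG SRC="%s">' % filename


def extension_allowed(original_name: str) -> bool:
    """True only if the extension is purely alphanumeric and on the allow-list."""
    ext = os.path.splitext(original_name)[1].lstrip(".").lower()
    return bool(re.fullmatch(r"[a-z0-9]+", ext)) and ext in ALLOWED_EXT


def safe_stored_name(original_name: str) -> str:
    """Discard the user-supplied basename entirely and keep only an
    allow-listed extension; the stored name is a random 128-bit hex token.
    Raises ValueError for anything not on the allow-list."""
    if not extension_allowed(original_name):
        raise ValueError("disallowed extension")
    ext = os.path.splitext(original_name)[1].lstrip(".").lower()
    return f"{secrets.token_hex(16)}.{ext}"


def render_safe(stored_name: str) -> str:
    """Attribute-encode on output as well, so even a name that somehow kept
    its quotes cannot close the SRC attribute and add an event handler."""
    return '<IMG SRC="%s">' % html.escape(stored_name, quote=True)


def attribute_intact(tag: str) -> bool:
    """Check whether the rendered tag still has exactly one quoted attribute
    value: two raw double quotes in total. A name that breaks out of the
    attribute introduces extra raw quotes."""
    return tag.count('"') == 2


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(MALICIOUS_NAME))
    print("escaped:   ", render_safe(MALICIOUS_NAME))
    renamed = safe_stored_name(MALICIOUS_NAME)
    print("renamed:   ", render_safe(renamed))
```

Renaming alone removes the attacker-controlled name from the page; output encoding alone keeps the attribute closed even if the raw name leaks into a template. Doing both means a single missed code path does not reopen the hole.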

6 Responses to “Image Upload XSS”

  1. Katy G. B. Says:

    pass any validation algorithms

    like so not true,

    any decent algorithm first ’should prolly rename’(though that’s a pointless debate. yeah its a quick, simple step and should be done. but any _decent_ algorithm will clean &validate any &all data that is coming from a user, but it should also clean any output its generating that’s come _from_ user input. so yeah, like any decent algorithm(even with renaming) would result in your lil image showing up.

    i know most web app security sucks… but not all of it does. input &output both need to be sanitized for user display. even without the sec worries just displaying any image named like that is horrible code. there’s a reason raw_url_de/encode() exist.

    –cause i’m lazy, to the next post–
    i store it, i validate it, i serve it…. filename should always be compatible with mimetype(and not the crappy post header). like there are reasons php has functions to verify. mimetypes don’t match(reasonably) i don’t care: its so not getting through. and if it does its only hanging out long enough to get stuff in a blob bag(db column).

    i’m new here, so maybe its just that since like i’ve been hacking, designing, &creating since having 12 colors was like the coolest. i hated the hell i lived in; that turned me to bbs… and vms and a different world. but more and more i’m glad i was so ‘connected’(online), just to detach from the ‘real’.

    funny huh? how its like former escapisms are becoming &actually like proving to be, valuable skills. even if it means that a good online app takes as long(if not longer) to fully deploy than an offline one. which i’d argue they do, like take possibly longer i mean.

    frameworks be damned, like i mean if i did write it, i’m prolly not gonna run it… def like not until i’ve read &understand it… and that so like totally means _all_ of it. i mean i love being an internet artist(in graphics, code, &dba-yeah like this girl does it all &i love it). but when i hear people talk about ‘faster’ design, roll out, implementation, or whatever as reason to use web 2.0 software it like seriously makes me cringe. if it is faster to make, its faster to break… oh goddess… i don’t even want to think about how many things must be so just so seriously wrong.

    i mean like not one designer who knew crup about security would want to implement them anyways, but i could keep babbling about this for hours. but seriously like who would want to be the poor person to have to ‘implement’ even just say, like ‘rails’…. not me, as kinky as i can be; even i’m not that big enough of a masochist. and the perl scripter’s who import and use cpan modules like air freshener. there are like tons of systemic problems with most only &even offline code. basically, like i’ve learned it just seems to be the focus of the passions of the designer.

    i blame the schools… lol, actually i kinda do. them & the companies who push for ‘rapid deployment’). but like yeah, i’m done writing about incorrect(i’m not saying intentionally bad) code… its much more fun to write my own safe, secure, stable, & pretty :) code.

    take care &great site… i’ll be back(if you don’t mind my ranting &babbling). but by the goddess i want to get my project done(one year+, one hand, about 70% to version 00.000F… *w00t&giggles*; *hugs&take care*

  2. RSnake Says:

    When I said “pass any validation engines” I meant the image, not the filename. I would hope that image passes them because it’s 100% valid and small enough not to get stopped by any height/width constraints. If you meant it wouldn’t pass because of the name, that’s the tester’s problem, not a problem with the image, which was my point. Sorry if that wasn’t clear.

  3. Anders Moen Says:

    Thanks for this. I didn’t know there were XSS holes like that. Thank you :)

  4. someone Says:

    It is not possible to create files with filenames that contain quotes and more…

    how did you create a filename that contains a quote?!

  5. Vinicius K-Max Says:

    @someone

    try a bash/perl/C/php script :)

  6. Nos Says:

    another reason to store images in a database, so it sounds; an auto-increment id is not likely to cause xss trouble :P