I’ve talked about this before, but I thought I should actually build a tool to make this attack more practical. One thing I have seen a number of times is sites that accept image uploads, and even check that the uploads are valid images, but don’t rename them, so the file names themselves can still be malicious. Well, I finally created a tool to help with this type of testing. Here’s an example of something you might test for:
So you upload this file:
This ends up making the page look like:
So I built that script at /image-xss/ so that anything after it renders as a valid (small) image that will pass any validation algorithm. This may only have questionable applications, but it is something I haven’t seen any of the scanning vendors do. The moral of the story: if you do allow uploads, make sure you rename them to something safe. Nuff said.
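To make the moral concrete, here is the defender's side as an added example (not the post's tool, and not code from any particular upload library): the unsafe pattern that echoes the uploaded name straight into markup, beside a handler that validates the bytes, throws the user-supplied name away, and escapes whatever it does echo. The function names and the small allow-list are my own constructions for this example.

```python
import html
import os
import secrets

# Constructed allow-list for this example: extension -> magic bytes it
# must start with. Note that passing this check is exactly what a
# "valid small image" does, so content validation alone is not enough.
ALLOWED = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}


def render_vulnerable(filename: str) -> str:
    """The pattern the post warns about: the uploaded name is echoed into
    markup unchanged, so any tags in the name become live HTML."""
    return f'<img src="/uploads/{filename}">'


def safe_stored_name(original_name: str, data: bytes) -> str:
    """Check the content, then discard the user-supplied name entirely and
    store the file under a random hex name with an allow-listed extension."""
    ext = os.path.splitext(original_name)[1].lower()
    magics = ALLOWED.get(ext)
    if magics is None or not data.startswith(magics):
        raise ValueError("not an allowed image type")
    return secrets.token_hex(16) + ext


def render_safe(stored_name: str) -> str:
    """Even a renamed file is escaped when echoed into HTML, so the output
    stays safe if the naming rule is ever loosened."""
    return f'<img src="/uploads/{html.escape(stored_name, quote=True)}">'


if __name__ == "__main__":
    # Constructed sample upload: a name carrying markup, with a real GIF header.
    name = 'pic"><i>injected</i>.gif'
    body = b"GIF89a" + b"\x00" * 10
    print(render_vulnerable(name))            # markup from the name leaks through
    print(render_safe(safe_stored_name(name, body)))  # random name, escaped
```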