How to exploit XSS with an image complete Guide By Blackhat Pakistan 2023
Today we will learn about How to exploit XSS with an image .
How to exploit XSS
Cross-Site Scripting is one of the most common and powerful vulnerabilities on the web.
The OWASP organization ranked it third in the top ten most critical web application vulnerabilities.
A cross-site scripting attack is an attack on web applications that allows hackers to inject malicious scripts to perform malicious actions. The malicious script is executed on the browser side, which makes this attack very powerful and critical.
You can get more information about the attack with some good articles here:
/lethal-consequences-of-xss/
Or here:
/cross-site-scripting-XSS/
More Related article:Contemporary UEFI Bootkits by Blackhat Pakistan 2023
In this article we will discuss how we can use an image to perform XSS attacks from simple to advanced exploits.
Let’s go deeper
Let’s pretend we want to directly embed a JS script, how can we do that?
You need to know that if the webmaster/administrator of the platform allows running JS scripts from the same domain. If so, we can take advantage of it!
The target only needs to have a WYSIWYG editor that allows writing HTML code and downloading images. This is enough for a hacker to create a script and embed it in an image, or create an image with an embedded payload.
What is a payload? Simply put, it is a script that performs malicious actions.
Before going deeper into the exploits, I suggest you read the articles related to these vulnerabilities that I shared with you at the beginning of the article
Now imagine we can exploit XSS using an image. Can we post this as a comment on the article? A blog? With the BEeF hook or another exploit framework?
The results would be messy.
How can we do this?
To use it, you’ll need this script to insert JavaScript into the gif:
http://pastebin.com/6yUbfGX5
and this is for the bmps:
http://pastebin.com/04y7ee3u
These two scripts are developed in Python; the most important parts are:
The part that handles opening an open valid GIF header in Python with x2Ax2F (aka *).
If you open a gif image with a Hexadecimal editor, you can see in the metadata GIF89a, which verify the validity of our exploit.
Figure 3: Hexadecimal Editor
You can have more information here:
http://giflib.sourceforge.net/whatsinagif/bits_and_bytes.html
Finally, The Exploitation
Once you have downloaded the script, tape the following command that permits one to adapt the execution of the script into the Linux environment (the environment used is Kali Linux)
Figure 4: Adaptation of the script into Unix environment
Then, let’s inject our test script into the image with the following command (we will do the test with a gif image so that we will use the gif injector script ➔ The first one). This is just a simple payload that will show you a JavaScript alert with the message “Learn XSS with gif,” but in a real scenario, an attacker will try to steal your cookie, inject hook (like BEeF one), redirect you to a malicious site such as:
Figure 5: Injection of the XSS payload into the gif image
The result image will change from [image_name].gif to [image_name]_malw.gif.
Now we have injected our script into our image; we can use it as an HTML page with the following script, that is automatically generated:
Figure 6: HTML Script to execute the image
The image and script source is the output image.
Now let’s copy all the content of the directory, and put it into the /var/www directory, then run the apach2 service:
Figure 7: Starting APACH2 service
Then run the HTML page into your browser and SURPRISE:
Figure 8: Execution of the injected XSS payload
We can also exploit with a redirection like this:
Figure 9: Injection of redirection payload
We can also do it in C or ASM, not just in with Python; you can have more information there:
We can also use it with BEeF, which allows to a hacker a golden door to your browser. You can see related article to this powerful framework here:
How to prevent it
The prevention of this type of exploitation is very difficult, but you can provide it with the following points:
- Always filter user input
- Use whitelist for the elements loaded, even if it is from the same domain
- Use high-level models: MVC, PEAR, SRUTS…
- Use a token based system
Moreover, always remember never to let the user write into HTML anywhere on your platform, it is the most important thing.
Conclusion
An XSS vulnerability is one of the most powerful vulnerabilities on the web, so never underestimate it and never forget that it can be exploited not only with a vulnerable URL, but also embedded in content like the images we just saw.
In the next articles, we will find out how we can use XSS in applications and some advanced exploits.
Always remember: Never trust user input ☺
