This Image Is Also a Valid Javascript File

Sebastian Stamm on September 06, 2020

Images are usually stored as binary files, while a Javascript file is basically just text. Both have to follow their own rules: Images have a concr...
 
Ben Halpern

🤯

Dennis Ploeger

That is pretty awesome. Thanks. I'm thinking about possible security implications of this. Just like when PDFs got hacked. But the concept is different here. It would be worse if the file would be in an img tag and the browser would display it and run the JavaScript code.

ogoh cyril

Exactly
This post is a zero day attack 😂😂😂

But we want to execute it anyway. Our solution here is to just not tell the browser that it's an image. For that I wrote a small server that serves the image without any header information

It's a nice project tho

Vladimir Šetka • Edited

How is it a zero day attack? The <img> tag will never execute its content as javascript, regardless of the response headers.

Etienne Burdet

Wow, really… cool… 🤔 … scary?
One use could be to embed trackers in image files (giphy does that already maybe?). The other one would be straight hacking.

None of that sounds "great user experience", but it's good to know it's a thing 😬

Vladimir Šetka

How would you embed a tracker? The code won't execute unless it's in a script tag, at which point you might as well just load javascript.

If you're talking about embedding information in an image, there's already ways to do that (search for steganography).

Etienne Burdet • Edited

Well I don't know precisely, but I was thinking something around a giphy copy-paste style: either with iframe, or little bit of JS script that seems to load a valid image. Like "copy this <script> … </script> at the bottom of your page and insert your .gif URL", which seems to be perfectly valid .gif if you open in browser.

Or a service like cloudinary could do that: inject script in your images and then execute it inside their SDK (while the url still gives a perfectly valid image).
That seems over complicated though… giphy just uses a plain iframe without hiding anything and nobody cares 😅

Jabo

This is awesome! btw nice snake game 👀

Phil Ashby

From a previous conversation: dev.to/phlash909/comment/caol

For the ultimate in insane polyglot'ness, check out POC||GTFO publications (sultanik.com/pocorgtfo/) where Ange Albertini (github.com/angea) officially does voodoo.

Lu Yu

Sorry if I missed something from the article, but did you successfully execute some JS from an <img> tag in the end? It looks like that wouldn't be achievable?

Sebastian Stamm

My goal was not to execute code from an img tag, my goal was to create a file that is both an image and a script. Using the same file, the browser shows it as image in an img tag (without executing any Javascript), and executes the Javascript in a script tag (without showing any image).
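
An added example, not part of the article or of any comment in this thread: a simplified model of the checks the WHATWG Fetch Standard applies before a browser runs a response as a classic script, which is why the article's server (quoted earlier in the thread) serves the file without header information. The function names and sample responses are assumptions constructed for illustration; module scripts and cross-origin response blocking are not modelled.

```javascript
// Added example: simplified model of the Fetch Standard MIME checks for a
// classic <script src> load. All names here are hypothetical.

// JavaScript MIME type essences from the WHATWG MIME Sniffing Standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a Content-Type value to its lowercase "type/subtype" essence.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// headers: plain object keyed by lowercase header name.
function scriptLoadDecision(headers) {
  const essence = mimeEssence(headers["content-type"]);
  const xcto = String(headers["x-content-type-options"] || "");
  const nosniff = xcto.split(",")[0].trim().toLowerCase() === "nosniff";
  // With nosniff, only a JavaScript MIME type may run as a script.
  if (nosniff && !JS_MIME_TYPES.has(essence)) {
    return "blocked: nosniff requires a JavaScript MIME type";
  }
  // Without nosniff, media types and text/csv are still refused.
  if (essence && (/^(audio|image|video)\//.test(essence) || essence === "text/csv")) {
    return "blocked: " + essence + " is never run as a script";
  }
  return "allowed";
}

// Constructed responses for one and the same polyglot file.
const SAMPLE_RESPONSES = {
  "no headers": {},
  "declared as image": { "content-type": "image/gif" },
  "no type + nosniff": { "x-content-type-options": "nosniff" },
  "generic binary": { "content-type": "application/octet-stream" },
};
for (const [label, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(label + ": " + scriptLoadDecision(headers));
}
```

For files a site hosts on behalf of users, the "blocked" outcomes are the configuration to aim for: an accurate `Content-Type` together with `X-Content-Type-Options: nosniff`.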

Lu Yu

Ah I see. Very interesting and informative article!

michel-cpp

Wow that's cool

Juan F Gonzalez

This is actually very interesting! Although the fact of making the browser do things that it wouldn't do otherwise makes me think it would be used by someone somewhere in a malicious way.

Nipuna Weerasekara

Thanks this made my day

Amber 🏳️‍🌈

Wow, that's incredible.

Koas

Awesome!

Adrian Emil Grigore

Pretty cool hack! Nice!

Sharad Raj (He/Him)

Damn this is 👀