XSS Image
Enhancing Security for File Uploads
March 11, 2016 - Tommy Dräger
Protecting File Uploads on Your Website
File uploads can introduce significant security risks if not properly managed. Here are various strategies and considerations to protect against common vulnerabilities, including script injections through image metadata.
The Attack Script
Attackers often attempt to upload scripts to execute arbitrary commands on the server. A simple example of such a script in PHP might look like this:
<?php
exec($_GET["cmd"]);
?>
Methods to Restrict File Uploads
- Verifying Content-Type
A common method to restrict file uploads is by verifying the content type (MIME type) of the uploaded files. This ensures that only files of specific types, such as images, are allowed.
Issue: This method can be bypassed using an intercepting proxy to tamper with the MIME type in the request (MIME type tampering).
Original Postdata:
Content-Type: image/jpeg
Tampered Postdata:
Content-Type: application/x-php
- File Extension Manipulation
Another approach is to check the file extension. Attackers might attempt to bypass this by using variations such as changing .php to .PHP or chaining multiple extensions like .php.foo.
- Embedding Scripts in Image Metadata
When direct script uploads are not possible, attackers might embed malicious scripts in the metadata of image files, particularly JPEGs. JPEG files support EXIF metadata, which includes a comment field that can store arbitrary text.
Embedding Scripts in JPEG Comments
JPEG files have headers that can include EXIF metadata. Attackers can insert scripts into these headers using tools like JHead, ExifTool, and edjpgcom. Here's how to use edjpgcom to add a script to a JPEG comment field:
- Download and install edjpgcom.
- Add the script to the JPEG comment:
  - Choose any JPEG file.
  - Use edjpgcom to insert the PHP script into the comment field.
edjpgcom -c "<?php exec(\$_GET['cmd']); ?>" yourimage.jpg
Potential Success of the Attack
The success of this attack depends on several factors:
- Server-Side Handling of Uploaded Images: If the server directly stores and serves uploaded images without validation or transformation (e.g., without Base64 encoding or stripping metadata), the script might remain intact.
- Accessing the Script: If the server allows executing files from the upload directory and does not validate the file contents, the embedded script can be executed via a GET request.
Mitigation Strategies
- Strict Validation and Sanitization:
  - Implement server-side checks to validate file content beyond MIME types and extensions.
  - Strip metadata from image files upon upload.
- File Storage Practices:
  - Store uploaded files in directories that do not have execution permissions.
  - Rename files to prevent execution based on their extensions.
- Use Security Libraries:
  - Utilize libraries designed for secure file handling and image processing.
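As an added example (not the author's code), here is a stand-alone Python implementation of the first two mitigations: walk the JPEG header segment by segment, drop the COM comment field and the APP1-APP15 metadata segments, cut anything appended after EOI, and give the stored file a server-chosen name. The sample bytes are constructed to mimic JPEG segment layout with the page's PHP one-liner planted in three places; they are not a decodable picture.

```python
import secrets
import struct

# Constructed sample: the segment layout of a JPEG (not a decodable picture)
# with the page's PHP one-liner planted in the COM field, inside an EXIF
# APP1 segment, and appended after EOI.
PHP_PAYLOAD = b"<?php exec($_GET['cmd']); ?>"
SAMPLE_JPEG = (
    b"\xff\xd8"                                      # SOI
    + b"\xff\xe0\x00\x07JFIF\x00"                    # APP0 JFIF header (kept)
    + b"\xff\xfe\x00\x1e" + PHP_PAYLOAD              # COM comment (dropped)
    + b"\xff\xe1\x00\x24Exif\x00\x00" + PHP_PAYLOAD  # APP1 EXIF (dropped)
    + b"\xff\xdb\x00\x05\x00\x00\x00"                # DQT table (kept)
    + b"\xff\xda\x00\x05\x01\x01\x00"                # SOS header, then scan
    + b"\x12\xff\x00\x34"                            # entropy-coded bytes
    + b"\xff\xd9"                                    # EOI
    + PHP_PAYLOAD                                    # trailing data (dropped)
)

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Re-emit a JPEG without COM and APP1..APP15 segments; cut anything after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos = bytearray(b"\xff\xd8"), 2
    # Walk the header segments one by one up to the first SOS (start of scan).
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        # TEM, RSTn, SOI and EOI carry no length field and never precede SOS.
        if data[pos] != 0xFF or marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            raise ValueError("corrupt JPEG header at offset %d" % pos)
        if marker == 0xDA:  # SOS: copy scan data verbatim through EOI, drop the rest
            end = data.find(b"\xff\xd9", pos)
            if end == -1:
                raise ValueError("corrupt JPEG: missing EOI marker")
            return bytes(out + data[pos:end + 2])
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos:pos + 2 + length]
        if len(segment) != 2 + length:
            raise ValueError("corrupt JPEG: truncated segment")
        # Keep APP0 (JFIF) and the decoding tables; drop COM (0xFE) and
        # APP1-APP15 (0xE1-0xEF), which carry EXIF, XMP, ICC and free text.
        if marker != 0xFE and not 0xE1 <= marker <= 0xEF:
            out += segment
        pos += 2 + length
    raise ValueError("corrupt JPEG: no SOS segment found")

def safe_upload_name() -> str:
    """Server-chosen name: random, fixed .jpg extension, nothing from the client."""
    return secrets.token_hex(16) + ".jpg"
```

Write the cleaned bytes under the generated name into a directory outside the web root or with script execution disabled; a progressive JPEG may carry further segments between scans, which this header-only pass copies verbatim, so re-encoding with an image library is the stronger option where one is available.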
Conclusion
While embedding scripts in JPEG comments can theoretically bypass some upload filters, the feasibility of this attack largely depends on the specific server-side implementation and security measures in place. Proper validation, sanitization, and secure file storage practices are essential to protect against such vulnerabilities.
By understanding these concepts and implementing robust security measures, you can significantly reduce the risk of malicious file uploads and ensure the integrity and safety of your web applications.