Entersoft Security Blog

Vulnerability: XSS in Image Name

Posted by Entersoft Team on Oct 25, 2017 9:54:32 PM
We have frequently come across cross-site scripting vulnerabilities (more about XSS) in input fields where HTML special characters are not sanitized. These days, however, most developers are aware of this vulnerability and diligently filter user-supplied input in forms and URLs.
So most applications are not vulnerable to that attack. That has not stopped attackers from finding another way to insert malicious JavaScript into an application: through the image name parameter. Developers often miss sanitizing the file name of an uploaded image. Taking advantage of this, attackers execute stored cross-site scripting attacks in the application.
 
If the image is not stored in the application then it is considered as a reflected XSS vulnerability.
 
If the image is getting stored in the application then it is considered as a stored XSS vulnerability.
 
Attack procedure:
  1. Take any application and log in to it.
  2. Go to the profile page.
  3. In the upload image parameter, upload an image whose file name is one of the payloads below.
Ex:
"><img src=x onerror=alert(0)>.jpeg
or
"><img src=x onerror=alert(0)>.png
 
Now upload an image with one of the above payloads as its file name and observe how the application renders it.
 
Remediation: Sanitize uploaded image names on the server before storing or rendering them.
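As an added example (not code from the original post), the two layers this remediation needs in Python: a server-side whitelist for the stored file name, and HTML encoding of whatever is rendered back. The allowed-extension set, length limit and `/uploads/` path are assumptions for the example.

```python
import html
import re
import unicodedata

# Assumed policy for this example; adjust to the application's needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAX_STEM_LENGTH = 64


def sanitize_image_name(original: str) -> str:
    """Return a safe storage name for an uploaded image, or raise ValueError.

    Layer one: never trust the client-supplied name. Drop any directory
    part, normalise Unicode, keep only a strict character whitelist in the
    stem, and require a known image extension.
    """
    # Strip any path component (handles both '/' and '\\' separators).
    base = original.replace("\\", "/").rsplit("/", 1)[-1]
    base = unicodedata.normalize("NFKC", base)
    stem, _, ext = base.rpartition(".")
    if not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("unsupported or missing image extension")
    # Whitelist letters, digits, dash and underscore; everything else,
    # including the '<', '>', '"', '=' and spaces used in the payloads above,
    # is removed rather than escaped.
    stem = re.sub(r"[^A-Za-z0-9_-]+", "", stem)
    if not stem:
        raise ValueError("no safe characters left in file name")
    return f"{stem[:MAX_STEM_LENGTH]}.{ext.lower()}"


def is_acceptable_name(original: str) -> bool:
    """Convenience wrapper: True if the name would be accepted for storage."""
    try:
        sanitize_image_name(original)
        return True
    except ValueError:
        return False


def render_image_tag(stored_name: str, alt_text: str) -> str:
    """Layer two: HTML-encode anything placed into markup, even a name that
    was already sanitized, so a later change in storage rules cannot
    reintroduce the bug."""
    return '<img src="/uploads/{}" alt="{}">'.format(
        html.escape(stored_name, quote=True), html.escape(alt_text, quote=True)
    )
```

Even if a raw payload reaches `render_image_tag`, the only `<` in its output is the one it writes itself.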
 
Research by Jos Rohill

Topics: Application Security, XSS, Cross site scripting, vulnerability