Cross Site Scripting through image EXIF

by aloshbennett on October 18th, 2010

Cross Site Scripting (XSS) seems to be the most common vulnerability today with every other site having run into it at least once. In a nutshell, whenever a website displays unsanitized user-driven data (supplied directly or indirectly), it makes itself susceptible to XSS.

Image EXIF information is no exception. Although EXIF data is usually written by the digital camera, it can be edited with any of the freely available tools. Any tag can be modified, including the camera Make and Model, and JavaScript snippets supplied in their place.

Here’s a sample image with JavaScript alerts written into its EXIF. (Upload the picture to jpeginfo.com to see the JavaScript at work. The site doesn’t persist the image and hence is safe.) Most of the big names in photo sharing already sanitize the EXIF tags before displaying them, but there are a lot of smaller websites which are prone to this kind of XSS.
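What sanitizing EXIF tags before display looks like in practice, as an added example that is not part of the original post: a renderer that inserts tag values into HTML as-is, next to one that treats every tag as untrusted text. The function names, `MAX_LEN`, and the sample tag dictionary are assumptions made for illustration; the dictionary stands in for the output of whatever EXIF parser a site uses.

```python
import html
import re

# Constructed sample: tag values as an EXIF parser might return them,
# with script markup written into Make and Model as the post describes.
SAMPLE_EXIF = {
    "Make": "<script>alert('make')</script>",
    "Model": '<script>alert("model")</script>',
    "UserComment": b"ASCII\x00\x00\x00holiday \xff photo\x00",
    "Software": "A" * 500,
}

MAX_LEN = 128  # assumed display limit per value
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def render_unsafe(tags):
    """Vulnerable: tag values are concatenated into the page as-is."""
    rows = "".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in tags.items())
    return f"<table>{rows}</table>"


def clean_value(value):
    """Normalize one EXIF name or value to short text, then HTML-escape it."""
    if isinstance(value, bytes):
        # Binary tag types may not be valid UTF-8; never raise on them.
        value = value.decode("utf-8", errors="replace")
    # Drop control characters (NUL padding etc.) and cap the length
    # before escaping, so an entity is never cut in half.
    text = _CONTROL.sub("", str(value))[:MAX_LEN]
    # quote=True also escapes " and ', so the result is safe in attributes.
    return html.escape(text, quote=True)


def render_safe(tags):
    """Hardened: both tag names and values are escaped before output."""
    rows = "".join(
        f"<tr><th>{clean_value(k)}</th><td>{clean_value(v)}</td></tr>"
        for k, v in tags.items()
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_EXIF))
    print(render_safe(SAMPLE_EXIF))
```

Escaping belongs at output time, for every page that shows the tags; sanitizing only at upload leaves any image stored before the fix exposed.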

One Comment
  1. Looks like jpginfo does not exist any more
    One can use http://camerasummary.com/ instead
