XSS via Exif Data - The P2 Elevator

Summary:

Everyone knows what “Exif data” is, so I found this Exif data vulnerability on my target website, where the server was not stripping the Exif data from uploaded images. Reporting Exif data exposure is considered P4, and in some cases P3, as per Bugcrowd’s VRT. So I thought of raising the severity of the bug by converting it into a Cross-Site Scripting (XSS) attack. Using ExifTool I injected an XSS payload into an image, uploaded it to the website and got XSS.

Normally, Exif data exposure falls into one of two categories, P3 and P4: P3 when the data is publicly available (for example, in a comment section) and P4 when only a few invited users work on a specific project. In the same way there are different categories for Cross-Site Scripting, of which I will mention two, Reflected and Stored. The severity of Stored is always higher than Reflected, so in my case the Exif data exposure was P3, but because I turned it into a stored XSS the severity was raised to P2.

If I had reported Exif data exposure alone it would have gone in as P3, but because I converted it into XSS it was accepted as P2. So I would suggest that one should always try to chain vulnerabilities to find something more severe.

Understanding Exif Tags:

EXIF stands for “Exchangeable Image File Format”. This type of information is formatted according to the TIFF specification and may be found in JPG, TIFF, PNG, JP2, PGF, MIFF, HDP, PSP and XCF images, as well as many TIFF-based RAW images and even some AVI and MOV videos.

The EXIF meta information is organized into different Image File Directories (IFDs) within an image. The Exif IFD is a set of tags for recording Exif-specific attribute information. There are many Exif tags in an image, but I am discussing only the one I used for the attack: the “Comment” tag, also known as the UserComment tag or the ImageDescription tag.

The Comment tag lets Exif users write keywords or comments on the image in addition to those in ImageDescription, and without the character-code limitations of the ImageDescription tag. That text is then processed by whichever Exif/DCF reader reads the UserComment tag.

Why it happened?

In my opinion,

There are many image-processing libraries that process an image’s metadata, and this metadata includes the image’s meta tags, also known as Exif data. The image-processing library, which in this case is the Exif/DCF reader, was not sanitizing the Exif tags of the image on upload, which led to XSS. It should either have removed the Exif data, or scanned the Exif tags and converted the XSS payload into HTML entities.

How I found this vulnerability:

1. My target website had an option to upload photos.

[Image: Upload Functionality]

2. So at first I uploaded a normal Exif image to check for the Exif data exposure vulnerability.

[Image: Uploading Exif Image]
[Image: Image Uploaded - Public]

3. Then I had an option to download the image, so I downloaded it and checked the Exif data.

[Image: Downloading The Image]
[Image: Exif Data]

4. Then I downloaded another image from Google and checked the Exif data.

[Image: Normal Image]

5. Then I inserted the XSS payload as Exif data into the image using ExifTool.

[Image: XSS Payload in Exif Data]

6. Then I uploaded the image to the website and got the XSS popup.

[Image: XSS via Exif Data]

Impact:

It can allow an attacker to hijack a user’s session and take over the account. Because the XSS is stored and the image is public, the impact is more severe.

Mitigation:

Always strip the Exif data (metadata) from uploaded images. If you do not want to strip the Exif data, then there should be a validation check on the metadata: it should check whether the metadata (Exif data) contains any malicious payload and, if so, remove it.
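Both mitigations side by side, as an added example that is not part of the original write-up: a stdlib-only JPEG segment walker that either drops the APP1/COM metadata segments entirely (`strip_metadata`) or, when the ImageDescription/UserComment text has to be displayed, HTML-encodes it before rendering (`safe_caption`). The sample JPEG is constructed in `build_sample_jpeg` (an assumed helper, Exif APP1 only, no XMP) so the script runs offline.

```python
import html
import struct
APP1, COM, SOS = 0xFFE1, 0xFFFE, 0xFFDA                # JPEG markers: Exif/XMP, comment, start of scan
TAG_IMAGE_DESCRIPTION, TAG_USER_COMMENT, TAG_EXIF_IFD = 0x010E, 0x9286, 0x8769

def split_jpeg(jpeg: bytes):
    """Return ([(marker, raw_segment)], tail): header segments up to SOS, then the scan data."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    segs, pos, marker = [], 2, None
    while marker != SOS and pos + 4 <= len(jpeg):      # after SOS only entropy-coded data follows
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        segs.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]

def strip_metadata(jpeg: bytes) -> bytes:
    """Mitigation 1: drop every APP1 (Exif/XMP) and COM segment; pixel data is kept byte-for-byte."""
    segs, tail = split_jpeg(jpeg)
    return b"\xff\xd8" + b"".join(s for m, s in segs if m not in (APP1, COM)) + tail

def exif_text_tags(jpeg: bytes) -> dict:
    """Walk IFD0 and the Exif sub-IFD; return {tag: text} for ImageDescription and UserComment."""
    found = {}
    for marker, seg in split_jpeg(jpeg)[0]:
        if marker != APP1 or seg[4:10] != b"Exif\x00\x00":
            continue
        tiff = seg[10:]
        bo = "<" if tiff[:2] == b"II" else ">"            # TIFF byte order: Intel or Motorola
        todo = [struct.unpack(bo + "I", tiff[4:8])[0]]    # offset of IFD0 within the TIFF block
        while todo:
            ifd = todo.pop()
            for i in range(struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]):
                e = ifd + 2 + 12 * i                      # each IFD entry is 12 bytes
                tag, _typ, cnt, val = struct.unpack(bo + "HHII", tiff[e:e + 12])
                if tag == TAG_EXIF_IFD:
                    todo.append(val)                      # pointer to the Exif sub-IFD
                elif tag in (TAG_IMAGE_DESCRIPTION, TAG_USER_COMMENT):
                    raw = tiff[e + 8:e + 8 + cnt] if cnt <= 4 else tiff[val:val + cnt]
                    raw = raw[8:] if tag == TAG_USER_COMMENT else raw   # skip character-code header
                    found[tag] = raw.split(b"\x00")[0].decode("utf-8", "replace")
    return found

def safe_caption(jpeg: bytes) -> str:    # mitigation 2: HTML-encode metadata before it reaches the page
    return " | ".join(html.escape(v) for v in exif_text_tags(jpeg).values())

def build_sample_jpeg(description: str) -> bytes:
    """Constructed input: SOI, Exif APP1 whose IFD0 holds one ImageDescription entry, empty SOS, EOI."""
    text = description.encode() + b"\x00"                # ASCII tag values are NUL-terminated
    tiff = b"II*\x00" + struct.pack("<IHHHIII", 8, 1, TAG_IMAGE_DESCRIPTION, 2, len(text), 26, 0) + text
    app1 = struct.pack(">HH", APP1, len(tiff) + 8) + b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + app1 + struct.pack(">HH", SOS, 2) + b"\xff\xd9"
```

Run `strip_metadata` on the upload path; use `safe_caption` only where the product genuinely needs to show the tag text.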

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Jerry Shah (Jerry)