XSS via Exif Data - The P2 Elevator
Summary :
Everyone knows what is an “Exif Data”, so I found this exif data vulnerability on my target website where the server was not stripping the exif data from the uploaded images. Reporting exif data vulnerability is considered as P4 and in some cases P3 as per Bugcrowd’s VRT. So I thought of updating the severity of the bug by converting it into Cross Site Scripting (XSS) attack. So using Exiftool I injected XSS payload into an image and uploaded it on the website and got XSS.
Now in normal case exif data has two categories P3 and P4 where in P3 means when data is publicly available (for eg. comment section) and P4 means where few users are invited to work on a specific project. Same way we have different categories for cross site scripting too from which I will be mentioning two, Reflected and Stored. Here the severity of stored is anyhow more than reflected, so in my case the exif data was on P3 and I made it XSS which was a stored one so the severity got updated to P2.
If I would have reported exif data exposure it would gone for P3 but I converted it into XSS to it got accepted in P2. So I would suggest that one should always try to chain the vulnerabilities to find something more severe.
Understanding Exif Tags :
EXIF stands for “Exchangeable Image File Format”. This type of information is formatted according to the TIFF specification and may be found in JPG, TIFF, PNG, JP2, PGF, MIFF, HDP, PSP and XCF images, as well as many TIFF-based RAW images and even some AVI and MOV videos.
The EXIF meta information is organized into different Image File Directories (IFD’s) within an image. Exif IFD is a set of tags for recording Exif-specific attribute information. There are lots of exif tags in an image but I am discussing only one which I have used for an attack, “Comment” tag which is also known as UserComment tag or ImageDescription tag.
Comment tag for Exif users is used to write keywords or comments on the image besides those in ImageDescription and without the character code limitations of the ImageDescription tag which is then processed by Exif/DCF reader that reads the UserComment tag.
Why it happened ?
In my opinion,
There are many image processing libraries which processes the image’s metadata. Now this metadata also includes the meta tags of an image also known as exif data. This image processing libraries which is Exif/DCF reader in this case was not sanitizing the exif tags of an image on uploading which led to XSS. It should have removed exif data or it should have scanned the exif tags and converted the XSS payload into HTML entities in this case.
How I found this vulnerability ?
- My target website was having an option to upload photos
2. So at first I uploaded a normal exif image to check for exif data exposure vulnerability
3. Then I had an option to download the image, so I downloaded it and checked the exif data
4. Then I downloaded another image from google and checked the exifdata
5. Then I inserted the XSS payload as an exif data into the image using exiftool
6. Then I uploaded the image on the website and got the XSS popup
Impact :
It can allow an attacker to hijack the user’s session and take over the account. As it is a stored one and the image is public it can be more severe.
Mitigation :
Always strip the exif data (meta-data) from the uploaded images. If you don’t want to strip the exif data then there should be a validation check for metadata where it should check whether the metadata (exifdata) is containing any malicious payload and if yes then it should be removed.
