I have recently been working on a security project and I have a task to demonstrate that JavaScript code injection can be done when the user uploads a malicious image, and that this is a lack of security if it's not handled. What I did is I used EXIFeditor to inject the image with some JavaScript code and then I uploaded the image into the browser using this code:

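// Requires: using System.IO; (for FileInfo)
protected void Upload_File(object sender, EventArgs e)
{
    var postedFile = Upload_fu.PostedFile;
    // Keep only the file-name part of whatever name the client sent
    string fileName = new FileInfo(postedFile.FileName).Name;
    string path = Server.MapPath("~/images/" + fileName);
    // The uploaded bytes are stored unchanged, metadata included
    postedFile.SaveAs(path);
    Success_msg.Text = "successfully saved";
    img_sr.ImageUrl = "~/images/" + fileName;
}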

Where img_sr is an <asp:Image and Upload_fu is an <asp:UploadFile. The JavaScript code I've injected is a simple alert("Hello world"). The problem is the code is not being executed. Can you guys tell me how I should make it execute, and can you show me some link that can give me a hint or something to make that happen? I tried it on Firefox 21 and IE 9. I've posted my question in Information Security but no one answered. I hope you guys can help. Thank you.

asked May 27, 2014 at 6:55, edited May 27, 2014 at 7:37, by Sora
  • How do you set the JavaScript alert in the image description? Does the editor you have used allow you to do the same, or any other method? – Dev Commented May 27, 2014 at 7:26
  • The software I used can change a tag inside the image and put a value (which is here the JavaScript code). Check out this link: php.webtutor.pl/en/2011/05/13/… – Sora Commented May 27, 2014 at 7:40

1 Answer

The browser will not automatically execute JavaScript from the image metadata. Your expectations are wrong. This has nothing to do with C# or .NET at all. What you want to do is to read out the JavaScript from the image metadata (by using JavaScript) and then execute the JavaScript that you read out by calling eval or doing something similar.

You can find a similar example here: http://blog.sucuri.net/2014/02/new-iframe-injections-leverage-png-image-metadata.html
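
On the defensive side of the answer above: an upload handler can keep embedded metadata out of the stored file altogether, so there is nothing for any later script to read out. The following is an added example, not code from the question or the answer; `SafeImageUpload`, `SaveSanitized` and the `MaxBytes` limit are hypothetical names and values, and it assumes `System.Drawing` is available to the ASP.NET application.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Web;

// Added example: SafeImageUpload, SaveSanitized and MaxBytes are hypothetical.
public static class SafeImageUpload
{
    private const int MaxBytes = 5 * 1024 * 1024; // assumed upload size limit

    // Decodes the upload, draws only its pixels onto a fresh bitmap and
    // re-encodes that as JPEG under a server-generated name. EXIF tags and
    // comments of the original are never copied. Returns the stored file
    // name, or null when the upload is not a decodable image.
    public static string SaveSanitized(HttpPostedFile postedFile, string imagesDir)
    {
        if (postedFile == null || postedFile.ContentLength == 0 ||
            postedFile.ContentLength > MaxBytes)
            return null;

        try
        {
            using (var original = Image.FromStream(postedFile.InputStream))
            using (var clean = new Bitmap(original.Width, original.Height))
            {
                using (var g = Graphics.FromImage(clean))
                    g.DrawImage(original, 0, 0, original.Width, original.Height);

                // The client-supplied name and extension are not reused.
                string storedName = Guid.NewGuid().ToString("N") + ".jpg";
                clean.Save(Path.Combine(imagesDir, storedName), ImageFormat.Jpeg);
                return storedName;
            }
        }
        catch (ArgumentException)
        {
            return null; // Image.FromStream throws this for non-image data
        }
    }
}

// Usage inside the page's Upload_File handler:
//   string name = SafeImageUpload.SaveSanitized(
//       Upload_fu.PostedFile, Server.MapPath("~/images/"));
//   if (name != null) img_sr.ImageUrl = "~/images/" + name;
```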
