XSS by including JavaScript in image metadata

  • by Amando Abreu
  • on 07 February 2019

Every now and then I like to test sites I frequently visit, I figure since they have my data, it’s in my best interest for it to be secure.

There is a popular sports site that will remain unnamed that allows you to upload photos, given that high quality photography is an important part of this site, the image metadata tends to be left untouched, and shown publicly so visitors can see which camera was used, among other things.

This site has a history of having XSS vulnerabilities, so I naturally wondered if the image metadata was properly escaped.

All it took was adding this to the metadata in lightroom:


And after exporting to jpeg and uploading to the site, this code ran perfectly.

Given that this image would then be exposed on public lists, and a single image can reach multiple thousand views without much trouble, one would only need an admin to open the image to to hijack cookies and log in with admin privileges, or redirect users to a similar site for a phishing attack.

To increase the chances of an admin opening the image, one would only need to upload an “illegal” image that would surely get reported and deleted, but before the deletion happens the damage is already done.

I reported this on the same day I found it and they fixed it immediately.

About the author

Amando Abreu got into electronics as a kid, started programming microchips in his early teens, moved onto web development in his late teens, and got into people; psychology; and business in his twenties. Currently co-founder & CTO @ Perlo.io
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Subscribe to my Newsletter

No comments, just