XSS threat through javascript served by GIF images

Discussion in 'other security issues & news' started by tlu, Nov 3, 2014.

  1. tlu

    tlu Guest

    Security researcher Ajin Abraham created a file that contains a valid GIF header - and executable javascript. The problem is that such manipulated images might circumvent the Content Security Policy (CSP) used by websites to protect themselves against the widespread cross-site scripting (XSS) attacks.

    The German IT blog Golem explains the trick in detail: A GIF image starts with the string GIF89a. Following this, the width and height of the image are defined. Now it's possible to choose the value 0x2f2a for the width, which is equivalent to 10,799 pixels - and which also matches the ASCII value for /*, which starts a comment in javascript.

    Now add the string */=1; to the end of the GIF image. The */ is the end of the above comment, and =1; means that the value 1 is assigned to GIF89a. In other words, javascript sees the following code:

    where comment can be replaced with any javascript code.

    Why is this a problem? It's a problem because web browsers normally execute javascript even if the file type is incorrect. The MIME type for javascript is application/x-javascript, for GIF images it's image/gif. Unfortunately, many files are delivered with wrong MIME types but the browser still tries to correctly interpret them despite false MIME types. Thus, a GIF file prepared accordingly will be executed as javascript regardless of its MIME type. In order to execute code on a website an attacker needs to exploit another existing XSS hole by injecting HTML code with the <script> tag - but that's exactly what CSP should protect against.

    According to Golem, this has been known as a potential security problem for quite some time. Microsoft introduced an unofficial header in IE9. If a webserver sets the header X-Content-Type-Options: nosniff, the browser knows that it must observe the MIME type, thus ignoring javascript code in images. Google Chrome also supports this header, and there is a patch for Firefox, although some people claim that Firefox is not vulnerable to that threat. However, according to Golem, NoScript adds the nosniff header support to Firefox, which is confirmed in the NoScript changelog for v.

    In any case, the nosniff header has to be added to the CSP if websites want to be protected against XSS attacks. I'm afraid that's the most alarming aspect of this story: The webmasters must deliver.
    Last edited by a moderator: Nov 3, 2014
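As an added example (not part of the post, and not code by Ajin Abraham, Golem or NoScript), here is a small defender-side check in Python that covers both points the post makes: it parses the GIF logical screen descriptor and flags a body whose width bytes spell `/*` (the bytes 0x2f 0x2a, which the GIF format reads little-endian as 10,799) and whose tail closes that comment, and it reports a response that lacks the `X-Content-Type-Options: nosniff` header. The sample bodies and header dicts are constructed for the demonstration; the function names are my own.

```python
import struct

# Constructed sample bodies for the demonstration (not real files from the post).
# CLEAN_GIF is a minimal 1x1 GIF-shaped blob ending in the 0x3b trailer.
CLEAN_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b"\x3b"
# POLYGLOT_GIF has the shape the post describes: width bytes '/*', tail '*/=1;'.
# There is no script payload here; it is only a fixture for the detector.
POLYGLOT_GIF = b"GIF89a" + b"/*" + struct.pack("<H", 1) + b"\x00\x00\x00" + b"*/=1;"


def parse_gif_dimensions(data: bytes):
    """Return (width, height) from the logical screen descriptor that follows
    the GIF87a/GIF89a signature, or None if the data is not GIF-shaped."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    # Both fields are unsigned 16-bit little-endian.
    return struct.unpack("<HH", data[6:10])


def looks_like_js_polyglot(data: bytes) -> bool:
    """Flag a GIF whose width bytes are '/*' (little-endian value 0x2a2f = 10799)
    and whose tail contains the '*/' that would close a javascript comment.
    A genuine GIF ends with the 0x3b trailer byte instead."""
    dims = parse_gif_dimensions(data)
    if dims is None:
        return False
    width, _height = dims
    tail = data[-16:]
    return width == 0x2A2F and b"*/" in tail


def missing_nosniff(headers: dict) -> bool:
    """True if the response does not carry X-Content-Type-Options: nosniff
    (header names and values compared case-insensitively)."""
    for name, value in headers.items():
        if name.lower() == "x-content-type-options" and value.strip().lower() == "nosniff":
            return False
    return True


def assess_image_response(headers: dict, body: bytes) -> list:
    """Combine both checks into a list of findings for one served image."""
    findings = []
    if looks_like_js_polyglot(body):
        findings.append("body: GIF header with '/*' width and '*/' tail (javascript polyglot shape)")
    if missing_nosniff(headers):
        findings.append("headers: X-Content-Type-Options: nosniff not set; a sniffing browser may run the body as script")
    return findings


if __name__ == "__main__":
    for label, hdrs, body in (
        ("clean, nosniff set", {"Content-Type": "image/gif", "X-Content-Type-Options": "nosniff"}, CLEAN_GIF),
        ("polyglot, no nosniff", {"Content-Type": "image/gif"}, POLYGLOT_GIF),
    ):
        print(label, "->", assess_image_response(hdrs, body) or ["no findings"])
```

The header check is the one that actually closes the hole the post describes, since a server that always sends `nosniff` stops the browser from treating a mis-typed GIF as script; the body check is only a cheap signature for auditing already-uploaded images, and a different width value or a differently placed comment closer would not match it.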