repo

Reputation: 756

Image script injection

Hey, I am trying to defend my application from having JavaScript injected inside images. I am curious how the browser appends images to the page so that the script can be executed? I don't see how it can be done inside

<a href="image.png"></a>

??

Upvotes: 1

Views: 11177

Answers (2)

Quentin

Reputation: 943624

The usual attack vectors are:

  • By using a javascript: scheme URI for the src of the image (some modern browsers mitigate this by refusing to support javascript: scheme URIs for image sources).
  • By using bad image data that triggers a buffer overflow (or other low level security vulnerability) in the underlying image processing library the browser uses to render the image.

From the website you link to in the comments (it would have been helpful to mention that in the question itself since it is really obscure):

That technique just creates a file which is both an image and a JavaScript program. When loaded in the context of an image, it is treated like an image. When loaded in the context of a script, it is treated like a script.

To execute the image-script as a script you would have to add <script src="image.gif"></script>. There's almost never a reason to let people add script elements, so just don't do that.

Upvotes: 0

rootcss

Reputation: 375

Although these old vulnerabilities have been patched in most modern browsers, you could try some of these attacks:

 <img src="javascript:alert('ALERT');">
 <img src=javascript:alert('ALERT')>
 <img src=`javascript:alert("ALERT, 'ALERT'")`>
 <img src='#' onerror=alert(1) />

You can find full details and more examples here. Also, check how you can inject in <input> and other tags.

Edit: When you inject JavaScript into an image's metadata, it won't be executed as JavaScript; it will be interpreted as an image. PS: Regardless of any payload/JavaScript in an image, your browser won't evaluate it as JavaScript.

Upvotes: 1
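Both answers make the same defender-side point: user-supplied markup must never be able to introduce a `javascript:` URL in an image `src`, an `on*` event handler, or a `<script>` element, because an image file by itself is never evaluated as script. The allowlist sanitizer below is an added example, not code from either answer; it rebuilds a fragment from permitted tags and attributes only, and the particular tag/attribute allowlist is an assumption chosen for illustration. It is meant to be run against the payloads quoted in the second answer.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist of tags and the attributes each may keep; event handlers (on*)
# and <script> are deliberately absent. Constructed for this example.
ALLOWED = {"img": {"src", "alt", "width", "height"}, "a": {"href"}, "p": set()}
RAW_TEXT = ("script", "style")  # dropped together with their text content


def safe_url(value):
    # Browsers ignore control chars/whitespace inside a scheme; strip them first.
    cleaned = re.sub(r"[\x00-\x20]", "", value or "")
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in head:
        return True  # no scheme: relative URL such as image.png or #
    return head.split(":", 1)[0].lower() in ("http", "https")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: &#106;avascript arrives decoded
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = ""
            for name, value in attrs:
                if name.startswith("on") or name not in ALLOWED[tag]:
                    continue
                if name in ("src", "href") and not safe_url(value):
                    continue
                kept += f' {name}="{html.escape(value or "")}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Run on the four `<img>` payloads above, every `javascript:` source and the `onerror` handler are dropped while an ordinary `<img src="image.png">` or `<a href="image.png">` passes through unchanged; `<script src="image.gif"></script>` is removed entirely, which is what makes a GIF/JavaScript polyglot harmless.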
