imagejs

imagejs is a small tool to hide javascript inside a valid image file. The image file is recognized as one by content checking software, e.g. the file command you might know from Linux or other Unix based operating systems.

Ubuntu-PPA

imagejs is now available via Ubuntu. You can add the PPA here or directly via sudo apt-add-repository ppa:jklmnn/imagejs.

imagejs version 0.7.1

imagejs 0.7.1 is out with some minor fixes.

Inject javascript into different image types!

Javascript can now be injected into gif, bmp and webp files. Bmp files work best, since their attributes don't change, at least not visibly. Gif images are manipulated in their width (set to 10799 pixels) and might not be displayed properly. Webp images are not yet tested and are beta, but it should work as well. If not, send me a bug report via Github or look at the contact site.
For all image types you have to pay attention that if the image data contains the sequence */ the javascript might not be executable, because that sequence ends the comment and the parser then stumbles over the unreadable image bytes that follow.

Inject javascript into existing gifs!

[Image: wiki-sunflower]

You might know this picture from Wikipedia as an example gif picture. But here it actually runs javascript, even though you can still view it and it looks the same as the one on Wikipedia. imagejs is able to inject javascript without changing the picture, so it won't look suspicious. But it doesn't work on every gif yet, since the image data can contain byte sequences that close the comment early; the rest of the picture then goes through the javascript interpreter, which stumbles over it.

BMP Images are now viewable!

By adding -l to the command, an image is not only valid and runnable javascript, it can also be displayed by a viewing program or a browser. Below you can see alert("Hi!"); as an image:
(This picture is resized; it has a height of only one pixel.)
Currently only bmp files are supported and all the code gets printed in one long line of pixels, but that will change in the future. Link that image as a script and see how it works!
(Note: If you have enabled browser add-ons that block javascript, it may not work. Even the existence of such an add-on can prevent the execution. I tried that with NoScript for Firefox.)

Background

A file created by this tool is able to extend XSS vulnerabilities. For example, if you are able to put a script tag on a website but can't run the script because the site only runs scripts from its own origin, you can just upload e.g. a profile picture containing the code you want to run. The idea came from Ajin Abraham, who tested this on gif files. Of course there are more file types that allow this.

How it works

Every file has a so called file header. That header is a bunch of bytes that have either a constant value or contain meta information about the file, like the size. A gif file header contains at least 10 bytes. The first six are the string GIF89a, which is just ascii and no problem to read for a javascript interpreter. The next four bytes are two bytes width and two bytes height. If you have a width and a height of 10 pixels it would look like this: 0x000a000a (two hex digits are one byte). But those are no printable characters, so the interpreter would complain that there is an illegal character.

What we do is to set the width to 10799 pixels, which is going to be 0x2f2a. That doesn't sound quite impressive, but it is also the ascii value for /*, which starts a comment in javascript. Now the following bytes are ignored until we close the comment. Let's say the picture is 48 pixels high, which would be 0x0030: an unreadable byte and an ascii 0. Now we can close the comment (the gif header is usually larger, but these two values are enough to trick the content check). Since a single identifier on its own would be a syntax error in javascript, we add =0;, which assigns the value 0 to the variable GIF89a. Our header now looks like this: GIF89a/*0*/=0;. After this you can add any valid javascript code.

The code will be executed when it is put into a <script> tag. The trick is that some servers prevent loading external javascript. But we didn't load javascript, we loaded a picture ;)
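The header layout described above is exactly what an upload filter can look for. The following checker is an added example, not part of imagejs: it parses the gif logical screen descriptor, flags a file whose width bytes spell /* (width 10799) and which also contains a closing */, and runs against two constructed sample headers.

```python
import struct

# Constructed sample: the polyglot header from the description above.
# "GIF89a" + width 10799 (little-endian bytes 0x2f 0x2a == "/*") + height 48,
# followed by the comment close and "=0;" that turn GIF89a into an assignment.
POLYGLOT_GIF = b"GIF89a" + struct.pack("<HH", 10799, 48) + b"*/=0;alert('Hi!');"

# Constructed sample: an ordinary 10x10 gif header with a few filler bytes.
BENIGN_GIF = b"GIF89a" + struct.pack("<HH", 10, 10) + b"\x00" * 16

# The two little-endian width bytes that read as a javascript comment opener.
COMMENT_OPEN_WIDTH = 10799  # 0x2a2f, stored in the file as 0x2f 0x2a


def gif_dimensions(data: bytes):
    """Return (width, height) from the gif logical screen descriptor, or None
    if the data does not start with a gif signature."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])


def looks_like_js_polyglot(data: bytes) -> bool:
    """Heuristic: a gif whose width field spells '/*' and whose remaining bytes
    contain a '*/' is shaped like the javascript-in-gif header described here.
    A legitimate 10799-pixel-wide gif without a closing '*/' is not flagged."""
    dims = gif_dimensions(data)
    if dims is None:
        return False
    width, _height = dims
    if width != COMMENT_OPEN_WIDTH:
        return False
    return b"*/" in data[8:]


def scan_uploads(files):
    """Return the names of uploads that should be rejected or re-encoded.
    `files` is an iterable of (name, bytes) pairs."""
    return [name for name, data in files if looks_like_js_polyglot(data)]


if __name__ == "__main__":
    samples = [("avatar.gif", POLYGLOT_GIF), ("photo.gif", BENIGN_GIF)]
    print(scan_uploads(samples))  # prints ['avatar.gif']
```

Re-encoding uploaded images server-side (which rewrites the header) and serving user content with X-Content-Type-Options: nosniff, so the browser refuses to execute an image MIME type as a script, both close the path described in the Background section.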

Share

If you like it, share it! Maybe others may like it, too.
You can share it on any platform you want to.
