file command you might know from Linux or other Unix-based operating systems.
imagejs is now available via Ubuntu. You can add the PPA here or directly via
sudo apt-add-repository ppa:jklmnn/imagejs.
imagejs 0.7.1 is out with some minor fixes.
For all images you have to pay attention that if the image data contains
alert("Hi!"); as an image:
(This picture is resized, it has only a height of one pixel).
Currently only bmp files are supported and all the code gets printed in one long line of pixels, but that will change in the future. Link that image as a script and see how it works!
A file created by this tool is able to extend XSS vulnerabilities. For example, if you are able to put a script tag on a website but can't run the script because the site only runs scripts served from itself, you can just upload e.g. a profile picture containing the code you want to run. The idea came from Ajin Abraham, who tested this on gif files. Of course there are more file types that allow this.
Every file has a so-called file header. That header is a bunch of bytes that either have a constant value or contain meta information about the file, like the size. A gif file header contains at least 10 bytes. The first six are the string
GIF89a which is just ASCII and no problem to read for a JavaScript interpreter. The next four bytes are two bytes width and two bytes height. If you have a width and a height of 10 pixels it would look like this:
0x000a000a (two hex digits are one byte). But that's not a printable character, so the interpreter would complain that there is an illegal character. What we do is set the width to 10799 pixels, which is going to be
0x2f2a. That doesn't sound quite impressive, but it is also the ASCII value for
=0; which assigns the value 0 to the variable GIF89a. Our header now looks like this
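An added example for the defending side (not part of the original post and not imagejs code): an upload check that reads the GIF header fields described above and flags dimension bytes that spell a JavaScript comment opener. The function name, the MAX_DIMENSION limit and both sample byte strings are assumptions made for this illustration.

```python
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
MAX_DIMENSION = 8192  # assumed upload policy limit, not a value from the post


def inspect_gif_header(data):
    """Return findings for a GIF upload; an empty list means nothing suspicious."""
    if len(data) < 10 or data[:6] not in GIF_SIGNATURES:
        return ["not a GIF: signature or 10-byte header missing"]
    findings = []
    # Width and height are little-endian 16-bit values at offsets 6 and 8.
    width, height = struct.unpack_from("<HH", data, 6)
    opens_comment = b"/*" in data[6:10]
    if opens_comment:
        findings.append("dimension bytes contain 2f 2a ('/*'), a JS comment opener")
    for name, value in (("width", width), ("height", height)):
        if not 1 <= value <= MAX_DIMENSION:
            findings.append(f"{name} {value} outside 1..{MAX_DIMENSION}")
    # The opened comment only yields parseable script if it is closed later.
    if opens_comment and b"*/" in data[10:]:
        findings.append("'*/' after the header: file may parse as JavaScript")
    return findings


# Constructed samples: header bytes plus filler, no real image data or script.
BENIGN = b"GIF89a" + struct.pack("<HH", 10, 10) + b"\x00" * 8
SUSPICIOUS = b"GIF89a" + struct.pack("<HH", 10799, 1) + b"\x00" * 8 + b"*/=0;"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_gif_header(sample) or "clean")
```

A check like this complements serving uploads with their real image Content-Type and the X-Content-Type-Options: nosniff response header, which makes browsers refuse to run them as script.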