Images are usually stored as binary files, while a Javascript file is basically just text. Both have to follow their own rules: Images have a concr...
For further actions, you may consider blocking this person and/or reporting abuse
๐คฏ
That is pretty awesome. Thanks. I'm thinking about possible security implications of this. Just like when PDFs got hacked. But the concept is different here. It would be worse if the file would be in an img tag and the browser would display it and run the JavaScript code.
Exactly
This post is a zero day attack ๐๐๐
But we want to execute it anyway. Our solution here is to just not tell the browser that it's an image. For that I wrote a small server that serves the image without any header information
Its a nice project tho
How is it a zero day attack? The
<img>
tag will never execute its content as javascript, regardless of the response headers.Wow, reallyโฆ coolโฆ ๐ค โฆ scary?
One use could be to embed trackers in image files (giphy does that already maybe?). The other one would be straight hacking.
None of that sounds "great user experience", but it's good to know it's a thing ๐ฌ
How would you embed a tracker? The code won't execute unless it's in a script tag, at which point you might as well just load javascript.
If you're talking about embedding information in an image, there's already ways to do that (search for steganography).
Well I don't know precisely, but I was thinking something around a giphy copy-paste style: either with iframe, or little bit of JS script that seems to load a valid image. Like "copy this
<script> โฆ </script>
at the bottom of your page and insert your .gif URL", which seems to be perfectly valid .gif if you open in browser.Or a service like cloudinary could do that:ย inject script in your images and then execute it inside their SDK (while the url still gives a perfectly valid image).
That seems over complicated thoughโฆgiphy just juste plain iframe without hiding anything and nobody cares ๐
This is awesome! btw nice snake game ๐
From a previous conversation: dev.to/phlash909/comment/caol
Sorry if I missed something from the article, but did you successfully execute some JS from an tag in the end? It looks like that wouldn't be achievable?
My goal was not to execute code from an img tag, my goal was to create a file that is both an image and a script. Using the same file, the browser shows it as image in an img tag (without executing any Javascript), and executes the Javascript in a script tag (without showing any image).
Ah i see. Very interesting and informative article!
Wow that's cool
This is actually very interesting! Although the fact of making the browser do things that it wouldn't do otherwise makes me think it would be used by someone somewhere in a malicious way.
Thanks this made my day
Wow, that's incredible.
Awesome! ๐๐ป๐๐ป๐๐ป๐๐ป
Pretty cool hack! Nice!
Damn this is ๐