Web Security Web Security

Malicious Attachments

Learning Paths:
Check out a free preview of the full Web Security course:
The "Malicious Attachments" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

After discussing how code can be added or embedded into files, Mike shows a JPEG image that contains HTML in the image's EXIF meta information.

Get Unlimited Access Now

Transcript from the "Malicious Attachments" Lesson

[00:00:00]
>> Mike North: Let's say that we've fixed all of our cross-site scripting issues like this, and all this text that goes through the user generated text, nothing slipping by us now. This doesn't actually complete our protection because particularly when you start dealing with attachments you can embed some crazy stuff into some things that we typically think of as inert documents.

[00:00:32] For example, this is a PDF document that has a trojan embedded in it. And there's a lot of dynamic behavior that can be added to PDFs and like in this case, and thankfully this was published like in a white paper, right? After the vulnerability was patched, but it was someone who had.

[00:00:51] They basically found the ability for, to put something in a PDF that would modify memory that it was out of its bounds, right? Memory that did not belong to it. And as soon as you can do that it's just a matter of basically finding the right area of memory where maybe those are like that's code that will be executed by something, right?

[00:01:11] Or maybe it's a file that will be indexed by your operating system, so your next auto complete works. It's just a matter of time before you can identify the right spot to put things. You can also add malicious stuff to images. So there's a non visible portion of images.

[00:01:31] Have you ever looked at like pictures that you take and you see that you've got you've got like the geotags so you know you took it at a particular location and like maybe the camera that you used and the shutter speed. So like this is all stored in that image, it's part of the file, right?

[00:01:48] Cuz like with your digital camera I mean surely on your smartphone like it could have a database somewhere that it's tracking that. It turns out even with a regular camera just moving those raw image files over like you get this as well so there is non-visible data there.

[00:02:06] So, we're going to do, I know, I'm trying to get you to be skeptical. I'm about to show you something cool and there's no malicious thing happening here. So, in your project, in the examples folder, there's a picture of a squirrel. So, let's go take a look at that.

[00:02:27]
>> Mike North: So there's a picture of a squirrel. And what you're gonna wanna do is go locate that file in your finder or in your explorer, depending on your operating system. So there's examples. I'm just gonna open this up. Find in folder.
>> Mike North: Oops, that's the wrong thing, I want to reveal in finder.

[00:02:53] All right, so there's the file, and I'm gonna just take this JPG, and I'm just gonna drag it into a browser. Cuz it can handle JPGs.
>> Mike North: And there's a JPG. That's fantastic. So that's a squirrel, fine.
>> Mike North: Let me just delete this file here. You will see the point of it in a moment.

[00:03:20] Move to Trash, there we go. So if take this same squirrel.jpg, all I'm gonna do is I'm gonna replace the extension with HTML. Saying, do you really wanna do this? That seems weird. Let's drag it into another browser. We'll try Safari, and this is what we get.
>> Mike North: So, if we view source, what I've effectively done here is

[00:03:54]
>> Mike North: We've got, I have put some HTML in this non-visible data for this image. And because browsers, they try to be nice, if you give it something reasonable it will try to render it as HTML. It really wants to treat things as HTML, especially when it has an HTML extension.

[00:04:17] So it's gonna render this HTML, and whatever we can put in here, it'll be shown as a document. So now imagine you allow users to upload attachments and for some reason someone figures out a seemingly small issue like they have the ability to rename this file. So where once you add the ability to click on an image and you were looking at the full screen image there, sort of a zoom in effect.

[00:04:45] Now you click on that HTML document, and you're looking at this and it's hosted on the same domain as your application. I can put whatever script I want in here, and I can get that to run, right? Cuz this down here, this is JPG data. That's why it looks all funky, but up here it's HTML.

[00:05:04] So if we look at this, in fact, some really strange stuff going on here. So first off this link will work, like you could like to this page just like you can link to any other document. I can even have an image tag here where the source of the image is this document itself.

[00:05:21] So I'm recursively rendering this document. The outer one is treating it like HTML and then this is the image. It is the same document itself. It's like view an image in the sources myself and put it here. Really crazy stuff. So what we're gonna do after lunch, I've built a little tool for you where you can like have your own text file and essentially it will load this squirrel image with whatever HTML you want and we can see like what kind of wacky stuff we can create.

[00:05:56] You can go and fool your friends with this thing. Just be nice. Ask permission. Tell them it's something cool but that you're gonna be nice. So but the point here is it's not just about text. It's not just about strings that users are entering. As soon as you cross the line and allow users to spread attachments, your app basically becomes a potential vector for spreading this kind of stuff around.

[00:06:21] And that is a mean little squirrel there. It could some nasty stuff. So, we will play with this and we'll use this little tool I've added to this project to read from and write to that non-visible metadata for this. See how much trouble we can cause after about a one hour break.