Leveraging ExifTool to Modify File Metadata and Inject XSS

Vincent ie
MII Cyber Security Consulting Services
4 min read · Jun 11, 2024

What is ExifTool?

ExifTool is a powerful, open-source software application used for reading, writing, and editing metadata in a wide variety of file formats. It was developed by Phil Harvey and is highly regarded for its flexibility and extensive format support including EXIF, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP, and ID3, among others. This makes it an invaluable tool for photographers, archivists, and digital forensics experts who need to manage and manipulate metadata efficiently. ExifTool’s capabilities extend beyond simple metadata viewing and editing; it can also batch process files, extract embedded information, and convert metadata between different formats, making it an essential utility for anyone working with digital media.

One of the standout features of ExifTool is its ability to handle complex metadata tasks with ease. For example, users can use ExifTool to embed GPS coordinates into photos, adjust timestamps, and even add copyright information. This flexibility is facilitated by ExifTool’s powerful scripting capabilities, which allow for the automation of repetitive tasks. Additionally, ExifTool’s comprehensive documentation and active community support ensure that users can quickly find solutions to their metadata-related challenges. Whether you are a professional managing large collections of digital assets or an enthusiast seeking to organize your media library, ExifTool offers a reliable and efficient solution for all your metadata needs.

In our case, however, we will explore how ExifTool can be used to inject an XSS (Cross-Site Scripting) payload into a file’s metadata. By embedding malicious scripts within these metadata fields, we can demonstrate how attackers might exploit web applications that improperly handle or display this metadata, ultimately executing the embedded script and compromising the security of the application.

ExifTool CLI

There are a couple of ways to view the metadata of a file using ExifTool, but first you need to have ExifTool installed on your system. Once it is installed, open your command line interface and navigate to the directory containing the file you wish to inspect. When you type the command exiftool filename, where "filename" is the name of your file, ExifTool outputs all available metadata associated with that file. This metadata includes a variety of information such as the file's creation date, modification date, camera settings (for image files), and other embedded details. This comprehensive display allows users to easily access and review the hidden data within their files.

File Metadata via Command Prompt

The second, and my preferred, method is simply dragging and dropping the file onto the ExifTool executable. But first you must rename the ExifTool executable to exiftool(-k) so the application doesn’t automatically close on its own.

File Metadata via Drag n Drop

As you can see, it is the exact same result as when we ran ExifTool from the command prompt. But that’s not all you can do: ExifTool also allows you to edit and add metadata to the file. How? Let me show you.

Adding Comment Example

After that, we can see that the image files were successfully updated. Here is the result.

Updated File Metadata

If you manage to upload the file to a web server that handles this metadata without proper sanitization, it should run the payload inside the metadata. Here is the proof of it working.

Metadata Info of The Uploaded File
Upload The File

If the file is successfully uploaded, all you have to do is open the image in a new tab to see if it works.

Success

Conclusion

ExifTool is a powerful utility for reading, writing, and manipulating metadata in various file formats. While this capability can be used for legitimate purposes, it can also be exploited to inject malicious payloads, such as Cross-Site Scripting (XSS) attacks, into files. By embedding XSS payloads into metadata, attackers can compromise web applications that process or display this metadata without proper sanitization, potentially leading to severe security breaches.
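The "proper sanitization" mentioned above can look like this on the application side. This is an added example, not code from the original article: it contrasts a page that drops metadata into HTML as-is with one that escapes it, and flags fields that contain markup. The sample JSON is constructed to resemble exiftool's -j output, and the function names are hypothetical.

```python
import html
import json
import re

# Constructed sample shaped like `exiftool -j` output for one uploaded image.
SAMPLE_EXIFTOOL_JSON = """[{
  "SourceFile": "upload.jpg",
  "FileType": "JPEG",
  "ImageWidth": 640,
  "Comment": "<script>alert(1)</script>",
  "Artist": "Jane & Co"
}]"""

# Markup indicators that legitimate image metadata rarely contains.
MARKUP = re.compile(r"[<>]|javascript:|on\w+\s*=", re.IGNORECASE)


def load_tags(exiftool_json):
    """Return the tag dictionary of the first file in -j style JSON."""
    return json.loads(exiftool_json)[0]


def suspicious_tags(tags):
    """Names of tags whose value looks like HTML or script, for logging or rejection."""
    return sorted(k for k, v in tags.items() if MARKUP.search(str(v)))


def render_unsafe(tags):
    """Vulnerable pattern: metadata concatenated into the page unescaped."""
    return "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in tags.items())


def render_safe(tags):
    """Hardened pattern: every tag name and value is HTML-escaped on output."""
    return "".join(
        f"<tr><td>{html.escape(str(k))}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in tags.items()
    )


if __name__ == "__main__":
    tags = load_tags(SAMPLE_EXIFTOOL_JSON)
    print("flagged tags:", suspicious_tags(tags))
    print(render_safe(tags))
```

Escaping on output is the control that matters; the flagging function is only a detection aid. Stripping metadata from uploads before storing them (for example with exiftool's -all= option) removes the fields altogether.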
