Image Injection
Image injection is a class of attack where malicious content is embedded inside a file that is presented or processed as an image. The attack exploits the fact that parsers and browsers use different heuristics to determine a file’s type, and that image processing libraries sometimes execute embedded code.
Common image injection scenarios include:

- Polyglot files: a file that is simultaneously a valid image and a valid script (PHP, HTML, SVG). When such a file is saved with a .jpg extension and later served or included, the server or browser may execute the embedded payload.
- SVG injection: SVG files are XML and may contain <script> elements. Displaying attacker-supplied SVG inline triggers cross-site scripting.
- Metadata injection: EXIF data embedded in a JPEG can contain PHP code that is executed if the application passes the raw file to eval() or include().
Mitigation strategies include:

- Re-encoding uploaded images with GD or Imagick to strip embedded payloads
- Validating the MIME type server-side with getimagesize() or finfo
- Storing uploads outside the document root and serving them through a controller
- Disabling SVG upload or sanitising SVG content
```php
<?php
// Re-encoding through GD decodes the pixels and writes a fresh file, which
// drops EXIF metadata and any bytes appended after or hidden inside the image.
// Note: the result is always written back as JPEG at the same path, whatever
// the input type was (PNG transparency is lost), so serve it as image/jpeg.
function sanitizeImage(string $path): bool {
    // getimagesize() parses the header; it does not execute anything.
    $info = getimagesize($path);
    if ($info === false) {
        return false;
    }
    [$width, $height, $type] = $info;
    // Only raster types that GD can decode are accepted; anything else
    // (including SVG, which is XML) is rejected rather than passed through.
    $src = match ($type) {
        IMAGETYPE_JPEG => imagecreatefromjpeg($path),
        IMAGETYPE_PNG  => imagecreatefrompng($path),
        IMAGETYPE_GIF  => imagecreatefromgif($path),
        default        => false,
    };
    if ($src === false) {
        return false;
    }
    imagejpeg($src, $path, 90);
    imagedestroy($src);
    return true;
}
?>
```
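The remaining mitigations from the list above (server-side type validation, storage outside the document root, serving through a controller, refusing SVG) as an added example that is not part of the original page; the upload directory and the function names storeUpload() and serveImage() are illustrative assumptions, and this complements rather than replaces the re-encoding step shown above.

```php
<?php
// Added example (not from the original page): validate an upload by the
// MIME type detected from its bytes, store it outside the document root
// under a random name, and serve it through a controller. The directory
// and function names are illustrative assumptions.

const UPLOAD_DIR = '/var/app/uploads'; // assumed: not under the web root

// Raster formats only; SVG is XML and may carry <script>, so it is refused.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Returns the stored file name, or null if the upload is rejected.
function storeUpload(string $tmpPath, string $clientName): ?string {
    // Trust the bytes, not the client-supplied name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED[$mime])) {
        return null;
    }
    // The claimed extension must agree with the detected content.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (($ext === 'jpeg' ? 'jpg' : $ext) !== ALLOWED[$mime]) {
        return null;
    }
    // getimagesize() must also parse it as an image of that same type.
    $info = getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Server-chosen random name: the client never controls the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    return move_uploaded_file($tmpPath, UPLOAD_DIR . '/' . $name) ? $name : null;
}

// Controller: the file is looked up by its generated name, never by a path.
function serveImage(string $name): void {
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)
        || !is_file(UPLOAD_DIR . '/' . $name)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff'); // no browser content sniffing
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile(UPLOAD_DIR . '/' . $name);
}
```

Because the stored file is never under the web root and is only ever returned by readfile() with a fixed image Content-Type, a polyglot that slips past validation is delivered as bytes rather than handed to the PHP interpreter or interpreted by the browser as HTML.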
See also Unrestricted File Upload — OWASP and Image File Upload Security — OWASP Cheat Sheet.
Related: Image, Injection, Scalable Vector Graphics (SVG), Cross Site Scripting (XSS), File Upload, Security, HTML Escaping, LDAP Injection, SQL Injection