.

Image files in Penetration testing

<<

satyr

User avatar

Newbie
Newbie

Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Thu Sep 23, 2010 12:36 am

Image files in Penetration testing

I am testing an application which takes image files (jpeg) as input.

I was thinking of ways to break the application using image files ...
I have been searching on the lines of giving the application a corrupt
image file ... there are posts about buffer overflow using jpeg
files ...

Anyone here has some experience on this ? would like to have some
pointers on this topic
<<

dante

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Thu Sep 23, 2010 8:56 am

Re: Image files in Penetration testing

First I admit I have no experience regarding this.
Am assuming it is a desktop application that takes in JPEG images and either renders or process the JPEG file.
First if it is an existing desktop application look for exploits in the wild already.
If it is a new application and you got the source, try static code auditing, else if you dont have the source, then fuzzing might reveal bugs in the application.
Here is a jpeg fuzzer.
http://www.securiteam.com/tools/6P00B1FNFM.html
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sat Sep 25, 2010 3:44 pm

Re: Image files in Penetration testing

What kind of application? Web app, client app, mobile app...

Don
CISSP, MCSE, CSTA, Security+ SME
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Sep 30, 2010 7:31 am

Re: Image files in Penetration testing

If it's a Web Application, the content of the JPEG files will most likely not matter except if the application reads and parses the input somehow in a vulnerable way.

There are of course, usually other vulnerabilities included with file uploading formulas where it is occasionally possible to upload php files with a simple %00 byte added to the end of the filename.

If it's a client application aka a real program, use the jpeg fuzzer dante recommended or create your own fuzzer  :)
I'm an InterN0T'er
<<

elcapitan

User avatar

Newbie
Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Post Wed Oct 06, 2010 9:54 pm

Re: Image files in Penetration testing

How do you know it accepts JPEGs? Can you do something like

  Code:
nerfarious_script.jpeg.exe
  ?

If you are authorized, try to upload several variants of files and proxy the application's response. Look for subtleties.

It may be suspectible to parameter tampering. In PHP, it would be something like
  Code:
include $_REQUEST['filename’];

If it's not validating your upload parameter, try some fuzzing; for example, /../../  or  command injection.
CISSP, Security+, CEH, OPP, et alii

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software