
How to Bypass CSP by Hiding JavaScript in a PNG Image - mooreds
https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/
======
laszlokorte
I do not understand the security threat. Can somebody explain?

- you can write/encode/embed additional data into an image, fine

- twitter (and everyone else) hosts such images for you, fine

- twitter sends a CSP header that allows scripts from other origins to access
the full image data (i.e. the embedded data), fine, should not be a problem,
anybody has access to that data as it was specifically placed there, anyone
could download/mirror it anyway

Now when demonstrating the possible attack the author assumes a vulnerable
script on another domain that permits code injection. They inject javascript
code that decodes the data from the image that is fetched from twitter and
evals that extracted code. But if you can already inject javascript code
anyway, why would you need to decode the twitter image? You already have
access to the origin of the attacked page, loading the image from twitter
gains you nothing (e.g. it does not give you access to the twitter origin, e.g.
does not allow you to read twitter cookies, right?).

Given a site is vulnerable to code injection you could as well either just
inject _all_ your evil js code instead of hosting it on twitter inside an image
or, in case of length limits on the injectable code, just host the majority of
the evil code on your own server, configure it for CORS and then inject the
script-tag on your victim's site.

Am I missing something? I do not see how CSP is bypassed in any way.

