Hide Javascript inside JPEG file

At the recent Hack.LU 2014 conference, Saumil Shah from net-square gave a talk titled "Hacking with Pictures". The basic idea behind the talk is hiding JavaScript inside an image file; in this talk he extended the technique to JPEG. Those who are interested can read his presentation. Slides 17 and 18 describe how JavaScript can be inserted into a JPEG file.

I decided to reproduce his work myself. I chose a good picture from my collection.

image

I followed the steps mentioned in both slides, but still could not get the script to execute. A few issues had to be solved before the code would run. The JPEG file must not contain any of JavaScript's "special" characters: the browser's script engine complained about them. So I replaced the &, % and * characters in the original file with a space (0x20). After that initial replacement, I also had to append "*/" at the end of the script; this is needed to avoid a parsing error in the JavaScript engine.

After all the changes, the picture became:

image

The modified picture is not going to look close to the original. We still need to hide this from users, so we end up choosing pictures that contain only a small number of JavaScript special characters.

Here is the small HTML page I used for the demonstration:

<html>
<body>
<img src="image.jpeg">
<script src="image.jpeg">
</script>
</body>
</html>

Here is the output from the executed script:

image
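The technique above works because the same bytes are parsed once as a JPEG and once as JavaScript, which forces JavaScript-looking text into places a camera or image editor never writes it: the COM/APPn metadata segments and the bytes after the End-Of-Image marker. The following detector walks the JPEG marker structure and reports those indicators. It is an added example written for this post, not the author's code or Saumil Shah's tooling; the two sample inputs are constructed marker skeletons (not real images), and the token list is a heuristic you should tune for your own uploads.

```python
"""Heuristic JavaScript/JPEG polyglot detector (added example, not the post's code)."""
import re
import struct

# JavaScript fragments that have no business inside image metadata. Heuristic only.
JS_PATTERNS = re.compile(
    rb"alert\s*\(|eval\s*\(|document\.|window\.|function\s*\(|<script|\*/|\.src\s*="
)

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers without a length field


def marker_name(marker: int) -> str:
    names = {SOI: "SOI", EOI: "EOI", SOS: "SOS", COM: "COM"}
    if marker in names:
        return names[marker]
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    if 0xD0 <= marker <= 0xD7:
        return f"RST{marker - 0xD0}"
    return f"0x{marker:02X}"


def iter_segments(data: bytes):
    """Yield (name, payload, payload_offset) for each marker segment, for the
    entropy-coded scan data ("scan") and for any bytes after EOI ("trailer")."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield "SOI", b"", 2
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are allowed
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker_name(marker), b"", pos
            if marker == EOI:
                if pos < len(data):          # anything left is not image data
                    yield "trailer", data[pos:], pos
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # counts its own 2 bytes
        if length < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        payload_offset = pos + 2
        yield marker_name(marker), data[payload_offset:pos + length], payload_offset
        pos += length
        if marker == SOS:
            # Scan data runs until an 0xFF that is neither a stuffed 0xFF00 nor RSTn.
            scan_start = pos
            while pos < len(data):
                if data[pos] == 0xFF and pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break
                pos += 1
            yield "scan", data[scan_start:pos], scan_start


def find_polyglot_indicators(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings, saw_eoi = [], False
    try:
        for name, payload, offset in iter_segments(data):
            saw_eoi = saw_eoi or name == "EOI"
            if name == "trailer":
                findings.append(f"{len(payload)} bytes after EOI at offset {offset}")
            if name in ("COM", "trailer") or name.startswith("APP"):
                for m in JS_PATTERNS.finditer(payload):
                    findings.append(f"JS token {m.group(0)!r} in {name} at offset {offset + m.start()}")
    except ValueError as exc:                 # a file the walker cannot parse is itself a finding
        findings.append(f"malformed JPEG: {exc}")
    if not saw_eoi:
        findings.append("no EOI marker: truncated file or not really an image")
    return findings


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment for the constructed samples."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed skeletons: enough marker structure for the walker, not real images.
_BODY = _seg(0xDB, b"\x00" + bytes(64)) + _seg(SOS, b"\x01\x01\x00") + b"\x12\x34\xff\x00\x56"
CLEAN_SAMPLE = b"\xff\xd8" + _seg(COM, b"Created with a camera") + _BODY + b"\xff\xd9"
SUSPECT_SAMPLE = (
    b"\xff\xd8"
    + _seg(COM, b"alert('probe')")   # script text inside a comment segment
    + _BODY
    + b"\xff\xd9"
    + b"*/alert('hidden');"          # bytes after EOI, closing the comment as the post describes
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, find_polyglot_indicators(sample) or "ok")
```

Scanning uploads is one half of the defence; the other is the load in the HTML above. A file served with a correct Content-Type of image/jpeg together with the X-Content-Type-Options: nosniff header is refused by current browsers when referenced from a script element, because the response does not carry a JavaScript MIME type, so the picture is still displayed but is never executed.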

You can download these files here. (Please rename .docx to .zip)

This entry was posted in browser, IE.

11 Responses to Hide Javascript inside JPEG file

  1. Nico says:

    Hi,
    I tried to follow the same procedure without success. Can you provide a valid image or a step by step procedure? I am very curious. 🙂
    Thank you a lot and nice post

  2. wopot says:

    some old example i made to show
    how dangerous this can be:

    https://github.com/wopot/jsgifkeylogger

  3. tamadon says:

    Would you please put this file (html + jpeg in zip) for download?
    Because I can’t implement this!

    • hiddencodes says:

      I have included a “docx” file. That is actually a zip file with all the contents in it.

      • tamadon says:

        You are really awesome 🙂
        Thanks for your help…

      • Nico says:

        Thank you for this. Now I see what I was doing wrong.
        Now what is the practical use for this?
        I can see you can hide JavaScript code in a JPEG file. OK, now you upload the JPEG to the victim webserver, but how can you execute the code if you don't have an XSS vulnerability?
        I will try to find out in my future tests but if you guys have any ideas please share 🙂

      • hiddencodes says:

        I feel this is more useful in the context of browser exploitation, not really with webapp exploitation.

  4. tamadon says:

    Am I wrong?! What’s the point?!!!
    Please check this:
    http://tamadon.net/temp/file.zip

  5. Dead Sek says:

    wow ! epic
