by xnyhps
3490 days ago
Re-encoding is not enough to prevent attackers from constructing polyglots, see https://www.idontplaydarts.com/2012/06/encoding-web-shells-i...

> Placing shells in IDAT chunks has some big advantages and should bypass most data validation techniques where applications resize or re-encode uploaded images. You can even upload the above payloads as GIFs or JPEGs etc. as long as the final image is saved as a PNG.

An attacker will likely be able to figure out the exact re-encoding you apply, so unless you add some form of randomness, the attacker can work backwards to get the payload they want included.
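A sketch of the "some form of randomness" idea from the comment above, added here as an example and not code from the commenter or the linked article: each 8-bit sample is shifted by -1, 0 or +1 using a CSPRNG before the scanlines are deflated, so the bytes stored in IDAT are no longer determined by the upload alone. Assumptions: the upload has already been decoded to raw 8-bit RGB by an image library, the function names are hypothetical, and the jitter size is an illustrative choice.

```python
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(kind: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))

def jitter(samples: bytes) -> bytes:
    """Shift every sample by -1, 0 or +1 (clamped to 0..255), chosen per sample."""
    return bytes(min(255, max(0, v + secrets.randbelow(3) - 1)) for v in samples)

def encode_png(width: int, height: int, rgb: bytes) -> bytes:
    """Write decoded 8-bit RGB pixels as a PNG, jittering them first."""
    if len(rgb) != width * height * 3:
        raise ValueError("pixel buffer does not match dimensions")
    noisy = jitter(rgb)
    stride = width * 3
    # Each scanline is prefixed with filter type 0 (None).
    raw = b"".join(b"\x00" + noisy[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b""))

def idat_payload(png: bytes) -> bytes:
    """Walk the chunk list and return the concatenated IDAT data."""
    pos, data = 8, b""
    while pos + 8 <= len(png):
        length, kind = struct.unpack(">I4s", png[pos:pos + 8])
        if kind == b"IDAT":
            data += png[pos + 8:pos + 8 + length]
        pos += 12 + length
    return data

def decode_pixels(png: bytes, width: int) -> bytes:
    """Inflate IDAT and strip the per-scanline filter byte (filter 0 only)."""
    raw = zlib.decompress(idat_payload(png))
    step = width * 3 + 1
    return b"".join(raw[i + 1:i + step] for i in range(0, len(raw), step))

# Constructed sample input: a 16x16 RGB gradient standing in for a decoded upload.
W, H = 16, 16
SAMPLE = bytes((x * 16 + y + c * 5) % 256 for y in range(H) for x in range(W) for c in range(3))
```

Serving uploads from a location where they are never interpreted as code remains the control that matters if a crafted IDAT stream does get through.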