Pixel Flood Attack

Why Does Resolution Matter?

Resolution is, in simple words, the size of an image. The goal of an image on a website is to load fast. It's useless to have massive images on your website that take forever to load, especially on mobile devices using a slower connection. Wherever there is image upload functionality, developers need to be concerned about image resolution.

What Happens If I Fail to Restrict the Image Resolution?

If the developer fails to check and validate the image resolution while the image is being uploaded to the server, there will be a heavy impact on the server when the application displays the same image back to the user. Whenever the application displays an image, the tag carries the height and width set by the developer.

eg: <img src='uploadedimagehere' height="100" width="500"/>

This was originally reported at HackerOne and addressed in Paperclip: if an attacker is able to upload an image with the maximum resolution, the server fails to compress it and return it to the user. Because the attack is based on resolution, it is described as flooding the server with pixels, or simply Pixel Flood.

Proof Of Concept:

I have come up with a simple scenario using my demo application, Task Management System, which will try to read the bytes of the uploaded image and return them to the user.

Let’s take a simple image with resolution of 160×90.

Use an online hex editor to edit the resolution. To keep it simple, convert the image resolution into hex values, i.e., 160 = A0, 90 = 5A.

Modify the height and width values to FEFE FEFE (65278×65278) and export it.

Now I am uploading the image to my application and observing the performance before uploading the image to the server.

Once the picture was uploaded, my application failed to display all images as its cache memory overflowed.

If we take a look at the system CPU consumption, it reached up to 80% due to Firefox processing.

Normally, in a real-time scenario, the target crashes completely and will throw a 504 Gateway Timeout error or "could not read image" errors.

Mitigation:

  • Paperclip released a patch for the issue reported on HackerOne: https://github.com/thoughtbot/paperclip/blob/73d40d165e739193a268b54baba170ed457799ac/lib/paperclip/geometry_detector_factory.rb
  • Disable inspecting EXIF for orientation.
  • Evil is everywhere: sanitize everything that comes from the user, including resolution.
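
One way to implement the resolution check from the list above, as an added example that is not code from the original post or from Paperclip: it reads the declared width and height from PNG, GIF and JPEG headers (going beyond the single image in the walkthrough) and rejects the upload before any decode or resize. `MAX_PIXELS`, the function names and the sample headers are assumptions constructed for illustration.

```python
import struct

MAX_PIXELS = 25_000_000  # assumed policy limit (about 5000x5000); tune per application
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # JPEG frame headers (not DHT/JPG/DAC)

def jpeg_dimensions(data: bytes):
    """Walk JPEG segments to the first SOF marker; None if malformed."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers without a length field
            pos += 2
        elif marker in (0xD9, 0xDA):  # scan data or end of image reached without a frame header
            return None
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            if marker in SOF_MARKERS and pos + 9 <= len(data):
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
                return width, height
            if length < 2 or marker in SOF_MARKERS:
                return None  # bogus length or truncated frame header
            pos += 2 + length
    return None

def declared_dimensions(data: bytes):
    """Return (width, height) declared in the header, without decoding any pixels."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])  # IHDR: big-endian width, height
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])  # logical screen size, little-endian
    if data[:2] == b"\xff\xd8":
        return jpeg_dimensions(data)
    return None

def is_acceptable(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """Reject an upload whose header is unreadable or declares too many pixels."""
    dims = declared_dimensions(data)
    return dims is not None and 0 < dims[0] * dims[1] <= max_pixels

def sample_png(w: int, h: int) -> bytes:  # constructed sample: signature + IHDR only
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I4sIIBBBBB", 13, b"IHDR", w, h, 8, 2, 0, 0, 0)

def sample_jpeg(w: int, h: int) -> bytes:  # constructed sample: SOI + APP0 + SOF0
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    return b"\xff\xd8" + app0 + b"\xff\xc0" + struct.pack(">HBHH", 17, 8, h, w) + bytes(10)
```

Call `is_acceptable()` on the raw upload bytes before handing the file to any image library, and keep the library's own pixel limit enabled as a second gate.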

References:

  • First reported by dutchgraa at HackerOne.
  • Based on my report at Quora.
  • PNG Flooding.
  • GIF Flooding.
