javascript-js2png
How to prevent such attacks when offering image upload service?
One option to prevent this kind of attack is to use a tool that prevents generic canvas fingerprinting, that is, one that prevents or alerts the user about JavaScript code reading the content of a canvas.
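The alerting idea in the comment above, sketched as an added example that is not part of the original thread or of the javascript-js2png sources: it wraps the canvas read methods so every pixel read is reported with its call site. `watchCanvasReads` and its parameters are hypothetical names; `getImageData`, `toDataURL` and `toBlob` are the standard canvas APIs.

```javascript
// Added example: report script reads of canvas pixel data.
// watchCanvasReads and its parameters are hypothetical names for this sketch.
function watchCanvasReads(proto, methodNames, onRead) {
  const originals = new Map();
  for (const name of methodNames) {
    const original = proto[name];
    if (typeof original !== 'function') continue; // API absent in this environment
    originals.set(name, original);
    proto[name] = function (...args) {
      // Capture where the read came from before running the real method.
      const stack = (new Error().stack || '')
        .split('\n').slice(2, 5).map((s) => s.trim());
      try {
        onRead({ method: name, args, stack });
      } catch (_) {
        // A failing reporter must never break the page's own canvas use.
      }
      return original.apply(this, args);
    };
  }
  // Return an undo function so the hook can be removed cleanly.
  return function restore() {
    for (const [name, original] of originals) proto[name] = original;
  };
}

// Browser wiring (skipped when the canvas API is not present, e.g. under Node).
if (typeof CanvasRenderingContext2D !== 'undefined') {
  watchCanvasReads(CanvasRenderingContext2D.prototype, ['getImageData'],
    (e) => console.warn('canvas pixel read:', e.method, e.args, e.stack));
  watchCanvasReads(HTMLCanvasElement.prototype, ['toDataURL', 'toBlob'],
    (e) => console.warn('canvas export:', e.method, e.stack));
}
```

The hook only sees calls made after it is installed, so it has to load before any other script on the page; it reports reads and does not block them.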
Still working on recent browsers?
@x0uter good question, I can run some tests to check that
It was great, because I cannot run it. I don't know if I'm doing anything wrong, or recent browsers block it. Thanks @expobrain
Hi, @expobrain! First of all, thank you so much for the interesting article and awesome example! Have you tried to run it on the latest version of Chrome/Firefox? Also, as I understand, to execute code, I have to write a script which you mentioned? If yes, then how to write self-executable code? Thanks, anyway.
Hi @IgorSasovets, yes, I tested it and it is still working.
If you want to hide your code in a PNG you can just use my sources out of the box, you don't need to write anything, maybe just minimise and uglify the JS loader.
However you can write your own packer and loader to use a different file format like JPG, GIF, WEBP, you name it, the concept is still the same.
Thanks for the quick response) I will play with it)
I tested it in the latest Firefox and all works as expected) But in Chrome I got an error:
Uncaught DOMException: Failed to execute 'getImageData' on 'CanvasRenderingContext2D': The canvas has been tainted by cross-origin data.
at HTMLImageElement.<anonymous> (file:///D:/tests/javascript-js2png/html/js/loader.js:19:20)
Seems that it's blocked due to CORS requests policy. Can you please tell me how to solve this issue?
@IgorSasovets I reckon the issue is that you are loading the index.html using the file:// protocol, which increases the restrictions on what JavaScript can access. If you run make server and then navigate to http://localhost:8080 it will work.
Hi, @expobrain! Sorry for the late response. I tried your approach and now it works! Thank you for the support!)