Optical Character Recognition(OCR) is the process of electronically extracting text from images or any documents like PDF and reusing it in a variety of ways such as full-text searches, invoice processing, document verification etc. This one such use case will be harmful as obvious when those extracted texts/results are used somewhere within the application or being reflected without validation.
So we just need to prepare an image containing our XSS vector which if the parser parses and reflects the output to the users it will lead to XSS.
I will take simple jpg as an example
you can create an image like that from here.
I am using tesseract for OCR along with a simple flask server which accepts the image as input and it parses and reflects back the extracted content to the admin or another user. You can find the code here.
- To start hit python ocr.py
- Now visit local server 127.0.0.1:5000
- Upload the above file
- Now visit /admin/ocr/files
- you will see the alert
Similarly, create an image with the tag or blind XSS payload to confirm a pingback to your local server.
Different parser acts differently to some character like tesseract will treat forward slash “/” as L so when you will put http:// it will become http:/l because of which it won’t work in the browser so for that I am using backslashes. like that, we have to figure out for others too.
Here I am using ngrok.io just for confirming the ping you can use burp collaborator or any other tool. So create your image with this content and upload and see if you get any hits.
If you are using OCR services not only filename but also sanitize the extracted text from the image or pdf before storing them into DB.
Once you upload an image check the response whether the contents of an image are also reflected? if yes it’s possible somewhere it is being used and if there is no check on how the output text is being reflected then it can lead to the XSS especially apps which are using OCR services.
So next time when you see any application asking for KYC or for uploading scanned documents, passport size photo, document verification you can mess around it.
Hope it helps thanks.