Authorized audit demo — JS payload smuggled inside the post image.
🧬 F-017 + F-034 — smuggled payload
The alert you just dismissed (and the console message) came from JavaScript stored inside this post's image, not from the blog content. The content here contains only a tiny loader that pulls the payload out of the image's iTXt chunk and executes it.
- F-017: the loader <script> runs because blog content is rendered unescaped.
- F-034: the payload survives upload because the server preserves every byte of PNG ancillary chunks.
- Net effect: a keyword/size-based HTML sanitizer that missed the inline loader sees ~20 lines of innocuous fetch+eval, not the hundreds of lines of malicious code it invokes.
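The F-034 half of this chain is closed by not preserving ancillary chunks at all. The following is an added example (not part of the audit demo or the target application) of an upload-side PNG filter: it walks the chunk table, validates lengths and CRCs, and rebuilds the file from critical chunks only, so iTXt/tEXt/zTXt data never reaches the served image. The sample PNG and its iTXt text are constructed here for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, payload) for each chunk; reject bad signature, lengths or CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", crc)[0]:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def is_ancillary(ctype):
    # Bit 5 of the first type byte is set (lowercase) for ancillary chunks: iTXt, tEXt, zTXt, ...
    return bool(ctype[0] & 0x20)


def strip_ancillary(data):
    """Rebuild the PNG keeping only critical chunks (IHDR, PLTE, IDAT, IEND)."""
    out = bytearray(PNG_SIG)
    for ctype, body in iter_chunks(data):
        if not is_ancillary(ctype):
            out += _chunk(ctype, body)
    return bytes(out)


def chunk_types(data):
    return [ctype for ctype, _ in iter_chunks(data)]


# Constructed sample: a 1x1 greyscale PNG whose iTXt chunk carries a stand-in script string.
SAMPLE = (PNG_SIG
          + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + _chunk(b"iTXt", b"Comment\x00\x00\x00\x00\x00" + b"alert(1)")
          + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + _chunk(b"IEND", b""))
```

Run the filter on every accepted upload before storage; the rebuilt file decodes identically because only metadata chunks are dropped.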
Authorized audit demo. The extracted payload is benign: alert(), console.log(), DOM update, title change. In a real attack the same shape would deliver a multi-stage C2 framework.
See JS_INJECTION_ATTACK_CHAINS.md and STEGANOGRAPHY_THREAT_ANALYSIS.md.