Polyglot File

PNG  ✕  HTML  — same bytes, two identities

Tags: File Polyglot · MIME Confusion · XSS Vector · Content-Type Bypass
[Flow diagram] The source file png.html is served; the browser decides the context. Embedded as <img> it is decoded as a PNG; embedded as <iframe> it is parsed as HTML.

[Live demo] Two renderers show the same bytes side by side. In the <img> renderer (image context) the polyglot is rendered as an image, a valid PNG with no errors, and script cannot execute. In the <iframe> renderer the JavaScript is executed.

[Byte layout]
  89 50 4E 47    PNG magic bytes, parsed by the image decoder
  IHDR …         PNG header chunks
  … payload …    shared region, tolerated by both parsers
  <script>       HTML + JS hidden in the payload, parsed by the HTML engine
  alert(…)       executes in the iframe
Why it matters

An attacker uploads what looks like an innocent image to a file-hosting service. The bytes are a genuine PNG, so an image decoder, a thumbnailer or a magic-byte check all accept it. The script is reached only if something later interprets the same bytes as HTML: the stored name keeps an .html extension and the web server derives Content-Type from it, or the response carries no reliable Content-Type and sniffing is not disabled. In either case an <iframe> embed or a direct visit hands the file to the HTML engine, and the hidden script runs in the file host's origin, with that origin's cookies and storage. Embedding the file as an <img> is never enough on its own; the image decoder stops at the PNG structure and executes nothing.

The defence

Derive the Content-Type from the verified bytes of the upload, never from the file extension or the client-supplied type. A file whose magic bytes and chunk structure check out as PNG is served with an explicit Content-Type: image/png plus X-Content-Type-Options: nosniff; anything that does not match an allow-listed format is served as application/octet-stream with Content-Disposition: attachment. Two further layers cost little: host user uploads on a separate origin, so a file that is still parsed as HTML somewhere has no access to the main site's cookies or storage, and re-encode images on upload, which discards the ancillary chunks and trailing bytes where the HTML of a polyglot like this one lives.

Polyglot file hosted at 331.cybersec.fun  ·  Educational use only. Page design by claude.ai.