Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

XSS attack with javascript in img src attribute

Tags:

security

xss

Some older browsers are vulnerable to XSS attacks as such

<img src="javascript:alert('yo')" />

Current versions of IE, FF, Chrome are not.

I am curious if any browsers are vulnerable to a similar attack:

<img src="somefile.js" />

or

<iframe src="somefile.js" />

or other similar where somefile.js contains some malicious script.

like image 394
Matthew Avatar asked Nov 25 '09 17:11

Matthew


People also ask

Is JavaScript vulnerable to XSS?

In a Cross-site Scripting attack (XSS), the attacker uses your vulnerable web page to deliver malicious JavaScript to your user. The user's browser executes this malicious JavaScript on the user's computer. Note that about one in three websites is vulnerable to Cross-site scripting.

What is IMG SRC in JavaScript?

Definition and UsageThe src property sets or returns the value of the src attribute of an image. The required src attribute specifies the URL of an image. Note: The src property can be changed at any time.

What does img src => do?

The img src stands for image source, which is used to specify the source of an image in the HTML <img> tag.

How does XSS work in JavaScript?

To carry out a cross site scripting attack, an attacker injects a malicious script into user-provided input. Attackers can also carry out an attack by modifying a request. If the web app is vulnerable to XSS attacks, the user-supplied input executes as code.


2 Answers

All major browsers are still vulnerable to these attacks. Tons of ways of using img tags are still around.. For example...

<img src='#' onerror=alert(1) />

Look for RSnake's xss cheatsheet, those are just some vectors. By the way, I've heard he's coming up with a new version of his cheatsheet soon.

like image 85
pcp Avatar answered Oct 22 '22 03:10

pcp


No. Image data is never executed as JavaScript. The if the src is a JavaScript link, the JavaScript is executed, but the fundamental reading of data that comes from a request to the src does not involve JavaScript.

like image 40
Eli Grey Avatar answered Oct 22 '22 02:10

Eli Grey