XSS in IMG Tags |
Attack Pattern ID: 91 (Detailed Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft |
Summary
Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.
Attack Execution Flow
Spider:
Using a browser , an attacker is looking at the application to figure out if it allows to specify images, upload them, etc.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Use a browser to manually explore the website and identify entry points where the application allows the upload (or other means of specification) of images. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-WebIndicators
ID type Indicator Description Environments 1 Positive The application has image upload functionality.
env-Web2 Positive The application allows users to point to or otherwise specify images.
env-Web3 Inconclusive No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web4 Negative Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-WebOutcomes
ID type Outcome Description 1 Success A list entry points where images can be specified.Security Controls
ID type Security Control Description 1 Preventative Do not allow user upload or specification of images2 Preventative Proceed to a temporary account lockout when the user does too many suspicious attempts using image upload.
Probe identified potential entry points for XSS vulnerability:
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.
env-Web2 Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.
env-Web3 Use a proxy tool to record results of the created requests.
env-WebIndicators
ID type Indicator Description Environments 1 Positive The output of pages includes image tags specified by users.
env-Web2 Positive Output to the browser is not encoded to remove executable scripting syntax.
env-WebOutcomes
ID type Outcome Description 1 Success The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.)2 Failure All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute.3 Inconclusive Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings.Security Controls
ID type Security Control Description 1 Detective Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use.2 Preventative Apply appropriate input validation to filter all user-controllable input of scripting syntax3 Preventative Appropriately encode all browser output to avoid scripting syntax4 Preventative Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Steal session IDs, credentials, page content, etc.:
As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
env-Web2 Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
env-WebOutcomes
ID type Outcome Description 1 Success The attacker gets the user's cookies or other session identifiers.2 Success The attacker gets the content of the page the user is viewing.3 Success The attacker causes the user's browser to visit a page with malicious content.Security Controls
ID type Security Control Description 1 Detective Monitor server logs for scripting parameters.2 Detective Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.3 Preventative Apply appropriate input validation to filter all user-controllable input of scripting syntax4 Preventative Appropriately encode all browser output to avoid scripting syntax5 Preventative Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.Forceful browsing:
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
env-Web2 Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
env-WebOutcomes
ID type Outcome Description 1 Success The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.2 Success The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.Security Controls
ID type Security Control Description 1 Detective Monitor server logs for scripting parameters.2 Detective Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.3 Preventative Apply appropriate input validation to filter all user-controllable input of scripting syntax4 Preventative Appropriately encode all browser output to avoid scripting syntax5 Preventative Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.Content spoofing:
By manipulating the content, the attacker targets the information that the user would like to get from the website.
Attack Step Techniques
ID Attack Step Technique Description Environments 2 Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
env-WebOutcomes
ID type Outcome Description 1 Success The user sees a page containing wrong informationSecurity Controls
ID type Security Control Description 1 Detective Monitor server logs for scripting parameters.2 Detective Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.3 Preventative Apply appropriate input validation to filter all user-controllable input of scripting syntax4 Preventative Appropriately encode all browser output to avoid scripting syntax5 Preventative Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Likelihood: High
Techniques for discovery of XSS as well as tools and means to exploit them are fairly widely available and understood
Description
An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags.
A malicious user can embed JavaScript in the IMG tags in his messages that get executed within the victim's browser whenever the victim reads these messages.
The malicious user can leverage Cross Site Scripting in image tags to steal sensitive information, such as usernames, passwords or cookies, and impersonate other users on the forum.
Skill or Knowledge Level: Medium
Besides the ability to figure out possibilities of injection, the attacker requires moderate scripting skills to successfully leverage cross site scripting in image tags
In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered.
All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.
User-controllable input to the application. Any input that can legitimately accept and render HTML image tag can be used as an injection vector.
Execution of the script in the victim's browser, contained in the image tag or from the location pointed to within the image tag.
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
82 | Improper Sanitization of Script in Attributes of IMG Tags in a Web Page | Targeted |
79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | Targeted |
74 | Failure to Sanitize Data into a Different Plane ('Injection') | Secondary |
20 | Improper Input Validation | Secondary |
692 | Incomplete Blacklist to Cross-Site Scripting | Targeted |
697 | Insufficient Comparison | Targeted |
713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Targeted |
71 | Apple '.DS_Store' | Targeted |
Vulnerability ID | Relationship Description |
---|---|
CVE-2002-1808 | Cross-site scripting (XSS) vulnerability in Meunity Community System 1.1 allows remote attackers to inject arbitrary web script or HTML via JavaScript in an IMG tag when creating a topic. |
CVE-2006-6919 | Firefox Sage extension 1.3.8 and earlier allows remote attackers to execute arbitrary JavaScript in the local context via an RSS feed with an img tag containing the script followed by an extra trailing ">", which Sage modifies to close the img element before the malicious script. |
Nature | Type | ID | Name | Description | View(s) this relationship pertains to![]() |
---|---|---|---|---|---|
ChildOf | ![]() | 18 | Embedding Scripts in Nonscript Elements | Mechanism of Attack (primary)1000 |
Never Use Unvalidated Input as Part of a Directive to any Internal Component
Treat the Entire Inherited Process Context as Unvalidated Input
Submissions | ||||
---|---|---|---|---|
Submitter | Date | Comments | ||
Chiradeep B. Chhaya | 2007-03-15 | First Draft |
Modifications | |||||
---|---|---|---|---|---|
Modifier | Organization | Date | Comments | ||
Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise | ||
Romain Gaucher | Cigital, Inc | 2009-02-10 | Created draft content for detailed description | ||
Sean Barnum | Cigital Federal, Inc | 2009-04-13 | Reviewed and revised content for detailed description |