Home > CAPEC List > CAPEC-91: XSS in IMG Tags (Version 2.6)  

CAPEC-91: XSS in IMG Tags

 
XSS in IMG Tags
Definition in a New Window Definition in a New Window
Attack Pattern ID: 91
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.

+ Attack Execution Flow
Explore
  1. Spider:

    Using a browser , an attacker is looking at the application to figure out if it allows to specify images, upload them, etc.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use a browser to manually explore the website and identify entry points where the application allows the upload (or other means of specification) of images. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The application has image upload functionality.

    env-Web
    2Positive

    The application allows users to point to or otherwise specify images.

    env-Web
    3Inconclusive

    No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.

    env-Web
    4Negative

    Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    A list entry points where images can be specified.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Do not allow user upload or specification of images
    2Preventative
    Proceed to a temporary account lockout when the user does too many suspicious attempts using image upload.
Experiment
  1. Probe identified potential entry points for XSS vulnerability:

    The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.

    env-Web
    2

    Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.

    env-Web
    3

    Use a proxy tool to record results of the created requests.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The output of pages includes image tags specified by users.

    env-Web
    2Positive

    Output to the browser is not encoded to remove executable scripting syntax.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.)
    2Failure
    All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute.
    3Inconclusive
    Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
    2Preventative
    Apply appropriate input validation to filter all user-controllable input of scripting syntax
    3Preventative
    Appropriately encode all browser output to avoid scripting syntax
    4Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Exploit
  1. Steal session IDs, credentials, page content, etc.:

    As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.

    env-Web
    2

    Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker gets the user's cookies or other session identifiers.
    2Success
    The attacker gets the content of the page the user is viewing.
    3Success
    The attacker causes the user's browser to visit a page with malicious content.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor server logs for scripting parameters.
    2Detective
    Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
    3Preventative
    Apply appropriate input validation to filter all user-controllable input of scripting syntax
    4Preventative
    Appropriately encode all browser output to avoid scripting syntax
    5Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
  2. Forceful browsing:

    When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site

    env-Web
    2

    Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
    2Success
    The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor server logs for scripting parameters.
    2Detective
    Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
    3Preventative
    Apply appropriate input validation to filter all user-controllable input of scripting syntax
    4Preventative
    Appropriately encode all browser output to avoid scripting syntax
    5Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
  3. Content spoofing:

    By manipulating the content, the attacker targets the information that the user would like to get from the website.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    2

    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The user sees a page containing wrong information

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor server logs for scripting parameters.
    2Detective
    Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
    3Preventative
    Apply appropriate input validation to filter all user-controllable input of scripting syntax
    4Preventative
    Appropriately encode all browser output to avoid scripting syntax
    5Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
+ Attack Prerequisites
  • Application permitting the inclusion or use of IMG tags

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

Techniques for discovery of XSS as well as tools and means to exploit them are fairly widely available and understood

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags.

A malicious user can embed JavaScript in the IMG tags in his messages that get executed within the victim's browser whenever the victim reads these messages.

The malicious user can leverage Cross Site Scripting in image tags to steal sensitive information, such as usernames, passwords or cookies, and impersonate other users on the forum.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

Besides the ability to figure out possibilities of injection, the attacker requires moderate scripting skills to successfully leverage cross site scripting in image tags

+ Resources Required

None

+ Solutions and Mitigations

In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered.

All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
+ Injection Vector

User-controllable input to the application. Any input that can legitimately accept and render HTML image tag can be used as an injection vector.

+ Payload

HTML Image tag pointing to script or location of attacker's choice.

+ Activation Zone

Victim's web browser.

+ Payload Activation Impact

Execution of the script in the victim's browser, contained in the image tag or from the location pointed to within the image tag.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
Client-Server
SOA
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated: December 04, 2014