Image tags are an often overlooked, but convenient, means for a Cross Site
Scripting attack. The attacker can inject script contents into an image
(IMG) tag in order to steal information from a victim's browser and execute
malicious scripts.
Attack Execution Flow
Explore
Spider:
Using a browser, an attacker looks at the application to figure out whether it allows images to be specified, uploaded, etc.

Attack Step Techniques
  1. Use a browser to manually explore the website and identify entry points where the application allows the upload (or other means of specification) of images. Many browser plugins are available to facilitate the analysis or automate the discovery. (env-Web)

Indicators
  1. Positive: The application has image upload functionality. (env-Web)
  2. Positive: The application allows users to point to or otherwise specify images. (env-Web)
  3. Inconclusive: No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. (env-Web)
  4. Negative: Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. (env-Web)

Outcomes
  1. Success: A list of entry points where images can be specified.

Security Controls
  1. Preventative: Do not allow user upload or specification of images.
  2. Preventative: Proceed to a temporary account lockout when the user makes too many suspicious attempts using image upload.
Experiment
Probe identified potential entry points for XSS vulnerability:
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

Attack Step Techniques
  1. Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script element context, and observe system behavior to determine if the script was executed. (env-Web)
  2. Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script element context, and observe system behavior to determine if the script was executed. (env-Web)
  3. Use a proxy tool to record the results of the created requests. (env-Web)

Indicators
  1. Positive: The output of pages includes image tags specified by users. (env-Web)
  2. Positive: Output to the browser is not encoded to remove executable scripting syntax. (env-Web)

Outcomes
  1. Success: The attacker's script string is reflected verbatim at some point in the web site (if not on the same page). Note that sometimes the payload might be well encoded in the page, but not encoded at all in some other section of the same web page (title, etc.).
  2. Failure: All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in an HTML tag element, the payload may not be able to break out of the quotes in order to inject another attribute.
  3. Inconclusive: Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings.

Security Controls
  1. Detective: Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use.
  2. Preventative: Apply appropriate input validation to filter all user-controllable input of scripting syntax.
  3. Preventative: Appropriately encode all browser output to avoid scripting syntax.
  4. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
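The first control above (inspect every input channel, not just GET, and alert on well-known probe strings) as an added Python example; it is not part of the CAPEC entry. The three rules, the request representation and the two sample requests are constructed for the example; a real monitor would load a full probe catalog.

```python
import re
from html import unescape
from urllib.parse import unquote_plus

# Signatures for the well-known probe strings such a monitor alerts on
# (a small constructed set; a deployment would load a full catalog).
PROBE_RULES = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
}
INPUT_CHANNELS = ("query", "form", "cookies", "headers")  # GET, POST, COOKIES, HEADER

def normalise(value):
    # Undo up to two layers of URL-encoding plus HTML entities so an encoded
    # probe is matched by the same rule as its plain form.
    for _ in range(2):
        value = unquote_plus(value)
    return unescape(value)

def scan_request(request):
    """request maps each channel name to a dict of field -> raw value.
    Returns one (channel, field, rule) alert per matching rule."""
    alerts = []
    for channel in INPUT_CHANNELS:
        for field, raw in request.get(channel, {}).items():
            value = normalise(raw)
            for rule, pattern in PROBE_RULES.items():
                if pattern.search(value):
                    alerts.append((channel, field, rule))
    return alerts

# Constructed sample requests: a legitimate image post, and a probe spread over three channels.
LEGIT_REQUEST = {
    "query": {"topic": "42"},
    "form": {"message": '<img src="https://example.test/cat.png" alt="cat">'},
    "cookies": {"session": "abc123"},
    "headers": {"Referer": "https://forum.example.test/topic/42"},
}
PROBE_REQUEST = {
    "query": {"topic": "42"},
    "form": {"message": "<img src=x onerror=alert(1)>"},
    "cookies": {"theme": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    "headers": {"Referer": "javascript:alert(1)"},
}

if __name__ == "__main__":
    for channel, field, rule in scan_request(PROBE_REQUEST):
        print(f"ALERT {rule}: suspicious value in {channel}[{field}]")
```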
Exploit
As the attacker succeeds in exploiting the vulnerability, he can choose to steal the user's credentials in order to reuse or analyze them later on.

Attack Step Techniques
  1. Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, is loaded by the victim's browser, and sends document information to the attacker. (env-Web)
  2. Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, takes commands from an attacker's server, and then causes the browser to execute them. (env-Web)

Outcomes
  1. Success: The attacker gets the user's cookies or other session identifiers.
  2. Success: The attacker gets the content of the page the user is viewing.
  3. Success: The attacker causes the user's browser to visit a page with malicious content.

Security Controls
  1. Detective: Monitor server logs for scripting parameters.
  2. Detective: Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referer headers most of the time. These can help indicate that the actual request is illegitimate.
  3. Preventative: Apply appropriate input validation to filter all user-controllable input of scripting syntax.
  4. Preventative: Appropriately encode all browser output to avoid scripting syntax.
  5. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Forceful browsing:
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user is the one who performs the attacks without being aware of it. These attacks mostly target application logic flaws, but they can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).

Attack Step Techniques
  1. Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, is loaded by the victim's browser, and performs actions on the same web site. (env-Web)
  2. Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, takes commands from an attacker's server, and then causes the browser to issue requests to other web sites (especially web applications that have CSRF vulnerabilities). (env-Web)

Outcomes
  1. Success: The attacker indirectly controls the user's browser and makes it perform actions that exploit CSRF.
  2. Success: The attacker manipulates the browser through the steps that he designed in his attack. The user, logged in to a website, is now performing actions he is not aware of.

Security Controls
  1. Detective: Monitor server logs for scripting parameters.
  2. Detective: Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referer headers most of the time. These can help indicate that the actual request is illegitimate.
  3. Preventative: Apply appropriate input validation to filter all user-controllable input of scripting syntax.
  4. Preventative: Appropriately encode all browser output to avoid scripting syntax.
  5. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Content spoofing:
By manipulating the content, the attacker targets the information that the user would like to get from the website.

Attack Step Techniques
  2. Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, is loaded by the victim's browser, and exposes attacker-modified invalid information to the user on the current web page. (env-Web)

Outcomes
  1. Success: The user sees a page containing wrong information.

Security Controls
  1. Detective: Monitor server logs for scripting parameters.
  2. Detective: Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referer headers most of the time. These can help indicate that the actual request is illegitimate.
  3. Preventative: Apply appropriate input validation to filter all user-controllable input of scripting syntax.
  4. Preventative: Appropriately encode all browser output to avoid scripting syntax.
  5. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Attack Prerequisites
Application permitting the inclusion or use of IMG tags
Typical Likelihood of Exploit
Likelihood: High
Techniques for discovery of XSS as well as tools and means to exploit them are fairly widely available and understood.
Methods of Attack
Injection
Examples-Instances
An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags.
A malicious user can embed JavaScript in the IMG tags in his messages that gets executed within the victim's browser whenever the victim reads these messages.
The malicious user can leverage Cross Site Scripting in image tags to steal sensitive information, such as usernames, passwords or cookies, and impersonate other users on the forum.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Besides the ability to figure out possibilities of injection, the attacker requires moderate scripting skills to successfully leverage cross site scripting in image tags.
Resources Required
None
Solutions and Mitigations
In addition to the traditional input fields, all other user-controllable inputs, such as image tags within messages or the like, must also be subjected to input validation. Such validation should ensure that content that can potentially be interpreted as script by the browser is appropriately filtered.
All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.
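The two mitigations above (validate image-tag input, escape all other output) as an added Python example, not part of the CAPEC entry: a forum message is re-serialised so that only an <img> rebuilt from an allow-list (src restricted to absolute http/https URLs, plus alt) survives, and every other piece of markup is escaped. The attribute allow-list and the choice to drop an <img> without an acceptable src are assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list of <img> attributes that may survive (constructed for this example).
ALLOWED_IMG_ATTRS = ("src", "alt")

def safe_src(url):
    # Only absolute http(s) URLs: javascript:/data: schemes and a bare src=x
    # (used to force an onerror handler) never reach the browser.
    parts = urlparse(url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)

class ImgOnlySanitizer(HTMLParser):
    """Re-serialise a message so the only markup that survives is an <img>
    rebuilt from allow-listed attributes; everything else is HTML-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            # Any other element is kept for the reader as escaped text only.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = {}
        for name, value in attrs:
            if name not in ALLOWED_IMG_ATTRS or value is None:
                continue  # onerror=, onload=, style=, ... never survive
            if name == "src" and not safe_src(value):
                continue
            kept[name] = value
        if "src" not in kept:
            return  # an <img> without an acceptable src is dropped entirely
        attr_text = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<img{attr_text}>")

    def handle_endtag(self, tag):
        if tag != "img":
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text content never becomes markup

def sanitize_message(text):
    parser = ImgOnlySanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

A payload that only survives because a closing ">" is inserted after the image (the pattern in the Sage report below) ends up as escaped text too, since the script element is never emitted as markup.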
Attack Motivation-Consequences
Run Arbitrary Code
Information Leakage
Injection Vector
User-controllable input to the application. Any input that can legitimately accept and render an HTML image tag can be used as an injection vector.
Payload
HTML Image tag pointing to script or location of attacker's choice.
Activation Zone
Victim's web browser.
Payload Activation Impact
Execution of the script in the victim's browser, contained in the image tag or
from the location pointed to within the image tag.
Cross-site scripting (XSS) vulnerability in Meunity Community System
1.1 allows remote attackers to inject arbitrary web script or HTML via
JavaScript in an IMG tag when creating a topic.
CVE-2006-6919
Firefox Sage extension 1.3.8 and earlier allows remote attackers to
execute arbitrary JavaScript in the local context via an RSS feed with
an img tag containing the script followed by an extra trailing
">", which Sage modifies to close the img element before the
malicious script.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.