| Attack Pattern ID | Pattern Abstraction: Detailed 91 |
| Typical Severity | High |
| Description | Summary
Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.
|
| Attack Prerequisites | Application permitting the inclusion or use of IMG tags |
| Typical Likelihood of Exploit |
High
Techniques for discovery of XSS as well as tools and means to exploit them are fairly widely available and understood
|
| Methods of Attack | |
| Examples-Instances | Description An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags.
A malicious user can embed JavaScript in the IMG tags in his messages that get executed within the victim's browser whenever the victim reads these messages.
The malicious user can leverage Cross Site Scripting in image tags to steal sensitive information, such as usernames, passwords or cookies, and impersonate other users on the forum. |
| Attacker Skill or Knowledge Required | Medium: Besides the ability to figure out possibilities of injection, the attacker requires moderate scripting skills to successfully leverage cross site scripting in image tags |
| Resources Required | None |
| Solutions and Mitigations | In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered. All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed. |
| Attack Motivation-Consequences | - Run Arbitrary Code
- Information Leakage
|
| Context Description |
It is a misconception that Cross Site Scripting can be perpetrated only through input fields, such as text boxes or select fields.
Image tags can be equally well abused to inject script into the victim's browser. The "src" attribute within the IMG tags points to the source of the image to be displayed.
Since the source attribute allows the victim's browser to request content from locations other than the original server, an attacker can make this attribute point to a location of his choosing. Making the victim point to such a location is accomplished by the traditional means of having the victim click on a link; however, script execution can also be achieved by simply having the victim view a message on a bulletin board.
Second-order cross site scripting is the predominant means of script injection when using IMG tags.
|
| Injection Vector | User-controllable input to the application. Any input that can legitimately accept and render HTML image tag can be used as an injection vector. |
| Payload | HTML Image tag pointing to script or location of attacker's choice. |
| Activation Zone | Victim's web browser. |
| Payload Activation Impact | Execution of the script in the victim's browser, contained in the image tag or from the location pointed to within the image tag. |
| Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 82 | Failure to Sanitize Script in Attributes of IMG Tags in a Web Page | Targeted | | 79 | Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS)) | Targeted | | 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Secondary | | 20 | Insufficient Input Validation | Secondary |
|
| Related Vulnerabilities | | Vulnerability-ID | Vulnerability Description |
|---|
| CVE-2002-1808 | Cross-site scripting (XSS) vulnerability in Meunity Community System 1.1 allows remote attackers to inject arbitrary web script or HTML via JavaScript in an IMG tag when creating a topic. | | CVE-2006-6919 | Firefox Sage extension 1.3.8 and earlier allows remote attackers to execute arbitrary JavaScript in the local context via an RSS feed with an img tag containing the script followed by an extra trailing ">", which Sage modifies to close the img element before the malicious script. |
|
| Related Security Principles | - Reluctance To Trust
- Defense In Depth
|
| Related Guidelines | - Never Use Unvalidated Input as Part of a Directive to any Internal Component
- Treat the Entire Inherited Process Context as Unvalidated Input
|
| Purpose | Penetration Exploitation |
| CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
|
| Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| Client-Server | All | All | All |
|
| Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | | 2007-03-15 | First Draft |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise |
|
