ha.ckers sla.cking
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
img tag question
Posted by: kcanis
Date: January 14, 2008 05:43PM

I have a couple of questions about image tags, I wanna make sure I have this
right regarding the attacks associated with img tags from a CSRF and XSS

Ok, so let's assume we have a form where users can input a URL to an image in
a text area, let's say using an actual '<img>' tag.

So the options are:

1. The web app fails to validate the src attribute for the image, allowing:

* CSRF against the web application itself, via a GET request
* CSRF against another site the user has valid session with.

This would be mitigated by validating that the URL appears to point to an image.

2. The web app fails to sanitize javascript in the src or other attributes

* General XSS attack
* Cookie/Session stealing against the app

This would be mitigated by sanitizing and removing any JavaScript in the tag.

3. The web app links to images and loads them from an untrusted site

* Info regarding the browser and user's IP is sent to the untrusted
* Linking to something that isn't an image, and loading it.

So can you put anything else in the src attribute of an image tag besides
an image and have the browser do anything with it? I tried some experiments
and didn't have any luck.

Am I missing anything?



Re: img tag question
Posted by: Anonymous User
Date: January 18, 2008 10:09AM

It's better to mitigate this by double confirming a sensitive action, e.g. regenerate a session and ask a password again before deleting a whole account, such stuff u know.

Re: img tag question
Posted by: Anonymous User
Date: January 18, 2008 10:13AM

'cuze me 4 the double post, but I h8 2 edit a post:

BTW: Images and scripts can follow 302's thereby it's not always possible to determine it was an image that performed the request.


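An added example, not code from any poster in this thread: a server-side filter for the user-supplied `<img>` tag covering items 1 and 2 of the first post (the GET back into the application, and script in `src` or other attributes). `APP_HOST` and the sample hosts are assumptions made up for the illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

APP_HOST = "forum.example"  # assumption: host serving the form; user images never live on it

class _ImgSrc(HTMLParser):
    """Collect the src of every <img>; all other attributes are discarded."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.append(dict(attrs).get("src") or "")

def normalise(src):
    # Browsers drop tab/CR/LF inside a URL and trim surrounding C0 controls and
    # spaces, so the scheme check must look at the URL the same way.
    return re.sub(r"[\t\r\n]", "", src).strip("".join(map(chr, range(0x21))))

def reject_reason(src):
    """Return why src is refused, or None if it passes the static checks."""
    url = normalise(src)
    if "\\" in url:
        return "backslash (browsers read it as '/', urlsplit does not)"
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return "scheme is not http/https"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "no host"
    if host == APP_HOST:
        return "GET request back into the application"
    return None

def rebuild_img(user_html):
    """Re-emit a clean <img> built only from a vetted src, or None if refused."""
    parser = _ImgSrc()
    parser.feed(user_html)
    parser.close()
    if len(parser.srcs) != 1 or reject_reason(parser.srcs[0]):
        return None
    # Only src survives; onerror, style and every other attribute are gone.
    return '<img src="%s" alt="">' % html.escape(normalise(parser.srcs[0]), quote=True)
```

A URL such as `http://other.example/logout.png` passes every check here, which is the limit raised in the last reply: a static look at the URL cannot see what the remote server answers, a 302 included.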