Wednesday, April 7, 2010

An Interesting XSS

On another blog I was reading (SkullSecurity), the poster was talking about XSS attacks.  While these are common in many web applications today, it is hard to find an XSS that will prove useful.  There was also a discussion about creating an XSS within the HTML img tag.  Curious, I decided to see if I could replicate this, so on my Apache server I created a simple "Hello World" page.  In it I put the following:

    <img src="" />
   
I pulled up Google Chrome and loaded the web page to find nothing more than the words "Hello World" and a broken image.  Now I went back and adjusted the page with the following:

    <img onload="alert('XSS')" src="" />
   
Save and reload the page.  Sure enough, I'm greeted with the pop-up!  Now, before you go plotting world domination, there are some things to consider with this.  This may be a quick and dirty XSS trick, but it isn't as easy to get img tags into a web page.  I spent some time looking around for forums or other posting sites where I might be able to try this out more effectively, and there aren't many that I can find.  However, like the poster at SkullSecurity mentions, imagine getting this into a webpage without anyone detecting it.  This could cause a lot of damage and just goes to show why we should all take security seriously.  This won't work in IE8 or Firefox 3.6, which is why I used Chrome.  It will probably work, however, if you have an older browser.
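
An added example, not part of the original post: one way a site that accepts user-supplied `<img>` tags could keep handlers such as `onload` out of the rendered page, by rebuilding the markup from an allowlist instead of trying to spot bad input. The allowed tags and attributes, the http(s)-only `src` rule and the example.com URL are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: what a forum might let users post.
ALLOWED = {"b": set(), "i": set(), "p": set(), "img": {"src", "alt"}}
VOID = {"img"}  # tags that take no closing tag


def safe_src(url):
    # Fail closed: only absolute http(s) URLs, so javascript:, data:, etc. are dropped.
    return url.strip().lower().startswith(("http://", "https://"))


class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from parser events, keeping only allowlisted parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag dropped; any text inside is still escaped
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # onload, onerror, style, ... never reach the page
            if name == "src" and not safe_src(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed input modelled on the post's test page.
print(sanitize('<img onload="alert(\'XSS\')" src="https://example.com/a.png" />'))
```

Because the parser lowercases tag and attribute names before the allowlist check, `ONLOAD=` and other case variants are dropped the same way.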
