views: 25
answers: 1

On my site, I want to allow users to add references to images which are hosted anywhere on the internet. These images can then be seen by all users of my site. As far as I understand, this could open the risk of cross site scripting, as in the following scenario: User A adds a link to a gif which he hosts on his own webserver. This webserver is configured in such a way that it returns javascript instead of the image. User B opens the page containing the image. Instead of seeing the image, javascript is executed.

My current security measures are such that both on save and open, all content is encoded. I am using asp.net (c#) on the server and a lot of jquery on the client to build ui elements, including the generation of image tags.

Is this fear of mine correct? Am I missing any other important security loopholes here? And most important of all, how do I prevent this attack? The only secure way I can think of right now is to webrequest the image url on the server and check if it contains anything other than binary data...

A: 

Checking that the file is indeed an image won't help. An attacker could return one thing when the server requests it and another when a potential victim makes the same request.

Having said that, as long as you restrict the URL to only ever be printed inside the src attribute of an img tag, then you have a CSRF flaw, but not an XSS one.

Someone could for instance create an "image" URL along the lines of: http://yoursite.com/admin/?action=create_user&un=bob&pw=alice Or, more realistically but more annoyingly: http://yoursite.com/logout/

If all sensitive actions (logging out, editing profiles, creating posts, changing language/theme) have tokens, then an attack vector like this wouldn't give the user any benefit.

But going back to your question; unless there's some current browser bug I can't think of, you won't have XSS. Oh, remember to ensure their image URL doesn't include odd characters, i.e. an image URL of "><script>alert(1)</script><!-- may obviously have bad effects. I presumed you know to escape that.

Sid
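As an added example (not code from the question or the answer above), the two client-side checks the answer calls for when jQuery builds the image tag: only accept absolute http(s) URLs, and attribute-encode the value before it lands inside `src`. The vulnerable concatenation is shown beside the hardened version; the function names are assumptions.

```javascript
// Added example: validating a user-supplied image URL and emitting it
// safely inside <img src="...">. Runs under Node or in a browser.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse the user's input with the WHATWG URL parser. Returns the normalised
// absolute URL, or null when it is not an acceptable image location.
function validateImageUrl(input) {
  let parsed;
  try {
    parsed = new URL(String(input));
  } catch (e) {
    return null; // relative paths and junk like "><script>... are not absolute URLs
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null; // rejects javascript:, data:, vbscript:
  if (parsed.username || parsed.password) return null;    // reject embedded credentials
  return parsed.href; // the parser percent-encodes ", <, > and friends in the path
}

// Encode a value for use inside a double-quoted HTML attribute.
function encodeAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: raw string concatenation lets the value close the
// attribute and the tag, which is exactly the "><script> case in the answer.
function buildImgTagUnsafe(url) {
  return '<img src="' + url + '">';
}

// Hardened: validate first, then attribute-encode what is left.
// Returns null when the URL was rejected so the caller can show an error.
function buildImgTagSafe(url) {
  const ok = validateImageUrl(url);
  if (ok === null) return null;
  return '<img src="' + encodeAttribute(ok) + '" alt="">';
}

// When a DOM is available, prefer the DOM API over building markup strings:
//   const img = document.createElement("img"); img.src = ok; container.appendChild(img);
```

Note that neither check addresses the CSRF point in the answer: a validated http URL can still point at `/logout/`, so sensitive actions on your own site need per-request tokens regardless.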