CAPEC-91 - XSS in IMG Tags

Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 1
  • Injection
  • Purposes 2
  • Penetration
  • Exploitation
  • Sec Principles 2
  • Reluctance To Trust
  • Defense In Depth
  • Scopes 2
  • Execute unauthorized code or commands
  • Availability
  • Integrity
  • Confidentiality
  • Read application data
  • Confidentiality

Medium level: Besides the ability to figure out possibilities of injection, the attacker requires moderate scripting skills to successfully leverage cross site scripting in image tags

Application permitting the inclusion or use of IMG tags

None

Never Use Unvalidated Input as Part of a Directive to any Internal Component

Treat the Entire Inherited Process Context as Unvalidated Input

Step 1 - Spider

Using a browser , an attacker is looking at the application to figure out if it allows to specify images, upload them, etc..

Tecnique ID: 1 - Environment(s) env-Web

Use a browser to manually explore the website and identify entry points where the application allows the upload (or other means of specification) of images. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

The application has image upload functionality.

Indicator ID: 2 - Environment(s) env-Web

Type: Positive

The application allows users to point to or otherwise specify images.

Indicator ID: 3 - Environment(s) env-Web

Type: Inconclusive

No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.

Indicator ID: 4 - Environment(s) env-Web

Type: Negative

Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.


Security Control ID: 1

Type: Preventative

Do not allow user upload or specification of images

Security Control ID: 2

Type: Preventative

Proceed to a temporary account lockout when the user does too many suspicious attempts using image upload.


Outcome ID: 1

Type: Success

A list entry points where images can be specified.



Step 1 - Probe identified potential entry points for XSS vulnerability

The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited..

Tecnique ID: 1 - Environment(s) env-Web

Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.

Tecnique ID: 2 - Environment(s) env-Web

Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.

Tecnique ID: 3 - Environment(s) env-Web

Use a proxy tool to record results of the created requests.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

The output of pages includes image tags specified by users.

Indicator ID: 2 - Environment(s) env-Web

Type: Positive

Output to the browser is not encoded to remove executable scripting syntax.


Security Control ID: 1

Type: Detective

Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.

Security Control ID: 2

Type: Preventative

Apply appropriate input validation to filter all user-controllable input of scripting syntax

Security Control ID: 3

Type: Preventative

Appropriately encode all browser output to avoid scripting syntax

Security Control ID: 4

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.


Outcome ID: 1

Type: Success

The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.)

Outcome ID: 2

Type: Failure

All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute.

Outcome ID: 3

Type: Inconclusive

Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings.



Step 1 - Steal session IDs, credentials, page content, etc.

As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on..

Tecnique ID: 1 - Environment(s) env-Web

Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.

Tecnique ID: 2 - Environment(s) env-Web

Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.

Security Control ID: 1

Type: Detective

Monitor server logs for scripting parameters.

Security Control ID: 2

Type: Detective

Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.

Security Control ID: 3

Type: Preventative

Apply appropriate input validation to filter all user-controllable input of scripting syntax

Security Control ID: 4

Type: Preventative

Appropriately encode all browser output to avoid scripting syntax

Security Control ID: 5

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.


Outcome ID: 1

Type: Success

The attacker gets the user's cookies or other session identifiers.

Outcome ID: 2

Type: Success

The attacker gets the content of the page the user is viewing.

Outcome ID: 3

Type: Success

The attacker causes the user's browser to visit a page with malicious content.


Step 2 - Forceful browsing

When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not)..

Tecnique ID: 1 - Environment(s) env-Web

Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site

Tecnique ID: 2 - Environment(s) env-Web

Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).

Security Control ID: 1

Type: Detective

Monitor server logs for scripting parameters.

Security Control ID: 2

Type: Detective

Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.

Security Control ID: 3

Type: Preventative

Apply appropriate input validation to filter all user-controllable input of scripting syntax

Security Control ID: 4

Type: Preventative

Appropriately encode all browser output to avoid scripting syntax

Security Control ID: 5

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.


Outcome ID: 1

Type: Success

The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.

Outcome ID: 2

Type: Success

The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.


Step 3 - Content spoofing

By manipulating the content, the attacker targets the information that the user would like to get from the website..

Tecnique ID: 2 - Environment(s) env-Web

Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.

Security Control ID: 1

Type: Detective

Monitor server logs for scripting parameters.

Security Control ID: 2

Type: Detective

Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.

Security Control ID: 3

Type: Preventative

Apply appropriate input validation to filter all user-controllable input of scripting syntax

Security Control ID: 4

Type: Preventative

Appropriately encode all browser output to avoid scripting syntax

Security Control ID: 5

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.


Outcome ID: 1

Type: Success

The user sees a page containing wrong information



In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered.

All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.