[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] img src , cant get it!

From: "Esteban RibiÄiÄ" <kisero@xxxxxxxxx>
Subject: [WEB SECURITY] img src , cant get it!
Date: Mon, 1 Jan 2007 15:45:53 +0000

------=_Part_123203_6994239.1167666353964
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

hi,

I'm testing some web app we have in our office which are about to be public.
Users can upload images, i tried uploading an image with this content:

"<IMG
SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>"

expecting an XSS alert to be displayed...

if i request the image directly i get the alert("xss") ... but if the image
is requested from the the "profile" page , which has the href link to the
image, (where a href to the img exist) i get a 304 error...

can anyone explain or give me a reference where i can understand what is
wrong?

i know its a very simple case, well, i guess I'm just on the initial
learning path :-P

i wanted to test the input fields for tags like href, img, ', ", etc to see
if the code is vulnerable to more xss input (permanent or not) ... can
anyone recommend me an application? i was about to code something...but my
laziness is killing me :)

many thanks
have a great 2007

------=_Part_123203_6994239.1167666353964
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

<div>hi,</div>
<div>&nbsp;</div>
<div>I&#39;m testing some web app we have in our office which are about to be public. Users can upload images, i tried uploading an image with this content:</div>
<div>&nbsp;</div>
<div>&quot;&lt;IMG SRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;&gt;&quot;
</div>
<div>&nbsp;</div>
<div>expecting an XSS alert to be displayed...</div>
<div>&nbsp;</div>
<div>if i request the image directly i get the alert(&quot;xss&quot;) ... but if the image is requested from the the &quot;profile&quot; page , which has the href link to the image, (where a href to the img exist) i get a 304 error...
</div>
<div>&nbsp;</div>
<div>can anyone explain or give me a reference where i can understand what is wrong? </div>
<div>&nbsp;</div>
<div>i know its a very simple case, well, i guess I&#39;m just on the initial learning path :-P</div>
<div>&nbsp;</div>
<div>i wanted to test the input fields for tags like href, img,&nbsp;&#39;, &quot;, etc to see if the code is vulnerable to more xss input (permanent or not) ... can anyone recommend me an application? i was about to code something...but my laziness is killing me :)
</div>
<div>&nbsp;</div>
<div>many thanks</div>
<div>have a great 2007</div>
<div>&nbsp;</div>
<div>&nbsp;</div>

------=_Part_123203_6994239.1167666353964--

Prev by Date: [WEB SECURITY] Vulnerability Scanners Review Published
Next by Date: [WEB SECURITY] Google’s blacklisted url database (phishing url database)
Previous by thread: [WEB SECURITY] Vulnerability Scanners Review Published
Next by thread: RE: [WEB SECURITY] img src , cant get it!
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site