Home/ Questions/Q 590549
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T15:32:30+00:00

From ha.ckers.org/xss.html : IMG Embedded commands – this works when the webpage where this

  • 0

From ha.ckers.org/xss.html:

IMG Embedded commands – this works
when the webpage where this is
injected (like a web-board) is behind
password protection and that password
protection works with other commands
on the same domain. This can be used
to delete users, add users (if the
user who visits the page is an
administrator), send credentials
elsewhere, etc…. This is one of the
lesser used but more useful XSS
vectors:

<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">

or:

Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

I allow users to post images in the forum. How can this be protected against?

I’m using Java Struts but any generic answers are welcome.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you follow the rules of the HTTP specification, such a kind of attack will make no harm. The section 9.1.1 Safe Methods says:

    […] GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered “safe”. This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

    Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.

    So all requests that change data on the server side should only be allowed via POST. And even there you should only allow those requests that your system has authenticated by generating tokens that are only valid for a specific form/action.

    • 0