Little bit confused on XSS
So recently I've been playing Google's XSS App Game. One of the levels, you have to run an alert using an image on the website. For example you use inspect element to turn <img src="meme.jpg"> into <img src="gibberish" onerror="javascript:alert('123');"> which runs an alert that says 123.
I'm confused, how is this really XSS?
There's a thread about it on stackexchange here: http://security.stackexchange.com/questions/135513/what-could-an-img-src-xss-do It's also a perfect vector for CSRF, and could be used to do almost anything, if the site in question hasn't protected everything dangerous with tokens. Plus with CSRF it's all done silently in the background so the victim would be none the wiser.
at810 wrote: the image does not exist, so the error function will be handled by javascript, thus making an XSS exploit inside the function will lead to XSS exploitation. i don't think that this is a real XSS exploitation !!
The onerror is a JavaScript event; hence JavaScript is executed. The exploit is not in the JavaScript event (on error) as you said, but the app doesn't properly sanitise your input. Also for OP, you don't need the whole onerror="javascript:alert(1)". You have an image that doesn't exist and you say to JavaScript, in case of an error, alert(1), so onerror="alert(1)" will do the trick.
Edited: Btw that's stored XSS and it's real AF, I don't get at810's point :|
pawnflow wrote: Wait, so you can actually do that to cause damage by just editing the image tags?
Okay, let's analyse your payload:
<img src="meme.jpg"> into <img src="gibberish" onerror="javascript:alert('123')">
You don't really need all that, so I've shortened it in order to explain:
<img src="meme.jpg" onerror=alert(1)>
The app reflects HTML characters, meaning you may inject HTML (and JavaScript) code. In my example you insert an image (<img src="meme.jpg"). Remember that this is stored as a comment (we'll need that). Your browser will make a legit request to the server and the server will happily reply. The response is the actual source code of the page, which you can access by pressing CTRL+U, where it includes text and instructions for how the page should look in your browser. So, your browser will go through the source code and will show you exactly what the server sent. But remember that your comment will be included in the response.
To understand that better, imagine you make a comment here in HBH and after a while someone replies to that comment. When you refresh the page, your browser will send a request to the server and the server will respond with the source code, which will include the new comment. (Note that Google is smart and your payload is not actually reflected in their challenges.)
I hope you've understood that so far.
Your browser is not smart and blindly trusts the response from the server, so when it reads the line in the source code that includes the "<img src="meme.jpg"" it will present you the meme.jpg image. The problem here is that when it requests the meme.jpg image from the server, the server will reply with "i have no fucking idea what is that" since that's not an actual file that exists on the server. So your browser will show you a "broken" image icon.
Now comes the second part of the payload: onerror=alert(1)>
Here you call a JavaScript event which, in case of an error, will alert 1. Remember that you already have a broken image icon, which is considered an error.
So your browser will request the image, server replies with "wtf dude", browser shows broken icon, browser uses JavaScript to check for errors, finds broken icon, alerts 1.
alert(1) is just an example. You could have any kind of JavaScript payload. For example instead of 1 you could say alert(document.cookie) which will alert your cookie. Or you could use JavaScript to redirect the user to another website.
Note that if you manage to do that in a public forum, every user's browser that requests that page will get a response with the malicious comment in it and will execute it. (stored XSS)
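The root cause named above is that the app echoes the stored comment into the page without encoding it. As an added illustration (not code from the thread, the game, or HBH), here is a vulnerable comment renderer beside the hardened one, plus a defender-side check for inline event handlers in rendered output; the comment text is the thread's own shortened payload, and the function and variable names are mine.

```python
import html
import re

# Constructed sample: the shortened payload discussed in the thread, as it
# would sit in the comments table after being posted.
STORED_COMMENT = '<img src="meme.jpg" onerror=alert(1)>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: user text is concatenated straight into the page.
    The browser parses the <img> tag, fails to load meme.jpg and runs onerror."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode user text at output time (for an HTML body
    context). The browser then displays the literal characters '<img ...>'
    and never creates an element, so no event handler exists to fire."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


# A tag whose attribute list contains an inline on* handler (onerror, onload, ...).
EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def contains_inline_handler(rendered_html: str) -> bool:
    """Defender-side check over rendered output: True if any tag carries an
    inline on* event handler, which should never originate from user text."""
    return EVENT_HANDLER.search(rendered_html) is not None


if __name__ == "__main__":
    for name, render in (("unsafe", render_comment_unsafe),
                         ("safe", render_comment_safe)):
        out = render(STORED_COMMENT)
        print(f"{name}: {out}")
        print("  inline handler present:", contains_inline_handler(out))
```

The unsafe renderer emits the tag intact and the check flags it; the safe renderer emits `&lt;img src=&quot;meme.jpg&quot; onerror=alert(1)&gt;` and the check passes.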