Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Little bit confused on XSS


pawnflow's Avatar
Member
0 0

So recently I've been playing Google's XSS App Game. On of the levels, you have to run an alert using an image on the website. For example you use inspect element to turn <img src="meme.jpg"> into <img src="gibberish" onerror="javascript:alert('123');"> which runs an alert that says 123.

I'm confused, how is this really XSS?

Link: https://xss-game.appspot.com/


MingBomb's Avatar
Member
0 0

On its own it's not particularly dangerous, but you could use it for CSRF, or to call external js, and then it would become more of an issue.


at810's Avatar
Member
0 0

the image does not exist , so the error function will be handled by javascript , thus making an XSS exploit inside the function will lead to XSS exploitation .i don't think that this is a real XSS exploitation !!


gobzi's Avatar
Member
10 0

at810 wrote: the image does not exist , so the error function will be handled by javascript , thus making an XSS exploit inside the function will lead to XSS exploitation .i don't think that this is a real XSS exploitation !!

The onerror is a javascript event; hence javascript is executed. The exploit is not in the javascript event (on error) as you said, but the app doesn't properly sanitise your input. Also for OP, you don't need the whole onerror="javascript:alert(1)". You have an image that doesn't exist and you say to javascript, in case of an error alert(1), so onerror="alert(1)" will do the trick.

Edited: Btw that's stored XSS and it's real AF, i don't get at810's point :|


pawnflow's Avatar
Member
0 0

Wait, so you can actually do that to cause damage by just editing the image tags?


gobzi's Avatar
Member
10 0

pawnflow wrote: Wait, so you can actually do that to cause damage by just editing the image tags?

Okay let's analyse your payload

<img src="meme.jpg"> into <img src="gibberish" onerror="javascript:alert('123')">

You don't really need all that, so I've shorten it in order to explain

<img src="meme.jpg" onerror=alert(1)>

The app reflects html characters meaning you may inject HTML(and Javascript) code. In my example you insert an image (<img src="meme.jpg"). Remember that this is stored as a comment (we'll need that). Your browser will make a legit request to the server and the server will happily reply. The response is the actual source code of the page, which you can access by pressing CTRL+U, where it includes text and instructions of how the page should look like in your browser. So, your browser will go through the source code and will show you exactly what the server sent. But remember that your comment will be included in the response.

To understand that better, imagine you make a comment here in HBH and after a while someone replies to that comment. When you refresh the page, your browser will send a request in the server and the server will respond with the source code which will include the new comment. (Note that Google is smart and your payload is not actually reflected in their challenges.)

I hope you've understood that so far.

Your browser is not smart and blindly trusts the response from the server so when it will read the line in the source code that includes the "<img src="meme.jpg"" it will present you the meme.jpg image. The problem here is that when it will request the meme.jpg image from the server, the server will reply with "i have no fucking idea what is that" since that's not an actual file that exists in the server. So your browser will show you a "broken" image icon.

Now comes the second part of the payload onerror=alert(1)>

Here you call a javascript event which in case of an error it will alert 1. Remember that you already have a broken image icon which is considered an error.

So your browser will request the image, server replies with "wtf dude", browser shows broken icon, browser uses javascript to check for errors, finds broken icon, alerts 1.

alert(1) is just an example. You could have any kind of javascript payload. For example instead of 1 you could say alert(document.cookie) which will alert your cookie. Or you could use javascript to redirect the user in another website.

Note that if you manage to do that in a public forum every user's browser that requests that page will get a response with the malicious comment in it and will execute it. (stored xss)


pawnflow's Avatar
Member
0 0

Sorry for the late response, pretty helpful info there. Thanks.