
XSS Avatar?


ghost

I found an older web forum that does not have very good filters on what exactly you're allowed to upload as an "avatar". I know that when you load a post or thread with someone's avatar on it, your browser goes to the site that's hosting that image to download it, but does that mean that you could trick their browser into executing some JavaScript that you have on your web server? If it goes there to get the image, can it be redirected to another site? I don't know what exactly can be done with this. Can you steal their cookies, or run any JavaScript of your choice because their browser is at your site anyway? Or is it only there for an image, and if there is no image then it just ignores the site and does nothing?
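
From the defender's side of this question, the following added example (not part of the original post and not any real forum's code) shows the avatar checks whose absence the post describes: restricting the URL scheme, confirming the bytes really are an image, and escaping the URL before it is placed in the `<img>` tag. All function names are hypothetical and the sample inputs are constructed.

```javascript
// Added example; all function names are hypothetical, sample inputs are constructed.
const IMAGE_MAGIC = [
  { type: "image/png", sig: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", sig: [0xff, 0xd8, 0xff] },
  { type: "image/gif", sig: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Allow only absolute http(s) URLs; other schemes and relative paths are refused.
function checkAvatarUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null;
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// Identify the file by its leading bytes instead of trusting its name or header.
function sniffImageType(bytes) {
  const hit = IMAGE_MAGIC.find(
    (m) => bytes.length >= m.sig.length && m.sig.every((b, i) => bytes[i] === b)
  );
  return hit ? hit.type : null;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Full decision: bytes come from an upload or a one-time server-side fetch (assumption).
function acceptAvatar(rawUrl, declaredType, bytes) {
  const href = checkAvatarUrl(rawUrl);
  if (!href) return { ok: false, reason: "url-scheme" };
  const sniffed = sniffImageType(bytes);
  if (!sniffed) return { ok: false, reason: "not-an-image" };
  if (sniffed !== declaredType) return { ok: false, reason: "type-mismatch" };
  return { ok: true, tag: `<img src="${escapeAttr(href)}" alt="avatar">` };
}

// Constructed samples: a PNG header, and an HTML page labelled as a PNG.
const pngBytes = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
const htmlBytes = new TextEncoder().encode("<html><body>not an image</body></html>");

console.log(acceptAvatar("https://img.example/a.png", "image/png", pngBytes));
console.log(acceptAvatar("https://img.example/a.png", "image/png", htmlBytes));
console.log(acceptAvatar("javascript:void(0)", "image/png", pngBytes));
```

Serving accepted files from a separate domain with the sniffed `Content-Type` and `X-Content-Type-Options: nosniff` keeps a mislabelled file from being interpreted as HTML.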