Some pretty hopeless looking XSS... got any suggestions (other than 'move on')?
So, let's take a site that allows users to display avatars. This site explodes the avatar URL provided at any " or space, and the avatar has to end in .jpg, .gif or .png. Also, the avatar's input has to begin in http://
Now, it's rather easy to create an annoyance: original avatar url is http://avatarsgalore.com/myavatar.gif
so, we provide: http://avatarsgalore.com/myavatar'onerror='javascript:while(1==1){alert(document.cookie)}'.gif
and we've created an annoyance.
The trick? Implement a cookie stealer. Now, unless I'm mistaken, you cannot use any single quotes after onerror=' If you can, this becomes pragmatic at least. Right now, I see it as downright impossible.
Anyone got any suggestions?
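The filter described in the opening post, reconstructed as an added example (not code from the site or from anyone in the thread; the exact filter logic is an assumption from the post's description), beside a hardened version that validates the URL structurally and attribute-encodes it on output:

```python
import html
from typing import Optional
from urllib.parse import urlparse

ALLOWED_EXT = (".jpg", ".gif", ".png")


def weak_avatar_filter(url: str) -> Optional[str]:
    """Assumed reconstruction of the site's filter from the post:
    cut at the first '"' or space, require http:// and an image extension."""
    truncated = url.split('"', 1)[0].split(" ", 1)[0]
    if not truncated.startswith("http://"):
        return None
    if not truncated.lower().endswith(ALLOWED_EXT):
        return None
    return truncated


def render_weak(url: str) -> str:
    """The unsafe sink: the filtered value is dropped into a single-quoted attribute."""
    return f"<img src='{url}'>"


def hardened_avatar_filter(url: str) -> Optional[str]:
    """Validate structurally: no attribute-breaking characters anywhere,
    a real http(s) URL with a host, and an image extension on the path."""
    if any(ch in url for ch in "'\"<> "):
        return None
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if not parts.path.lower().endswith(ALLOWED_EXT):
        return None
    return url


def render_hardened(url: str) -> str:
    """Defence in depth: attribute-encode even an already-validated value."""
    return f'<img src="{html.escape(url, quote=True)}">'


# Constructed inputs: a normal avatar and the quote-breaking URL from the post.
GOOD = "http://avatarsgalore.com/myavatar.gif"
BAD = "http://avatarsgalore.com/myavatar'onerror='javascript:while(1==1){alert(document.cookie)}'.gif"

if __name__ == "__main__":
    print(render_weak(weak_avatar_filter(BAD) or ""))    # attribute broken out of
    print(hardened_avatar_filter(BAD))                     # None: rejected
    print(render_hardened(hardened_avatar_filter(GOOD)))   # safe, double-quoted tag
```

The weak filter never sees a single quote as dangerous, so the fix is to reject quotes (and angle brackets) on input and to encode the attribute on output regardless.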
sakarin wrote: add this line to your htaccess file
http://www.yourhost.com/images/cookie_stealer.php
when the website asks for your gif your host will send the php file and hopefully it will execute.
you can also rename your cookie_stealer.php to cookie_stealer.gif and it should run as a php..
This won't work, because the php or the js code, or whatever you thought would read the cookies, isn't being run on the target website, it's being run on www.yourhost.com.