Name XSS in IMG Tags
Summary Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.
Prerequisites Application permitting the inclusion or use of IMG tags
Solutions In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered. All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.
Related Weaknesses
CWE ID Description
CWE-20 Improper Input Validation
CWE-71 DEPRECATED: Apple '.DS_Store'
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
CWE-692 Incomplete Blacklist to Cross-Site Scripting
CWE-697 Incorrect Comparison
CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Back to Top