
In a scenario where an attacker has control over the src attribute of an img HTML tag, they could easily inject a simple JavaScript XSS payload like the following:

<img src="javascript:alert(1)">

The attacker cannot manage to leave the src context. For example, the code that causes the above could be similar to the following:

// Make a new image element
const img = document.createElement('img');
// Set its source straight from the URL fragment (attacker-controlled)
img.src = location.hash.substring(1);

// The URL is controlled by the attacker, so the hash can be whatever they want. For example:
// https://ourserver.com/stuff#javascript:alert(1)

If you try to run the example scenario above in your own browser, you will probably observe that nothing happens. This is because JavaScript has apparently been deprecated in the src (after IE version 6) and style (after IE version 10) attributes in img tags. The issue with this is that I could not manage to find any explicit rule that says that a browser should not execute JavaScript in this context (as it is a URI, it should be valid).

This all leads me to the big question: is this example code secure? Is there any spec that details that in all future browser versions, JavaScript should not execute in src or script tags? Yes, there are many answers (see above) on Security SE that mention that XSS should not happen in these cases, but is there a guarantee?

Xiddoc
  • Related: https://security.stackexchange.com/questions/135513/what-could-an-img-src-xss-do/135518 – mti2935 Dec 30 '21 at 13:32
  • Very helpful, thank you! The CSRF exploit usage sounds interesting (`src="/deleteUser"`), but none of the other answers seemed to detail a working example of XSS, or at least the opposite (a guarantee that a browser should NOT execute JS in the `src` context). I tested out the SVG context exploit myself, but all possible JS contexts seem to be [patched](https://www.w3.org/Graphics/SVG/IG/resources/svgprimer.html#SVG_image) (such as `onmouseover`, etc.). – Xiddoc Dec 30 '21 at 13:59

1 Answer

The HTML spec states that the src attribute must point to a valid image resource that is neither paged nor scripted.

The src attribute must be present, and must contain a valid non-empty URL potentially surrounded by spaces referencing a non-interactive, optionally animated, image resource that is neither paged nor scripted.

...

However, these definitions preclude SVG files with script, multipage PDF files, interactive MNG files, HTML documents, plain text documents, and the like.

Whether a future browser complies with this or not is a different story.

nobody
  • Thank you! I'd like to think that major browsers generally tend to stay within the boundaries of the spec, right? – Xiddoc Dec 30 '21 at 20:24
  • @Xiddoc Hopefully they do, but you never know when an overworked dev decides to comment out a line of code because it is causing a weird [heisenbug](https://en.wikipedia.org/wiki/Heisenbug) and no one notices for a couple of years. Plus, specs can change (although this particular one is not likely to change since it seems security related.) – nobody Dec 30 '21 at 20:36
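The practical answer to "is there a guarantee?" is not to need one. The following is an added example, not code from the question or the answer above: it takes the question's `img.src = location.hash.substring(1)` snippet and hardens it so that the page, rather than the browser's current handling of `javascript:` in `<img src>`, decides which URLs may be loaded. It assumes a hypothetical site at `https://ourserver.com` that only ever displays images from `https://images.ourserver.com`; both hostnames, the function names and the sample inputs are constructed for this example.

```javascript
// Added example (not code from the original question or answer): a hardened
// version of the "img.src = location.hash.substring(1)" pattern.  Rather than
// relying on every current and future browser refusing javascript: in an
// <img src>, the page itself decides which URLs are acceptable.
//
// Assumptions (hypothetical): the page is served from https://ourserver.com
// and only ever needs to display images hosted on https://images.ourserver.com.

const ALLOWED_PROTOCOLS = new Set(['https:']);
const ALLOWED_IMAGE_HOSTS = new Set(['images.ourserver.com']);

// Returns a normalised absolute URL string if `raw` is acceptable as an image
// source, otherwise null.  `base` is the document URL used to resolve
// relative references (location.href in a real page).
function safeImageUrl(raw, base) {
  let url;
  try {
    url = new URL(raw, base); // throws on unparsable input
  } catch (e) {
    return null;
  }
  // Scheme allow-list: this is what rules out javascript:, data:, vbscript:,
  // file: and friends, independent of how a particular browser treats them.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Host allow-list: blocks src="/deleteUser"-style CSRF requests against our
  // own origin, and stops the attacker pointing the tag at a host they control.
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) return null;
  // No embedded credentials; a fragment is meaningless for an image fetch.
  if (url.username !== '' || url.password !== '') return null;
  url.hash = '';
  return url.href;
}

// Equivalent of the snippet in the question, but only assigns a vetted URL.
// `doc` and `loc` are passed in so the function can be exercised outside a
// browser; in a page you would call loadImageFromHash(document, location).
function loadImageFromHash(doc, loc) {
  const src = safeImageUrl(loc.hash.substring(1), loc.href);
  if (src === null) return null; // ignore anything not on the allow-list
  const img = doc.createElement('img');
  img.src = src;
  doc.body.appendChild(img);
  return img;
}

// Constructed sample fragments (not from the page) showing what gets through.
const SAMPLE_FRAGMENTS = [
  'javascript:alert(1)',                       // the question's payload
  'data:image/svg+xml,<svg/onload=alert(1)>',  // scripted SVG via data:
  '/deleteUser',                               // same-origin CSRF from the comments
  '//evil.example/track.gif',                  // protocol-relative, foreign host
  'https://images.ourserver.com/cat.png#x',    // legitimate image, fragment dropped
];

// Returns [fragment, result] pairs; result is null for rejected inputs.
function classifySamples(base = 'https://ourserver.com/stuff') {
  return SAMPLE_FRAGMENTS.map((raw) => [raw, safeImageUrl(raw, base)]);
}

if (typeof document === 'undefined') {
  // Running under Node rather than in a page: print the verdicts.
  for (const [raw, result] of classifySamples()) {
    console.log(`${result === null ? 'REJECT' : 'ALLOW '} ${raw}${result ? ' -> ' + result : ''}`);
  }
}
```

Only the last sample survives. The scheme allow-list is the part that answers the question directly: `javascript:`, `data:` and any scheme a future browser might start honouring are rejected before the string ever reaches `img.src`. The host allow-list is what closes the `src="/deleteUser"` CSRF variant from the comments. As a browser-enforced backstop, a Content-Security-Policy `img-src` directive restricted to the same image host limits what an `<img>` can fetch even if this check were bypassed.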