Reputation: 626
I recently found out XSS is a big threat to my site. I have set up several measures to prevent that, like filtering user input and stripping out anything related to JavaScript.
But I recently found out that JavaScript can be encoded into hex code that can be used in an HTML img tag. I tried to make it myself; I found this on an XSS prevention site:
<img src=javascri pt:alert(' XSS')>
This code is JavaScript:
javascript:alert('XSS');
The problem is, this code is not working properly; I can't test it out to see if this kind of stuff really works.
here's the js fiddle: http://jsfiddle.net/CCgT3/
The problem is it should be outputted as
<img src="javascript:alert('XSS')">
But the fiddle shows something like this (Firebug):
<img XSS')="" pt:alert('="" src="javascri">
Is there something wrong with the hex?
Upvotes: 1
Views: 4133
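Added example, not part of the question or the answer: a server-side check in JavaScript that resolves HTML character references the way the browser's parser does before looking at the URL scheme, so a hex-encoded spelling of javascript: in an attribute is caught rather than waved through by a filter that only searches the raw text for the word. The function names and the sample values are constructed for this illustration; the allow-list approach applies to any URL-valued attribute (href, src and so on).

```javascript
// Added example: resolve character references and tab/newline as the browser
// does, then allow-list the URL scheme instead of searching raw text for "javascript".
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Resolve character references: &#x6A; (hex), &#106; (decimal), &amp; (named).
function decodeHtmlAttribute(value) {
  return value.replace(/&(#x[0-9a-f]+;?|#[0-9]+;?|[a-z]+;)/gi, (match, ref) => {
    const body = ref.replace(/;$/, '');
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// Read the scheme as the URL parser would: trim leading/trailing C0 controls
// and spaces, drop ASCII tab/LF/CR anywhere, then take the text before ':'.
function urlScheme(decoded) {
  const cleaned = decoded
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

const ALLOWED_SCHEMES = new Set(['http', 'https']);

// Allow-list decision: relative URLs (no scheme) and permitted schemes pass;
// anything else, including every spelling of javascript:, is rejected.
function isSafeUrlAttribute(rawValue) {
  const scheme = urlScheme(decodeHtmlAttribute(rawValue));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed inputs: raw attribute text as it would appear in submitted HTML.
const SAMPLES = {
  'https://example.com/a.png': true,
  '/images/a.png': true,
  '&#x6A;avascript:alert(1)': false,   // hex reference for the first letter
  'java&#x09;script:alert(1)': false,  // encoded tab inside the scheme
  '  JaVaScRiPt:alert(1)': false,      // leading spaces and mixed case
};

function checkSamples() {
  return Object.entries(SAMPLES).every(([raw, ok]) => isSafeUrlAttribute(raw) === ok);
}
```

The decode step is what a literal-string filter is missing: it must run before any keyword or scheme check, and the scheme check should be an allow list rather than a deny list.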
Reputation: 1544
Try to remove the spaces in the src attribute:
<img src=javascript:alert('XSS')>
Then it should work.
Upvotes: 3