How to make an injection in img src="" more harmful with no CSP and trigger JS in an IMG tag

#1

Hello everyone,

When I upload an image as my profile picture, a PATCH request is sent to PATCH the image link of my profile picture, so whenever I open my profile the profile image is called by that link.

Now in that PATCH request I exchange the image link for my server IP (http://X.X.X.X:1337), and when someone opens my profile, my profile image is called, but as I exchanged the image link with my server IP, the application sends a GET request for the image to my server.

When the DOM is loaded it looks like: <img src="http://X.X.X.X:1337"> in the img tag.
There is no CSP enforced; the application calls any IP, socket, domain, or data URI.

  1. As the src is called for an image, even if I call a JS file it does not get executed; it gets stored as normal text.

  2. If I put an XSS payload, it is sent as an HTTP request.

  3. If I use the data URI scheme with SVG+XML with an XSS payload, the image is loaded but not the JavaScript.

Now how can I make it harmful? Currently I can only get the IP of the victim.

Thank you.

#2

Hey @Lethal,

Thanks for opening up discussion on getting XSS via an image tag where there’s CSP involved. I think it would be helpful as well if you can reveal the exact CSP header that is on the website that you’re working on.

Also, are you able to use JS events such as onerror to execute JS? Can you break out of the tag to create another tag?

  1. Just to call this out, it seems like there’s a CSP rule that only allows the browser to execute a src that is whitelisted. Unfortunately, this is hard to get around unless you can upload your JS file to a source within the whitelist.

  2. I’m not sure what you mean by this. Can you clarify?

  3. Again, I think we’d need more information on the exact CSP rule that is in place in the headers to give better information.

Here are some helpful sites that I use when I’m checking how to bypass CSP:

https://content-security-policy.com/

https://scotthelme.co.uk/csp-cheat-sheet/#base-uri

#3

Hello,

There is no CSP enforced. Even if I inject evil.com, it sends a GET request to it.

In the DOM it looks like img src="http://evil.com"

I am not able to break out of the src="" quotes to trigger XSS because the parameter which contains the image link is in JSON format; if I put a " it breaks the JSON format and the request is not accepted by the server.

#4

You may be out of luck here, unfortunately. Have you tried passing a \" or \\" in the image link to see if that breaks out in the HTML?

#5

Hello,

Yes, I tried a lot to break the HTML but it didn't work; the application makes a GET request for whatever is in the src="" double quotes,

e.g.: <img src="payload">

makes a request like http://program.com/payload to fetch the image.

Thanks for the help.
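From the application owner's side, the behaviour described in #1 and #5 (a PATCHed image link is stored and rendered verbatim into src, so any profile viewer's browser fetches an arbitrary URL, leaking the viewer's IP) is fixed by validating the link server-side against an allowlist of the site's own image hosts and by attribute-escaping the value when rendering, rather than by relying on the JSON layer to reject quotes. The following is an added example, not code from the forum or from the affected application; the field name image_link, the allowlisted hosts under program.com, and the 198.51.100.7 sample address are assumptions chosen for illustration.

```python
import html
import ipaddress
import json
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist: the hosts the application itself serves profile
# images from (assumed here, not taken from the thread).
ALLOWED_IMAGE_HOSTS = {"program.com", "images.program.com"}


def is_allowed_image_url(url: object) -> bool:
    """Return True only for an https URL whose host is on the allowlist."""
    if not isinstance(url, str) or len(url) > 2048:
        return False
    parts = urlsplit(url)
    # Rejects http://, data:, javascript:, and scheme-relative (//host) values.
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    # A bare IP literal (an external server) is never an acceptable image host.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    # Credentials in the authority part are never legitimate for an image CDN.
    if parts.username or parts.password:
        return False
    return host.lower() in ALLOWED_IMAGE_HOSTS


def validate_patch_body(raw_body: str) -> Optional[str]:
    """Parse the PATCH body; return the image link only if it passes validation."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return None
    url = body.get("image_link") if isinstance(body, dict) else None
    return url if is_allowed_image_url(url) else None


def render_img_tag(url: str) -> str:
    """Render the tag with the value attribute-escaped, so a quote that survived
    JSON decoding (e.g. sent as \\") becomes &quot; and cannot close src=""."""
    return '<img src="%s" alt="profile picture">' % html.escape(url, quote=True)


if __name__ == "__main__":
    # Constructed sample PATCH bodies, not captured traffic.
    samples = [
        '{"image_link": "https://images.program.com/u/123.png"}',
        '{"image_link": "http://198.51.100.7:1337"}',
        '{"image_link": "data:image/svg+xml;base64,AAAA"}',
        '{"image_link": "https://evil.example/x.png"}',
        '{"image_link": "https://images.program.com/a\\"b.png"}',
    ]
    for body in samples:
        accepted = validate_patch_body(body)
        print(body, "->", "rejected" if accepted is None else render_img_tag(accepted))
```

Both checks matter independently: the allowlist stops the application from acting as a tracking pixel or open redirector for profile viewers, and the escaping means a quote character in the stored value never reaches the HTML attribute unencoded even if the JSON layer lets it through.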