Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - XSIO: Cross Site Image Overlaying InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

XSIO: Cross Site Image Overlaying

Published: 2007-09-12
Last Updated: 2007-09-12 00:44:51 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

I found a new paper on a vulnerability called XSIO. XSIO stands for "Cross Site Image Overlaying" and is basically the same as XSS except there is no scripting involved, but instead an image is referenced and positioned using CSS over an important part of a website.

I've seen images being used in the past to convince e.g. managers of the need to fix XSS vulnerabilities. Basically it's too hard to explain how bad XSS is without goign into some level of technical detail. It's just simpler to understand the impact of that "inappropriate" image on a website than it is to explain the website's vulnerability causes the clients to get exploited via XSS.

The defense is the same as with XSS: input and output validation, echoing back input from the user is asking for trouble.

--
Swa Frantzen -- NET2S

Keywords:
0 comment(s)
Diary Archives