
SANS ISC InfoSec Forums

XSIO: Cross Site Image Overlaying

I found a new paper on a vulnerability called XSIO. XSIO stands for "Cross Site Image Overlaying" and is basically the same as XSS, except that no scripting is involved: instead, an image is referenced and positioned using CSS over an important part of a website.

I've seen images being used in the past to convince e.g. managers of the need to fix XSS vulnerabilities. Basically it's too hard to explain how bad XSS is without going into some level of technical detail. It's just simpler to understand the impact of that "inappropriate" image on a website than it is to explain that the website's vulnerability causes the clients to get exploited via XSS.

The defense is the same as with XSS: input and output validation; echoing raw input from the user back into the page is asking for trouble.
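As an added illustration (not code from the diary or from the paper it mentions), the following Python renders a user comment two ways: echoed verbatim, and passed through output encoding. A small HTML-parser check then looks for the XSIO pattern, an image with absolute or fixed positioning, in each rendered page. The comment text and image URL are constructed sample values.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a user comment with no script at all, only an image
# positioned by CSS so that it would cover the page (the XSIO pattern).
XSIO_COMMENT = ('Nice article! <img src="https://example.invalid/overlay.png" '
                'style="position:absolute;top:0;left:0;width:100%;height:100%">')

PAGE_TEMPLATE = '<div class="article">{body}</div><div class="comment">{comment}</div>'


def render_vulnerable(comment: str) -> str:
    """Echo the user input back unchanged: injected tags become real markup."""
    return PAGE_TEMPLATE.format(body="Article text", comment=comment)


def render_encoded(comment: str) -> str:
    """Output-encode the user input: < > & and quotes become entities, so the
    browser displays the text and never creates an <img> element from it."""
    return PAGE_TEMPLATE.format(body="Article text",
                                comment=html.escape(comment, quote=True))


class OverlayFinder(HTMLParser):
    """Collects the src of every <img> whose inline style positions it
    absolutely or fixed, i.e. an image that can be laid over other content."""

    def __init__(self) -> None:
        super().__init__()
        self.overlays: list = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr_map = dict(attrs)
        style = (attr_map.get("style") or "").replace(" ", "").lower()
        if "position:absolute" in style or "position:fixed" in style:
            self.overlays.append(attr_map.get("src"))


def find_overlay_images(page_html: str) -> list:
    """Return the src values of positioned images found in rendered HTML."""
    finder = OverlayFinder()
    finder.feed(page_html)
    return finder.overlays
```

The same check can be run as a regression test over rendered pages: the vulnerable rendering reports the overlay image, the encoded rendering reports none.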

Swa Frantzen -- NET2S

Sep 12th 2007
