1

I'm currently trying to find a vulnerability in a website (yes, I have permission). I found a url with a parameter that, when I change the text in it, that text is set as the name for the background image. Ex. when I change the url parameter text to 'anytexthere', this is what the block of code will look like:

<div style="background-image: url('/images/logo-anytexthere.png')"></div>

Is it possible to exploit this? I've tried unicode brackets and normal HTML code, and the unicode/normal HTML brackets are just removed in the image name.

tldr; url parameter text gets returned into background image name in the page's code, but removes brackets/special characters. How can I exploit this?

Improve this question
10
  • 1
    Are single and double quotes removed? Commented Aug 9, 2017 at 23:11
  • 1
    what about "`"? Commented Aug 9, 2017 at 23:13
  • 1
    @dandavis Out of curiosity - what would you do with backticks? Commented Aug 9, 2017 at 23:14
  • 1
    @Arminius: they are valid string delims in JS now, but if he can't find a way out of the attrib context, it likely doesn't matter. Commented Aug 9, 2017 at 23:15
  • 1
    @dandavis Sure, but they wouldn't help inside a CSS string inside an HTML attribute, so leaving them would probably be fine. Commented Aug 9, 2017 at 23:18

1 Answer 1

Reset to default
2

Since you can't use ' and ", there is no way to get out of the CSS string context to achieve XSS.

If single quotes were allowed, you could have injected CSS attributes, e.g.:

'); color: red; /*

If double quotes were allowed, you could have injected an HTML attribute, e.g.:

" onmouseover="alert('Where is my bounty')

If angle brackets were allowed (but not quotes), you would still have no chance to inject custom HTML. Something like this does not trigger:

<div style="background-image: url('/images/logo-><script>alert(1)</script>.png')"></div>

So what you're left with is the ability to change the image path to any URL on the same domain. E.g.:

<div style="background-image: url('/images/logo-/../../favicon.ico?.png')"></div>

As you can guess, this has a very limited security impact. In the rare case that the site implements CSRF protection solely based on the Referer header, you might be able to use this for CSRF attacks. But otherwise, there is no obvious way to exploit this behavior.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.