web application security lab

Cross Domain Leakage With Image Size

A few days ago I posted about how to control cross site scripting remotely.  This is a pretty powerful tool in the web application security toolkit - specifically for attackers attempting to mount remote attacks.  I did fail to mention one thing about this.  But let me start from the beginning.  Once upon a time, I was trying to get Gerv to implement content restrictions and, additionally, iframes that dynamically resize based on the embedded content.  Both had their uses for isolating user information in another domain, or at minimum restricting what it can do in the realm of the page it resides on.  The bug had trouble getting through, because being able to learn the state of a user on another site via cross site request forgery is itself deemed a security issue.

Then I started thinking about how my own image controlled XSS worked.  Because I now know the size of an image hosted remotely, I could also potentially know the state of the user.  Picture a dynamic image that, based on user state, changes its actual size.  It’s a fairly tricky thing to do, and very rare, but I have seen it before: “Hello, user!” versus “Hello, RSnake!” rendered as an image that is dynamically generated to suit the user.

There is another application that I haven’t figured out a good use for, but via things like PHP easter eggs, Apache default icons, etc… you can actually fingerprint the machine remotely.  I don’t see what value this has, particularly, unless you are using the XSS proxy idea and you really never want to touch the machine in question at all.

Another alternative is that the image is either there or not there based on the user’s state (a members-only area redirecting anonymous users to a login screen, which will prompt a JavaScript error that you can trap).  Again, all of these conditions may be rare, but it points to the ability to use a remote image not only to control remote cross site scripting vectors, but also to learn the state of users on remote websites via CSRF.  Scary!

2 Responses to “Cross Domain Leakage With Image Size”

  1. Albert Says:

    I think content restrictions are a good thing, but with people thinking that XSS is gone, it will not eliminate the threat of XSS from a malicious website or a hacked webserver, perhaps giving a false sense of security. The problem of XSS will never go away, the convenience of it outweighs the solution of getting rid of it.

  2. RSnake Says:

    Albert, that’s a very profound statement. I like to think there are solutions to the issue, I just haven’t figured them out yet. :) Content restrictions would only work if you are the webmaster of your own website and you know how to administer it. It won’t have any effect on websites out of your control (particularly malicious ones). So yes, this is no solution to cross site scripting. It’s just another mitigating factor for the risk you take using the Internet.