Massive HTML Injection Vulnerability

This could become a massive vulnerability, since many sites and blogs out there allow users to post images in their articles' comments. From my small research, I found out that we could launch HTML injection, XSS and even CSRF attacks against sites that are vulnerable to this. Here is the PoC:

The method is the same as my Pop Up Method: it triggers JavaScript inside the image error handler, hence it bypasses the JavaScript filter. This applies to sites that allow users to post images in their comments.
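A defensive sketch of the filter gap described above, as an added example that is not part of the original post: a filter that only removes script elements leaves event-handler attributes such as the image error handler in place, while building the tag from a validated URL does not. The function names and the constructed sample comment are assumptions for illustration.

```javascript
'use strict';

// Constructed sample of a comment body carrying an image error handler.
const SAMPLE_COMMENT = '<img src="x" onerror="alert(1)">';

// Weak approach: strip <script> elements and "javascript:" from submitted HTML.
// Event-handler attributes pass through untouched.
function naiveScriptFilter(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
    .replace(/javascript:/gi, '');
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened approach: never accept markup from the commenter. Take only an
// image URL and alt text, validate the scheme, and emit a tag whose
// attribute set is fixed by the server (no on* attributes can appear).
function renderCommentImage(rawUrl, rawAlt = '') {
  let url;
  try {
    url = new URL(String(rawUrl).trim()); // rejects relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return `<img src="${escapeAttr(url.href)}" alt="${escapeAttr(String(rawAlt))}">`;
}
```

Pairing this with a Content-Security-Policy that disallows inline script gives a second layer if a handler attribute ever does reach the page.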

By : Zoiz [at] Massive HTML Injection Vulnerability

Nothing is Secure
