Cross-Site Image Overlaying (XSIO)
Overview
Cross-site Image Overlaying (XSIO) is an attack that enables an attacker to obscure parts of a compromised page with images of the attacker's choosing. This allows the attacker to carry out attacks including defacement, misinformation and phishing.
What makes a site vulnerable?
A site is vulnerable if it allows users to enter HTML that is later displayed, and that HTML can contain at least image tags with attacker-chosen attributes (especially the style attribute). If the HTML can also contain hyperlinks, the attack is further enhanced. By setting the position of the image in the style attribute, the attacker can place the image over any part of the webpage, changing how that part of the page looks to the user. By combining this with a hyperlink, the attacker can potentially trick a visitor to the compromised page into following the attacker's links.
Impact of the attack
While not technically a site compromise, the site may be harmed through loss of reputation, etc. The attack also puts users at risk from phishing and other attacks.
Preventing the attack
To prevent the attack, a website should not accept and display images from users where the user can specify the positioning of the image on the page. Specifically, the website should not permit the attacker to specify attributes of the image tag, such as style, which allow positioning information to be set.
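The following is an added example, not code from the original page, showing one way to apply the prevention described above (and to neutralise the vulnerable condition described under "What makes a site vulnerable?"): an allowlist HTML sanitizer that keeps only a small set of tags and, for image tags, only the src, alt, width and height attributes. Because style (and every other attribute not on the list) is dropped, a user-supplied image cannot be positioned over other parts of the page. The set of allowed tags and attributes, the _safe_url rule and the sample input are assumptions chosen for illustration; a real site would tune them to its own needs.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of tag -> attributes that user-supplied HTML may keep.
# (Assumed set for illustration.) Positioning attributes, above all
# "style", are deliberately absent for every tag, so an image cannot
# be moved over other parts of the page.
ALLOWED = {
    "p": set(),
    "b": set(),
    "i": set(),
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"img"}  # tags that never get a closing tag


def _safe_url(value):
    """Accept only http(s) or site-relative URLs for src/href (assumed policy)."""
    value = (value or "").strip().lower()
    return value.startswith(("http://", "https://", "/"))


class ImageOverlaySanitizer(HTMLParser):
    """Rebuilds user HTML from scratch, keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized output fragments
        self.open_tags = []   # stack of kept, still-open tags
        self.dropped = []     # (tag, attribute-or-None) removed; useful for logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                self.dropped.append((tag, name))       # e.g. ("img", "style")
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.dropped.append((tag, name))
                continue
            if name in ("width", "height") and not (value or "").isdigit():
                self.dropped.append((tag, name))
                continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{escape(v or "", quote=True)}"' for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag: ignore it
        # Close inner tags that were left open so the output stays well-formed.
        while self.open_tags:
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))  # text is never emitted raw

    def close(self):
        super().close()
        while self.open_tags:  # close anything the user left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(user_html):
    """Return (sanitized_html, dropped_items) for a user-supplied fragment."""
    parser = ImageOverlaySanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample of the input the page describes: an image with
    # positioning in its style attribute, wrapped in the attacker's link.
    sample = (
        '<a href="https://attacker.example/fake-login">'
        '<img src="https://attacker.example/overlay.png" '
        'style="position:absolute;top:0;left:0" alt="x"></a>'
    )
    clean, dropped = sanitize(sample)
    print(clean)
    print("dropped:", dropped)
```

An allowlist is used rather than a denylist of attribute names because the page's requirement is that positioning information must never be settable; listing what is permitted covers attributes the text does not enumerate. The dropped list is worth writing to an application log, since a burst of stripped style attributes on image tags from one account is a useful signal that someone is probing for this weakness.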