In this example, Alice is an administrator on Site A, a blog. Mallory is an anonymous user of Site A; she cannot log in but she can post anonymous comments on the blog entries. The blog posts and comments are filtered with a system called RedCloth, an implementation of the textile markup system in Ruby.
The beginning of this scenario is much like the previous scenario. Alice opens her web browser, logs in and creates a new blog post. Alice uses various RedCloth tags to format her blog post, inserting several images and a table. After she is finished, Alice remains logged into Site A.
Mallory opens Site A in her web browser. After reading the post Alice just wrote, she decides to leave a rather interesting comment in the hope that Alice will read it. The comment reads as follows:
Alice, I enjoyed your post very much.
!http://sitea/posts/create/?post[title]=DEFACED&post[body]=DEFACED!
The second line is RedCloth's image syntax (a URL enclosed in exclamation marks). Once passed through the RedCloth filter, the following HTML will be produced.
<p>Alice, I enjoyed your post very much.</p> <p><img src="http://sitea/posts/create/?post[title]=DEFACED&post[body]=DEFACED" alt="" /></p>
The blog application is configured to notify Alice by email every time a comment is posted. Alice promptly checks her latest blog post and reads Mallory's comment. As soon as Alice's web browser opens the page containing the comment, it makes a GET request to the URL in the src attribute of the IMG tag, without any action on Alice's part. Because Alice is still logged in, her browser attaches her Site A session cookie to that request, so the server treats it as Alice creating a new blog post and does exactly that. Since Site A's response to the GET request isn't an image, Alice's web browser displays the "broken image" icon. Assuming the image in Mallory's comment is simply broken, Alice thinks nothing is wrong.
The Attacker's Restrictions
Mallory had some things to consider in crafting this attack. Since RedCloth doesn't allow you to create arbitrary tags such as forms or IFRAMEs, the attack would have to use a GET request. There are two primary ways of tricking Alice into making a GET request: display a link and hope she'll click on it, or use an IMG tag. Since Alice may not click on a link, and would see Site A's response to creating the blog post if she did, Mallory decides to use an IMG tag. Note that the restriction to GET is a limitation on Mallory, not a defence for Site A: the underlying weakness is that the create action changes state in response to a GET request and verifies nothing beyond the session cookie the browser sends automatically.
There are still some restrictions Mallory must work around. The overall length of the string allowed by RedCloth in the src attribute of an IMG tag is limited, so Mallory can't leave a long message. To be sure her attack will work, she first installs the RedCloth gem on her computer to experiment.
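The mechanism described above (an IMG tag that makes Alice's browser issue a state-changing GET with her session cookie) and the fix a practitioner would want can be shown in a few lines of Ruby. This is an added example, not code from the page or from RedCloth or Site A: the `Blog` store, the request hashes, the `authenticity_token` field name and the `/posts/create/` route are assumptions chosen to mirror the scenario.

```ruby
require 'uri'
require 'securerandom'

# Constructed stand-in for Site A's post store (assumption, not the page's code).
class Blog
  attr_reader :posts
  def initialize
    @posts = []
  end
end

# What Alice's browser sends when it renders Mallory's IMG tag: a plain GET
# for the src URL, carrying Alice's session cookie but no form token.
def img_fetch_request(src)
  path, query = src.split('?', 2)
  { method: 'GET', path: path, params: URI.decode_www_form(query.to_s).to_h }
end

# What Alice's own "new post" form sends: a POST that carries the per-session
# token the site embedded in the form (field name authenticity_token is assumed).
def site_form_request(session, title, body)
  { method: 'POST', path: '/posts/create/',
    params: { 'post[title]' => title, 'post[body]' => body,
              'authenticity_token' => session[:csrf_token] } }
end

# Vulnerable create action: acts on any request that arrives with a valid session,
# regardless of method, so the image fetch above creates a post as Alice.
def vulnerable_create(blog, req)
  blog.posts << { title: req[:params]['post[title]'], body: req[:params]['post[body]'] }
  :created
end

# Constant-time string comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened create action: state changes only on POST, and only when the request
# carries the token stored in Alice's session. An IMG tag can produce neither.
def protected_create(blog, req, session)
  return :method_not_allowed unless req[:method] == 'POST'
  expected = session[:csrf_token].to_s
  supplied = req[:params]['authenticity_token'].to_s
  return :forbidden if expected.empty? || !secure_compare(supplied, expected)
  blog.posts << { title: req[:params]['post[title]'], body: req[:params]['post[body]'] }
  :created
end

# The src URL from Mallory's comment on the page.
MALLORY_SRC = 'http://sitea/posts/create/?post[title]=DEFACED&post[body]=DEFACED'.freeze

if __FILE__ == $PROGRAM_NAME
  alice = { csrf_token: SecureRandom.hex(16) }   # Alice's logged-in session
  forged = img_fetch_request(MALLORY_SRC)
  blog = Blog.new
  puts "vulnerable create, IMG GET: #{vulnerable_create(blog, forged)} (#{blog.posts.size} post)"
  blog = Blog.new
  puts "protected create, IMG GET:  #{protected_create(blog, forged, alice)}"
  puts "protected create, own form: #{protected_create(blog, site_form_request(alice, 'Hi', 'Real post'), alice)}"
end
```

The token alone is what separates a request Alice meant to make from one her browser made on Mallory's behalf: both carry the session cookie, but only the site's own form can embed the per-session secret, and an IMG tag cannot send a POST at all. Requiring POST without the token would still leave Site A open to the form-based attacks the next section's whitelist filter would admit if it allowed FORM tags.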
The Role of Whitelist HTML Filters
Some sites don't use a markup language like RedCloth, but instead attempt to filter HTML. Such filters are often referred to as "whitelist HTML filters" because they define a list of tags and attributes their users are allowed to use. However, filtering HTML is tricky, and a whitelist that admits any tag capable of triggering a request (IMG among them) still lets a CSRF payload through, whatever else it strips.
In this example, Site A implements an HTML whitelist filter. It allows the IMG tag to be used, as well as its src, width, height, and alt attributes. There are no restrictions on the length or format of text that can go into any of these attributes.
Mallory will have no trouble formulating her attack this time. In fact, since she has the ability to set the width and height of the IMG tag, she also has the advantage of Alice not noticing the image at all. Mallory posts the following comment with IMG tag to Alice's new blog post.
Alice, I enjoyed your post very much!
<img width=0 height=0 src="http://sitea/posts/create/?post[title]=DEFACED&post[body]=I_just_defaced_your_site" />
When Alice sees Mallory's comment, her Web browser makes the same GET request as in the previous example. However, since the image has a width and height of zero, the "broken image" icon isn't displayed at all, and there is nothing on the page for Alice to notice.
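To see why the attribute whitelist described above does not help, here is a minimal whitelist HTML filter of that kind in Ruby, run over Mallory's comment, followed by a stricter src policy. This is an added example, not Site A's filter or any library's code; the tag list, the `images.sitea` image host and the regular-expression tag parser are assumptions (a production filter would use a real HTML parser and escape text nodes).

```ruby
require 'uri'

# Tag/attribute whitelist matching the page's description of Site A's filter:
# IMG is allowed with src, width, height and alt (a few text tags are assumed too).
ALLOWED = { 'p' => [], 'b' => [], 'i' => [], 'img' => %w[src width height alt] }.freeze

TAG_RE  = %r{<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)((?:\s+[A-Za-z-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(/?)\s*>}
ATTR_RE = %r{([A-Za-z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?}

def parse_attrs(str)
  str.scan(ATTR_RE).map { |name, dq, sq, bare| [name.downcase, dq || sq || bare || ''] }.to_h
end

# Whitelist filter: unknown tags are dropped, known tags keep only listed attributes.
# If a block is given, it decides whether an IMG src is acceptable; otherwise any src passes.
def filter_html(html, allowed = ALLOWED, &src_ok)
  html.gsub(TAG_RE) do
    closing, name, attrs, selfclose = $1, $2.downcase, $3, $4
    next '' unless allowed.key?(name)
    next "</#{name}>" if closing == '/'
    kept = parse_attrs(attrs).select { |k, _| allowed[name].include?(k) }
    next '' if name == 'img' && src_ok && !src_ok.call(kept['src'].to_s)
    attr_str = kept.map { |k, v| %( #{k}="#{v.gsub('"', '&quot;')}") }.join
    "<#{name}#{attr_str}#{selfclose == '/' ? ' /' : ''}>"
  end
end

IMAGE_HOSTS = %w[images.sitea].freeze  # assumed dedicated image host for Site A

# Stricter src policy: http(s) only, one of the image hosts, a plain image path,
# no query string or fragment. Mallory's create URL fails on both host and query.
def allowed_image_src?(src)
  uri = begin
    URI.parse(src)
  rescue URI::InvalidURIError
    return false
  end
  return false unless %w[http https].include?(uri.scheme)
  return false if uri.query || uri.fragment
  IMAGE_HOSTS.include?(uri.host) && !(uri.path =~ /\.(png|jpe?g|gif)\z/i).nil?
end

# Mallory's comment from the page, used here as the constructed sample input.
MALLORY_COMMENT = %(Alice, I enjoyed your post very much!\n) +
  %(<img width=0 height=0 src="http://sitea/posts/create/?post[title]=DEFACED&post[body]=I_just_defaced_your_site" />)

if __FILE__ == $PROGRAM_NAME
  puts "plain whitelist: #{filter_html(MALLORY_COMMENT)}"
  puts "src-restricted:  #{filter_html(MALLORY_COMMENT) { |s| allowed_image_src?(s) }}"
end
```

With the plain whitelist, Mallory's IMG tag comes out the other side intact, zero dimensions and create URL included, because every attribute she used is on the allowed list. Restricting src to a dedicated image host with no query string removes this particular payload and is worth doing, but it is defence in depth only: any whitelisted element or attribute that can make the browser fetch a URL reintroduces the problem, so the create action itself must refuse to change state on GET and must require a token, as in the previous example.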