
XSIO - Cross-site Image Overlay: A discussion and examples

By  Sep 11, 2007


A name has finally been given to an attack vector that has been around for some time. Using this method, an attacker can overlay their own image on top of an existing one on a webpage. Dangerous? Read on to see for yourself...

The concept of an XSIO attack has been around for a while and has been used by phishers on sites like eBay to trick people in several ways. On this very page we have actually performed two such overlay attacks.

The first one is right above this text, where you can see the image 'sethfogieIT'. Normally you would be able to see my mug shot with a few other pieces of information. However, thanks to a little XSIO code, this is not the case. This is a harmless example, but can you imagine the confusion if I replaced the InformIT.com logo at the top with a competitor's logo?

The second example is off to the left and is pretty obvious; however, I could have easily blended this into the page a bit more. This example is a bit more dangerous because the image is also a hyperlink. So, imagine if I inserted an ad for a book that you wanted to buy. The link could take you to another site that looks like this one, one on which I could create a cart and steal your credit card information.

While the concept has been around, it was this post (http://seclists.org/bugtraq/2007/Sep/0097.html) on Bugtraq that has finally given it a name and a definition. So, you can now add yet another term to the growing list of website-related attacks!
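As an added defensive example (not code from the original post), here is a small Python check for user-supplied HTML, assuming the overlay is produced by CSS positioning in an inline style attribute on an allowed img tag. It flags such images, records whether each one is clickable like the second example above, and strips the positioning declarations so the image stays in normal page flow.

```python
from html.parser import HTMLParser

# Properties that move an element out of normal flow (denylist constructed for this example).
POSITIONING_PROPS = {"top", "left", "right", "bottom", "z-index", "transform"}

def classify_style(style):
    """Split an inline style into (risky, safe) lists; risky ones can reposition the element."""
    risky, safe = [], []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(":", 1))
        prop = prop.lower()
        movable = ((prop == "position" and value.lower() != "static") or prop in POSITIONING_PROPS
                   or (prop.startswith("margin") and "-" in value))  # negative margins shift too
        (risky if movable else safe).append(f"{prop}: {value}")
    return risky, safe

def sanitize_style(style):
    """Return the inline style with every repositioning declaration dropped."""
    return "; ".join(classify_style(style)[1])

class ImgOverlayScanner(HTMLParser):
    """Record each <img> whose inline style could overlay the page, and whether it is a link."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_anchor = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._in_anchor = True
        elif tag == "img":
            risky = classify_style(attrs.get("style") or "")[0]
            if risky:
                self.findings.append({"src": attrs.get("src"), "linked": self._in_anchor, "declarations": risky})

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

def scan_fragment(html):
    """Parse a user-supplied HTML fragment and return the overlay findings."""
    scanner = ImgOverlayScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a comment with a clickable image positioned over the site logo, then a harmless avatar.
SAMPLE_COMMENT = ('<p>Great article!</p><a href="http://example.invalid/"><img src="fakelogo.png" '
                  'style="position: absolute; top: 0; left: 0; z-index: 9999"></a>'
                  '<img src="avatar.png" style="border: 1px solid #ccc; width: 80px">')
```

Running `scan_fragment(SAMPLE_COMMENT)` reports only the linked logo overlay; the avatar with purely cosmetic styling passes.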
