Diagram source: Mozilla.org
Let’s Break It Down
As a sidebar, this is similar to how email “opens” are tracked, with the email client fetching remote images from a sender-controlled webserver using an HTML tag like the following:
<img src="https://some-domain/img.jpg?id=1234" />
In this case, the address carries the identifier “id=1234”, which the sender's webserver parses and records as an open of email #1234. The webserver then generally responds with a pixel-sized image that doesn’t affect the rendering of the email. The email-receiving platform doesn’t distinguish this pixel from other graphics, and the human reader is none the wiser.
So, What’s The Catch?
var http_request = new XMLHttpRequest();
This All Sounds Terrifying. Tell Us More.
Often these types of attacks can appear in forums and comment threads where a malicious actor enters something like this as a comment:
Yes, I totally agree! <script>alert("infected!");</script>
Additional filtering allows only known and approved benign HTML tags to persist, such as embedded images or bold/underline tags. This solution can be brittle, however, as many methods exist for obfuscating an XSS payload’s true nature. Fortunately, the Open Web Application Security Project (OWASP) has published a set of XSS techniques which can be studied and mitigated.
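As an added example (not code from the original post), here is the safer way to implement the allowlist just described: escape every HTML-significant character in the comment first, then re-enable only a fixed set of attribute-free formatting tags. The tag list, the sample comments and the function names are assumptions made for this illustration.

```javascript
// Added example: render an untrusted comment so that markup like the
// <script> payload above is shown as text rather than executed.
// Strategy: escape everything, then restore only exact allowed tokens.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Neutralise every HTML-significant character so the browser shows it literally.
// Escaping "&" as well means a user who types "&lt;b&gt;" cannot forge a token
// that the restore step below would mistake for a real <b>.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tags a commenter may use (assumed list). Only bare open/close forms,
// never attributes, so "<b class=...>" stays escaped.
const ALLOWED_TAGS = ["b", "i", "u"];

// Escape first, then put back only the exact tokens "<b>", "</b>", etc.
// An unmatched closing tag that survives is inert: browsers ignore it.
function renderComment(untrusted) {
  let html = escapeHtml(untrusted);
  for (const tag of ALLOWED_TAGS) {
    html = html
      .split(`&lt;${tag}&gt;`).join(`<${tag}>`)
      .split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return html;
}

// Constructed sample comments, including the one quoted in the post.
const SAMPLES = [
  'Yes, I totally agree! <script>alert("infected!");</script>',
  "Great article, <b>thanks</b>!",
  '<b class="big">bold</b>',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const c of SAMPLES) console.log(renderComment(c));
}
```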
HDMZ is sharing this cautionary tale because we take these security precautions seriously, and, of course, we’re nerdy enough to like these sorts of details (even if you aren’t). If you’d like a simpler explanation, or if you have questions for our web hosting team about your site’s security, drop us a line.