A security researcher named sven.vetsch first discovered cross-site image overlaying (XSIO) attacks. sven.vetsch adjusted the image's style so that the picture covered whatever position on the page he specified:
<img src="http://disenchant.ch/powered.jpg" style="position:absolute; right:320px; top:90px;" />
The page's logo is covered by this image, which points to sven.vetsch's site: clicking what looks like the logo takes the user to sven.vetsch's site instead. If that destination were a phishing site, users would very likely be deceived.
XSIO (cross-site image overlaying) is different from XSS (cross-site scripting): it relies on the image's style attribute, that is, on being able to control CSS rather than on running script. If an application places no limit on using style to set absolute positioning, an image can be made to cover any position on the page, which leads to clickjacking.
Baidu Space also had this problem. The code is as follows:
<img src="http://img.baidu.com/hi/img/portraitn.jpg" style="position: absolute;left:123px;top:123px;">
The image can also be made to look like an ordinary link or button, or the attacker can draw text into the image and cover a key position on the page. In this way the page can be changed completely, so a user can be deceived even without clicking anything.
For example, a page modified by XSIO will deceive a great many users. Because many systems allow users to submit <img> tags, a great many sites are potentially exposed to XSIO. To defend against it, we need to check whether the style attribute of any <img> tag in submitted HTML can make the image escape its own box and overlay other content (for example, position: absolute).
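One way to implement that check on the server, as an added example that is not part of the original text: parse the submitted HTML, inspect the style attribute of every <img>, and drop the attribute when it could overlay other content. It goes slightly beyond the page by also treating position: fixed/sticky, negative margins and z-index as overlaying, and it strips CSS comments and backslash escapes before inspecting property names so that "posi/**/tion" or "p\osition" are not missed. The sample input is constructed; the filter class and function names are my own.

```python
import html
import re
from html.parser import HTMLParser

# Positioning schemes that take an <img> out of normal flow and let it sit on
# top of other page content (the page shows absolute; fixed/sticky behave alike).
OVERLAY_POSITIONS = {"absolute", "fixed", "sticky"}
MARGIN_PROPS = ("margin", "margin-top", "margin-left", "margin-right", "margin-bottom")

def style_is_overlaying(style: str) -> bool:
    """True if a style attribute value could place the image over other content."""
    style = re.sub(r"/\*.*?\*/", "", style, flags=re.S)  # drop CSS comments
    style = style.replace("\\", "")                        # drop CSS escapes
    decls = {}
    for decl in style.split(";"):
        prop, _, val = decl.partition(":")
        decls[prop.strip().lower()] = val.strip().lower()
    if decls.get("position") in OVERLAY_POSITIONS:
        return True
    if any(decls.get(p, "").startswith("-") for p in MARGIN_PROPS):
        return True  # negative margins also pull an image over its neighbours
    return "z-index" in decls  # explicit stacking order is a red flag too

class ImgStyleFilter(HTMLParser):
    """Re-emits submitted HTML, removing overlaying style attributes from <img>."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: data arrives unescaped
        self.out, self.dropped = [], 0
    def _emit_tag(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            if tag == "img" and name.lower() == "style" and value \
                    and style_is_overlaying(value):
                self.dropped += 1
                continue
            kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + (" />" if self_closing else ">"))
    def handle_starttag(self, tag, attrs): self._emit_tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._emit_tag(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(html.escape(data, quote=False))

def sanitize_img_styles(html_text: str):
    """Return (cleaned HTML, number of style attributes dropped)."""
    p = ImgStyleFilter()
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample: one overlaying image, one harmless one.
SAMPLE = ('<p>hi</p><img src="http://img.example/x.jpg" '
          'style="position: absolute;left:123px;top:123px;">'
          '<img src="a.jpg" style="border:1px solid red" />')
```

Running sanitize_img_styles(SAMPLE) keeps the second image's border style and drops only the first image's positioning.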