For example, if IE 7 and earlier tries to load an image or other non-HTML response
and fails to do so, it treats the response as HTML. To see this, create a text file
containing this:
Then save it as alert.jpg. Loading this "image" in IE from the URL address bar or an
iframe will result in the JavaScript being executed. Note that this does not work if the file
is loaded from an image tag.
Generally, if you attempt to upload such a file to an image hosting service, it will
reject the file because it is not an image. Image hosting services usually disregard the file
extension and look only at the magic number (the first few bytes) of the file to determine
the file type. Thus, an attacker can get around this by creating a GIF image with HTML
in the GIF comment and saving the GIF with the .jpg file extension. A single-pixel GIF is
shown here:
00000000 47 49 46 38 39 61 01 00 01 00 80 00 00 ff ff ff |GIF89a..........|
00000010 ff ff ff 21 fe 19 3c 73 63 72 69 70 74 3e 61 6c |...!..<script>al|
00000030 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b |,...........D..;|
Chapter 2: Cross-Site Scripting 43
Naming this file test.
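An added example (mine, not code from the book): an upload filter that does not stop at the magic number but walks the GIF block structure and exposes comment extensions, so a host can reject or strip a GIF like the one above. The single_pixel_gif helper is a constructed fixture reproducing the hexdump layout with the comment bytes substituted; everything assumes Python 3 and the standard library only.

```python
# Added example, not from the book: walk GIF blocks and surface comment
# extensions, the place where the bypass above hides its HTML.

def _sub_blocks(data: bytes, pos: int):
    """Read a chain of data sub-blocks (length byte + payload) ending at a 0x00."""
    parts = []
    while True:
        n, pos = data[pos], pos + 1
        if n == 0:
            return pos, b"".join(parts)
        parts.append(data[pos:pos + n])
        pos += n

def gif_comments(data: bytes) -> list:
    """Return the payload of every comment extension; raise ValueError if not a valid GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF: bad magic number")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    comments = []
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                  # trailer: end of file
            return comments
        if block == 0x21:                  # extension introducer
            label = data[pos]
            pos, payload = _sub_blocks(data, pos + 1)
            if label == 0xFE:              # comment extension
                comments.append(payload)
        elif block == 0x2C:                # image descriptor
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:             # local colour table present
                pos += 3 * (2 << (ipacked & 0x07))
            pos, _ = _sub_blocks(data, pos + 1)   # skip LZW code size + image data
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    raise ValueError("truncated GIF: no trailer")

def has_markup_in_comments(data: bytes) -> bool:
    """Reject a GIF whose comment carries HTML-looking markup."""
    return any(b"<" in c for c in gif_comments(data))

def single_pixel_gif(comment: bytes) -> bytes:
    """Constructed fixture: the 1x1 GIF from the hexdump above with the comment swapped in."""
    return (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\xff" * 6
            + b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
```

A safer policy than string matching is to re-encode every upload and drop all extension blocks, which removes the comment regardless of what it contains.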