Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos
"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"
jpg and loading it in IE will result in executing the JavaScript. This is also a great way to attempt to inject Flash cross-domain policies. Simply place the Flash security policy XML content in the GIF comment and ensure that the GIF file does not contain extended ASCII characters or NULL bytes. You can also inject HTML in the image data section, rather than the comment, of uncompressed image files such as XPM and BMP files.

Using Flash for HTML Injection

In most HTML injection scenarios, an attacker can inject arbitrary HTML. For instance, the attacker could inject an object and/or embed tag that would load a Flash application in that domain. Here's an example:

This HTML is a little cumbersome, but it will give a Flash application the same control that a JavaScript application has, such as reading cookies (via the ExternalInterface class), changing the way the web page looks (via the ExternalInterface class), reading private user data (via the XML class), and making HTTP requests on the victim's behalf (via the XML class).
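A defender-side check for the GIF comment trick described above, added here as an example and not taken from the book: it walks the GIF block structure, extracts every comment-extension payload, and flags any that carries markup a browser or Flash player could act on. The `make_gif` helper builds a constructed 1x1 sample file, and the pattern list in `SUSPICIOUS` is an assumption of this example.

```python
import re
# Markup a browser or Flash player could act on if the file is served or sniffed as text
# (pattern list is an assumption of this example; extend it for your own upload policy).
SUSPICIOUS = re.compile(rb"<\s*(script|cross-domain-policy|allow-access-from|object|"
                        rb"embed|iframe|svg)\b", re.IGNORECASE)

def _sub_blocks(data: bytes, pos: int):
    """Read one chain of GIF data sub-blocks at pos; return (payload, pos after the 0x00)."""
    out = bytearray()
    while True:
        n, pos = data[pos], pos + 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n

def gif_comments(data: bytes) -> list:
    """Walk the GIF block structure and return every comment-extension (0x21 0xFE) payload."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos, packed = 13, data[10]                 # skip header + logical screen descriptor
    if packed & 0x80:                          # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    comments = []
    while pos < len(data) and data[pos] != 0x3B:   # 0x3B is the trailer
        block, pos = data[pos], pos + 1
        if block == 0x21:                      # extension: label byte, then sub-blocks
            label, pos = data[pos], pos + 1
            payload, pos = _sub_blocks(data, pos)
            if label == 0xFE:
                comments.append(payload)
        elif block == 0x2C:                    # image descriptor, optional local table, LZW data
            lpacked, pos = data[pos + 8], pos + 9
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 0x07))
            _, pos = _sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size byte
        else:
            raise ValueError("unexpected block 0x%02x at %d" % (block, pos - 1))
    return comments

def suspicious_comments(data: bytes) -> list:
    """Comments carrying markup; an upload filter should reject the file or strip the block."""
    return [c for c in gif_comments(data) if SUSPICIOUS.search(c)]

def make_gif(comment: bytes) -> bytes:
    """Constructed 1x1 GIF with one comment extension; sample input for this example only."""
    parts = [comment[i:i + 255] for i in range(0, len(comment), 255)]
    sub = b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"
    return (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 3 + b"\xff" * 3   # header, LSD, 2-colour table
            + b"\x21\xfe" + sub                                                   # comment extension
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")  # 1x1 image + trailer
```

Pair a check like this with serving uploads under a fixed image Content-Type and the X-Content-Type-Options: nosniff header, so the browser never gets the chance to treat the file as HTML in the first place.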