Home > Cloud Computing > Cloud Security

Advanced XSS Series: XSS in JPEG (IE Only)

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Well... This is a really bad, bad thing Micro $ oft has done (Again !!!) With IE. They let IE render jpg images with html in them! Even if there is no image! And check this out, this is how easy it is.

Step 1:

Download Notepad ++ (Its free). You can do this with notepad but, notepad ++ is much better (It has lots of plugins etc .).

Step 2:

Make a new txt file. Open it with notepad/notepad ++ and add the following lines:

<Html>
<Body>
<Script> alert (XSS); </script>
</Body>
</Html>

Step 3:

Remove the. txt and rename to. jpg. Open in IE ....

Simple right !!!!! How dumb are they? Allowing html in a jpg to render with no problems!

Note: This will not work if the image is embedded in a page. it must be linked directly. if it wocould work when embedded in html this forum wocould be vulnerable (Injecth4x or Volume might want to fix that... scratch that. you definitely want to fix that ). volume said it wasnt working on his Internet Explorer so maybe its patched. it is confirmed working in IE 7.0.60001.18000 and earlier.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More