Source: Loveshell
Well, there are too many things... the earlier topics such as XSRF and port scanning are silently skipped here. Yesterday I saw a very interesting one.
<script>
// IE only: res:// addresses a resource embedded in a local executable
var winrar = new Image();
winrar.src = "res://C:\\Program%20Files\\WinRAR\\WinRAR.exe/#2/101";
// The snippet treats a height of 30 as a failed load; any other height means the file is there
if (winrar.height != 30)
{
    document.write("winrar");
}
winrar = null;
</script>
Hey, it can detect installed software! By the way, the res protocol is used in IE to locate resources; for example, you can locate a resource inside an exe file and analyze it. The src of img has no domain restrictions, and the src attribute does not seem to have any other restrictions either... but Firefox seems a little different --!
The other use is in penetration testing. Many mail programs support multimedia or HTML, but scripts certainly won't be supported (for example, my Foxmail won't parse script, iframe, or event handlers), yet they do parse the img tag... If we point src to our own address, we can collect information about the other party: User-Agent? OS? Path? Mail client? Login name? ... This person's usage habits.
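As an added defensive example (not code from the original post): a Python audit that a mail gateway or client could run over an HTML body to list every URL that would load just by displaying the message, covering both the remote img beacon and the res:// probe described above. The attribute list, the verdict names and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes a renderer fetches when the message is displayed, with no click.
AUTOLOAD_ATTRS = {"src", "background", "poster"}
# inline: served from the message itself; remote: the sender's server sees the
# request (IP, User-Agent, time opened); local: probes the recipient's own disk.
VERDICT = {"cid": "inline", "data": "inline",
           "http": "remote", "https": "remote", "ftp": "remote",
           "res": "local", "file": "local"}
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.\-]*):", re.I)

def classify(url):
    """Return 'inline', 'remote', 'local' or 'other' for one auto-loaded URL."""
    url = url.strip()
    if url.startswith("//"):          # protocol-relative URLs are still remote
        return "remote"
    m = SCHEME_RE.match(url)
    return VERDICT.get(m.group(1).lower(), "other") if m else "other"

class AutoloadAudit(HTMLParser):
    """Collect every URL an HTML mail body would load just by being displayed."""
    def __init__(self):
        super().__init__()
        self.findings = []            # (tag, attribute, url, verdict)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:     # the parser lowercases tag and attribute names
            if name in AUTOLOAD_ATTRS and value:
                self.findings.append((tag, name, value, classify(value)))

def audit(html):
    parser = AutoloadAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample body: embedded images, one remote beacon, one res:// probe.
SAMPLE = (
    '<html><body background="cid:bg@example.invalid">'
    '<IMG SRC="http://tracker.example.invalid/open.gif?rcpt=alice">'
    '<img src="res://C:\\Program%20Files\\WinRAR\\WinRAR.exe/#2/101" />'
    '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="></body></html>'
)

if __name__ == "__main__":
    for tag, attr, url, verdict in audit(SAMPLE):
        action = "keep" if verdict == "inline" else "BLOCK"
        print(f"{action:5} {verdict:7} <{tag} {attr}> {url[:60]}")
```

Anything not classified as inline is a candidate for blocking or for a "load images?" prompt before the message is rendered.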