Interesting method, has a few applications.
I bet you people on this site who actually use NoScript add an exception for a few sites, upload this “image”, find some way to get it to run and NoScript treats it as running from the site itself.
I have NoScript by myself and even allowing scripts by default lets NoScript prevent this image from execution though it does not allow executing scripts with wrong MIME type (I tried that).
Oh, that's unexpected, so at least you're covered. Still a possible attack vector.
Well, that should be the responsibility of the browser, but since many downloads or similar provide wrong MIME types, they weakened that, and Chrome, for example, only shows a warning in the console if a wrong MIME type is provided.
This has been around for a minute, but I think that it only works if the images aren’t served up correctly.
I imagine they’ll want to patch that sometime.
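One server-side mitigation for the wrong-MIME-type problem raised in the comments above, as an added example that is not from the article or from any commenter: the server picks the Content-Type from the file's leading bytes and sends `X-Content-Type-Options: nosniff`, so a script tag pointed at the upload is refused. The function names, the accepted-type table and the sample bytes are assumptions made for illustration.

```python
import os

# Magic-byte prefixes for the image types this hypothetical upload service accepts.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
EXTENSIONS = {".gif": "image/gif", ".png": "image/png",
              ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}

# Constructed sample: starts like a GIF, as an uploaded "image" would.
SAMPLE_GIF = b"GIF89a" + bytes(20)


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return mime
    return None


def headers_for_upload(filename: str, data: bytes) -> dict:
    """Build response headers for serving a stored upload, or raise ValueError."""
    by_name = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    by_content = sniff_image_type(data)
    if by_name is None or by_content is None or by_name != by_content:
        raise ValueError("not an accepted image: %r" % filename)
    return {
        # The type comes from the server's own check, never from the uploader.
        "Content-Type": by_content,
        # Tells the browser not to reinterpret the body as script or HTML.
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(data)),
    }


def is_script_load_blocked(headers: dict) -> bool:
    """Simplified model of the browser rule: with nosniff set, a script
    fetch is blocked unless the response has a JavaScript MIME type
    (only two of the accepted JavaScript types are listed here)."""
    js_types = {"text/javascript", "application/javascript"}
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    return nosniff and headers.get("Content-Type", "").lower() not in js_types
```

The magic-byte check only pins down the declared type; it does not remove anything embedded in the file, so it complements re-encoding uploads rather than replacing it.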
This used to be called gifar, and it's a really old technique. Definitely not an unmitigated good.
Which was also posted here in 2008:
This is why you never trust user input. Always at least run uploaded images through ImageMagick or some other image manipulation software and sanitize the data.
Great reminder. If only browsers did similar before sending through the script parser.
Funny how the linked site doesn’t work unless you enable scripting.
Anyway, maybe this works on Facebook pages for Turkish or Syrian hackers to hack people. Or other popular sites/systems where people can make their own pages but the scripting is deliberately crippled.
element.value = "https://coin-have.com/c/gAjV.js"
Exactly, did this work for you?