The Unusual Suspects

The risk of XSS infection doesn't end once the Web site has secured itself from malicious input, modified cookies, and character encoding schemes. At its core, an XSS attack requires the Web browser to interpret some string of text as JavaScript. To this end, clever attackers have co-opted binary files that would otherwise seem innocuous.

In March 2002, an advisory was released for Netscape Navigator that described how image files, specifically the GIF or JPEG formats, could be used to deliver malicious JavaScript (http://security.FreeBSD.org/advisories/FreeBSD-SA-02:16.netscape.asc). These image formats include a text field for users (and programs and devices) to annotate the image. For example, tools such as Photoshop ...
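The advisory above hinges on the fact that a JPEG's comment segment is free-form text that nothing validates. The following added example (not from the book or the advisory) shows the defender's side: a small walker over JPEG marker segments that pulls out every COM (0xFFFE) comment and flags any that contain HTML markup or a `javascript:` URL, the kind of check an upload handler can run before storing a file. The sample file is constructed inline and is only structurally a JPEG; the same idea applies to GIF's Comment Extension block, which is not parsed here.

```python
import re
import struct

def build_jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed sample: SOI, one COM segment, EOI. Not a real picture;
    only the marker layout matters for the parser."""
    segment = struct.pack(">H", len(comment) + 2) + comment  # length counts itself
    return b"\xff\xd8" + b"\xff\xfe" + segment + b"\xff\xd9"

def jpeg_comments(data: bytes) -> list:
    """Walk the marker segments of a JPEG and return the payload of every
    COM (0xFFFE) segment found before the entropy-coded image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    comments = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):      # EOI or SOS: no more metadata segments
            break
        if marker == 0x01 or marker == 0xD8 or 0xD0 <= marker <= 0xD7:
            pos += 2                    # standalone markers carry no length field
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:
            comments.append(payload)
        pos += 2 + length
    return comments

# Anything that looks like a tag or a javascript: URL has no business in a comment.
MARKUP_RE = re.compile(rb"<\s*/?\s*[a-z!?]|javascript\s*:", re.IGNORECASE)

def suspicious_comments(data: bytes) -> list:
    """Return the COM payloads that contain markup, for rejection or logging."""
    return [c for c in jpeg_comments(data) if MARKUP_RE.search(c)]

if __name__ == "__main__":
    for text in (b"Created with Photoshop", b"<script>alert(1)</script>"):
        flagged = suspicious_comments(build_jpeg_with_comment(text))
        print(text, "->", "FLAGGED" if flagged else "ok")
```

Rejecting a comment is a content check only; the browser-side fix is to serve uploads with an accurate Content-Type and never to let the client sniff an image as HTML.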
