The Executable Image Exploit

Presented at DEF CON 15 (2007), Aug. 3, 2007, 8 p.m. (50 minutes).

The "Executable Image Exploit" lets you insert a dynamic program into any community website that allows references to off-domain images; like MySpace or eBay. By uploading the following line of HTML to a community website, <img src="http://www.mydomain.com/executable.jpg"> you can launch a dynamic program that masquerades as a static image and capable of reading and writing cookies, analyzing referrer (and other browser) variables and access databases. It is even possible to create an image the causes a browser to execute JavaScript.

Presenters:

  • Michael Schrenk
    Michael Schrenk A previous DEFCON Speaker (DC10 & DC11), Michael Schrenk has created Internet strategies for companies like: Disney, Nike, AOL and Callaway Golf. He is the author of "Webbots, Spiders, and Screen Scrapers" (2007, No Starch Press), and has written for Computer World and Web Techniques magazines. Currently, he has an article (about webbots) in the July issue of php|architect. Mike has also taught college courses on web usability and Internet marketing. You can contact him at http://www.schrenk.com.

Links:

Similar Presentations: