ok, first off, don’t do this…
Let’s say you find a website where you can add “script” tags to a page. Well usually, you can’t do anything with it since browsers won’t let you execute a file from another site. To work around that, we can load a gif in the source:
```html
<script src="something.gif"></script>
```
Well, your browser will think that’s fine, but it will also try to interpret the encoding of the image as JavaScript. So now all we need to do is insert some ASCII chars…
mn has a good tutorial on how to finish this up over here: http://jklmnn.de/imagejs/
Here are some more resources:
- http://hackaday.com/2014/11/15/hiding-executable-javascript-in-images-that-pass-validation/
- http://iamajin.blogspot.in/2014/11/when-gifs-serve-javascript.html
- https://code.google.com/p/corkami/
- https://twitter.com/angealbertini
Have fun!
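On the serving side, whether `<script src="something.gif">` actually runs depends on the response headers the image is delivered with. The following is an added example, not from the original post: a simplified Node.js model of the Fetch standard's MIME checks for script loads, with constructed function names and sample responses, showing weak header sets next to the hardened one.

```javascript
// Added example: simplified model of the Fetch standard's MIME checks for
// script loads. Function names and sample responses are constructed.
const JS_MIME = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Lower-case the header names and pull out the MIME essence ("type/subtype").
function parse(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const essence = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  const nosniff =
    (h['x-content-type-options'] || '').split(',')[0].trim().toLowerCase() === 'nosniff';
  return { essence: /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null, nosniff };
}

// Returns the check that refuses a <script src> load, or null if it would run.
function scriptLoadBlockedBy(headers) {
  const { essence, nosniff } = parse(headers);
  if (essence && (/^(image|audio|video)\//.test(essence) || essence === 'text/csv'))
    return 'mime-type-check';
  if (nosniff && !JS_MIME.has(essence)) return 'nosniff';
  return null;
}

// Headers an upload endpoint should send when serving a stored GIF.
function headersForStoredGif() {
  return { 'Content-Type': 'image/gif', 'X-Content-Type-Options': 'nosniff' };
}

// Constructed sample responses for the same uploaded bytes.
const samples = {
  noType: {},
  octetStream: { 'Content-Type': 'application/octet-stream' },
  octetNosniff: { 'Content-Type': 'application/octet-stream',
                  'X-Content-Type-Options': 'nosniff' },
  hardened: headersForStoredGif(),
};
for (const [name, h] of Object.entries(samples))
  console.log(name.padEnd(13), scriptLoadBlockedBy(h) ?? 'executes as script');
```

Uploads served with no `Content-Type`, or with a generic type and no `nosniff`, are the cases where the image bytes can still be run as script.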