XSS Attacks - Exploits and Defense



XSS Theory • Chapter 3


Click only once on the Text Track name cell. Once the cell is ready for editing, type HREFTrack, close the window, and save the file. If you try the example shown here in your browser, you will see that you are prompted with an alert box (Figure 3.24).

Figure 3.24 QuickTime Movie XSS Exploit In Action

Unfortunately, there is a simpler way to backdoor AVI movies and even MP3 files that are played inside the QuickTime browser player. A few days after the first QuickTime XSS issue was discovered, Petko Petkov posted an article on how to abuse similar functionality in QuickTime Media Links (QTL). QTLs are simple XML files that define the properties of one or many files. They act as a mechanism for collecting movies and specifying the order in which they are designed to play. A simple QTL file looks like this:

<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="Sample.mov" autoplay="true"/>

Notice the file format. The embed tag supports a number of parameters that are not going to be discussed here; however, it is important to pay attention to the qtnext parameter. This parameter or attribute specifies what movie to play next. For example:
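Added example, not from the book: a defender-side audit of QTL files that reports any src or qtnext link whose scheme falls outside an allow-list. The function names, the allow-list policy and the sample qtnext value are assumptions made for this illustration.

```python
import html
import re
from urllib.parse import urlsplit

# <embed> attributes that name something the player loads (both from the text).
URL_ATTRS = ("src", "qtnext")
# Assumed site policy: relative paths and web URLs only.
ALLOWED_SCHEMES = {"", "http", "https"}

# Regex scan rather than an XML parser, so a file that is not well-formed
# XML is still inspected; quoted values may contain '>'.
EMBED_RE = re.compile(r"""<embed\b((?:"[^"]*"|'[^']*'|[^>"'])*)>""", re.I)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def link_scheme(value):
    """Scheme of a link after undoing entity encoding and padding."""
    decoded = html.unescape(value)
    compact = re.sub(r"[\x00-\x20]+", "", decoded).lstrip("<")
    try:
        return urlsplit(compact).scheme
    except ValueError:
        return "unparseable"


def audit_qtl(text):
    """Return (attribute, raw value, scheme) for each link outside policy."""
    findings = []
    for embed in EMBED_RE.finditer(text):
        for name, dq, sq in ATTR_RE.findall(embed.group(1)):
            if name.lower() in URL_ATTRS:
                scheme = link_scheme(dq or sq)
                if scheme not in ALLOWED_SCHEMES:
                    findings.append((name.lower(), dq or sq, scheme))
    return findings


# Constructed sample: the QTL from the text with a qtnext that is not a movie.
SAMPLE_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="Sample.mov" autoplay="true" qtnext="javascript:void(0)"/>"""

if __name__ == "__main__":
    for attr, value, scheme in audit_qtl(SAMPLE_QTL):
        print(f"{attr}={value!r} uses disallowed scheme {scheme!r}")
```

Unquoted attribute values are not matched by this scan; a file that uses them should be treated as suspect and reviewed by hand.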

www.syngress.com

