Image XSS is very interesting concept...Inspired by Saumil Shah's one of video, I decided to try it out and it worked well!..Interesting!..
Just for reference am putting these things here on my blog.
First this we will need simple "GIF" Extension File, why????? because it simply starts with : GIF89a
Anything after this will be your actual GIF Image file contents.
If we create GIF file (test.gif) as below through Hex Editor :
If it would be Java Script, GIF89a will be considered as a Variable, /*....../* will be comments
But currently it is just an Image!....not a java script...what if we create test.html file with below content :
Now you can place all pieces together and will get something like :
<script src="GIF89a/*.......*/=0;alert("eXploi13r Here")">
It is self explanatory...!!!!
Be aware, simple GIF Images may contain, malicious scripts....!!! :)