Recently encountered an awesome blog: http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html#more. The author describes how he can use JavaScript to craft the HTTP POST request such that an attacker can "upload" malicious content on the victim's behalf. More importantly, he extended it to HTML5 CORS, where he can pull this off without the attack script having to be in the same domain as the victim. I thought this was pretty amazing!
Anyway, I have an idea that I am not sure if it'll work or not, or if it has been discussed/brought up already.
The idea is to do the same HTML5 CORS JavaScript file upload without the HTML5 CORS capability. How so? Leveraging an HTML form POST request with HTTP request smuggling. So the idea is to create an HTML form with a text area, and inside the text area you craft an HTTP POST request including all the multipart/form-data items and content (including the crafted upload content). I am not sure if this will work, but it seems feasible. The only downfall is that no HTTP authentication or custom headers that the browser usually provides will be included. Unless it is possible to do a "302 redirect POST", but I doubt that can happen...
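To see what the receiving server actually gets from a form post like the one described above, here is an added example (not code from this post or from the linked blog) with a minimal multipart/form-data parser and the server-side checks that decide whether any cross-site upload is accepted. It parses a constructed request in which a textarea field carries text shaped like its own multipart body; because the browser picks the outer boundary at submit time, the inner delimiters are just data to the outer parser. The boundaries, origin, token and payloads are all constructed values, and the Origin plus per-session CSRF-token checks in `authorize_upload` are the hypothetical upload endpoint's policy, not anything from the page.

```python
"""Added example (not from the post or the linked blog): how a server-side
multipart/form-data parser sees a textarea whose value is itself shaped like a
multipart body, and the Origin + CSRF-token checks applied before an upload is
accepted. All boundaries, origins, tokens and payloads are constructed."""
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed boundaries: OUTER is what the victim's browser picks for the form
# post; INNER is the one typed into the textarea. They differ, because the
# browser chooses OUTER at submit time.
OUTER = "----WebKitFormBoundaryCONSTRUCTED1"
INNER = "----WebKitFormBoundaryCONSTRUCTED2"
ALLOWED_ORIGIN = "https://app.example"          # hypothetical upload site
SESSION_TOKEN = "tok-constructed-0123456789"     # per-session CSRF token (constructed)

# Constructed: the textarea content, a complete multipart body with a file part.
INNER_BODY = (
    f"--{INNER}\r\n"
    'Content-Disposition: form-data; name="file"; filename="x.txt"\r\n'
    "Content-Type: text/plain\r\n\r\n"
    "hello\r\n"
    f"--{INNER}--\r\n"
)

# Constructed: what the browser serialises for <form enctype="multipart/form-data">
# with a single <textarea name="note"> holding INNER_BODY.
FORGED_REQUEST = (
    f"--{OUTER}\r\n"
    'Content-Disposition: form-data; name="note"\r\n\r\n'
    f"{INNER_BODY}\r\n"
    f"--{OUTER}--\r\n"
)

# Constructed: a legitimate same-origin submission carrying the CSRF token.
LEGIT_REQUEST = (
    f"--{OUTER}\r\n"
    'Content-Disposition: form-data; name="csrf_token"\r\n\r\n'
    f"{SESSION_TOKEN}\r\n"
    f"--{OUTER}\r\n"
    'Content-Disposition: form-data; name="file"; filename="report.txt"\r\n'
    "Content-Type: text/plain\r\n\r\n"
    "quarterly numbers\r\n"
    f"--{OUTER}--\r\n"
)


def parse_multipart(body: str, boundary: str) -> List[Dict[str, Optional[str]]]:
    """Minimal RFC 2046 parser: split on the outer delimiter, then split each
    part into headers and value. Text that merely looks like another multipart
    body inside a part is returned unchanged as that part's value."""
    delimiter = f"--{boundary}"
    parts: List[Dict[str, Optional[str]]] = []
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble
        if chunk.startswith("--"):               # closing delimiter reached
            break
        if chunk.startswith("\r\n"):
            chunk = chunk[2:]
        if chunk.endswith("\r\n"):               # CRLF belongs to the next delimiter
            chunk = chunk[:-2]
        headers, _, value = chunk.partition("\r\n\r\n")
        name = re.search(r';\s*name="([^"]*)"', headers)
        filename = re.search(r';\s*filename="([^"]*)"', headers)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "value": value,
        })
    return parts


def authorize_upload(req_headers: Dict[str, str],
                     parts: List[Dict[str, Optional[str]]],
                     expected_token: str) -> Tuple[int, str]:
    """Decide whether an upload is accepted. The checks do not depend on how the
    body was assembled (form, XHR, CORS): a cross-site request cannot present a
    matching Origin or the per-session token."""
    if req_headers.get("Origin") != ALLOWED_ORIGIN:
        return 403, "origin mismatch"
    token = next((p["value"] for p in parts if p["name"] == "csrf_token"), None)
    if token is None or not secrets.compare_digest(token, expected_token):
        return 403, "missing or invalid csrf token"
    files = [p for p in parts if p["filename"]]
    if not files:
        return 400, "no file part"
    return 200, f"accepted {files[0]['filename']}"


if __name__ == "__main__":
    forged = parse_multipart(FORGED_REQUEST, OUTER)
    print([(p["name"], p["filename"]) for p in forged])        # [('note', None)]
    print(authorize_upload({"Origin": "https://evil.example"}, forged, SESSION_TOKEN))
    legit = parse_multipart(LEGIT_REQUEST, OUTER)
    print(authorize_upload({"Origin": ALLOWED_ORIGIN}, legit, SESSION_TOKEN))
```

Run it as a script: the forged request parses to a single text field named `note` with no filename, and it is rejected on Origin before any part is inspected; the legitimate request carries the token and a real file part and is accepted. The point for a defender is that the acceptance decision rests on Origin and the session-bound token, which the browser will not attach on an attacker's behalf regardless of what the body contains.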