Polyglots allow multiple interpretation of formats, providing a new space of attack vectors based on “syntax injection” or “content smuggling”. Particularly dangerous formats are identified, with PDF as the prime example. A demonstration shows how polyglot attacks open up for insecure cross-origin communication.
In an evaluation of the top 100 Alexa web sites, five web sites were found to be vulnerable to polyglot attacks based on syntax injection. Further, two major enterprise cloud storage services were found to be susceptible to polyglot attacks content smuggling. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate polyglot attacks.”