The script that it references evals the contents of the GET parameter zz, allowing custom payloads to be inserted. It effectively provides a reflected XSS endpoint for your target origin, e.g. http://example.org/images/test.png?zz=alert("this is xss :(");

Related work

There has been ...
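The eval-of-zz behaviour described above is the classic "parameter treated as code" bug. As an added example (not code from the original post or the script it describes), the block below shows the defender's side: a hardened handler that treats zz as data under a strict allowlist, and a small log check that flags requests whose zz value carries code-like characters. It assumes, hypothetically, that zz was only ever meant to carry a small positive integer; the access-log lines are constructed for the example.

```javascript
// Added example, not the script from the original post.
// Assumption (hypothetical): "zz" is supposed to be a small positive integer.

// Expected shape of a legitimate zz value: one to four digits, nothing else.
const EXPECTED_ZZ = /^\d{1,4}$/;

// Characters that have no business in an integer option but do appear in
// script payloads (parentheses, quotes, semicolons, angle brackets, ...).
const CODE_LIKE = /[()<>;"'`=\\]/;

// Mitigation: never eval() the parameter. Parse it as data and accept only
// what the feature actually needs; anything else is rejected (null).
function parseZz(queryString) {
  const raw = new URLSearchParams(queryString).get("zz");
  if (raw === null || !EXPECTED_ZZ.test(raw)) {
    return null;
  }
  return Number(raw);
}

// Detection: pull the request path out of a combined-format access-log line,
// decode the zz parameter and report whether it looks like code rather than
// the expected integer. Works on the constructed log format used below.
function inspectLogLine(line) {
  const m = line.match(/"GET ([^ ]+) HTTP\//);
  if (!m) return { zz: null, suspicious: false };
  const qIndex = m[1].indexOf("?");
  if (qIndex === -1) return { zz: null, suspicious: false };
  const raw = new URLSearchParams(m[1].slice(qIndex + 1)).get("zz");
  if (raw === null) return { zz: null, suspicious: false };
  return {
    zz: raw,
    suspicious: !EXPECTED_ZZ.test(raw) && CODE_LIKE.test(raw),
  };
}

// Returns only the log lines whose zz value is flagged.
function scanLog(lines) {
  return lines.filter((line) => inspectLogLine(line).suspicious);
}

// Constructed sample log: one benign request and one carrying the payload
// quoted in the post, URL-encoded as a browser would send it.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images/test.png?zz=42 HTTP/1.1" 200 512',
  '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /images/test.png?zz=alert(%22this%20is%20xss%20%3A(%22)%3B HTTP/1.1" 200 512',
];

// Usage: parseZz("zz=42") returns 42, parseZz('zz=alert("x");') returns null,
// and scanLog(SAMPLE_LOG) returns just the second line.
for (const hit of scanLog(SAMPLE_LOG)) {
  console.log("flagged:", inspectLogLine(hit).zz);
}
```

The allowlist does the real work: once the value can only be a few digits, there is nothing left for a payload to ride on, and the log check is just a cheap way to find out whether anyone has already been probing the endpoint.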