Yep. Buffer overruns are the biggest issue with web stuff. Shove more of something than is expected at just the right time and a badly coded something will barf or let it over write some code. And if that code can later be forced to execute then you have a way to stuff your own code into the system and have it execute. I saw a writeup about one of the biggies that his MS servers a few years back and the actual inserted code was maybe 20 or 40 characters. So it doesn't take much. And it doesn't have to be "code" that your browser thinks it is being fed. Text, graphics, code, etc ... are just lables. It's all bits.