No, my comment about "folder level authentication" is relevant; it's actually the core of the attack. You don't understand.
let me help.
HTTPNTLM and Basic Auth are both folder level authentication methods.
The attack occurs when a bad guy is afforded the opportunity to load an external (untrusted) resource into a page, like uploading an avatar from your computer or from a URL.
they will put in a url that they have control over, so www.badguy.com/protectedfolder/pic.jpg
pic.jpg doesn't have to exist, but it will satisfy the web application's requirement that the input begin with http/https and end with .jpg (or an approved extension).
I can only assume you have never used HTTPNTLM or Basic Auth
The client will respond to HTTPNTLM in different ways depending on the browser, but to Basic Authentication in the same way every time.
HTTPNTLM, for example: if the Active Directory permits sending HTTPNTLM, it will. On anything higher than IE6 you will have to enable it, but some poorly configured AD policies will stumble on this; if the policy doesn't automatically send a response to the challenge, it will prompt the user for a username and password. Basic authentication will always give you the same prompt: REALM information (space for convincing the user to submit credentials) and a username and password prompt.
If you want to play with this I recommend Metasploit or Responder by SpiderLabs - great for learning.
If the server downloads the images locally that's fine, but I've tested this on a Discourse forum elsewhere and successfully injected an authentication prompt to the folder - hence bringing it here.
If you would like to test from one of my boxes, I have set up a Responder here:
http://killteam.co/derp.jpg (or any other file / extension you like, because it's folder level).
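The comment's own mitigation is "if the server downloads the images locally that's fine": a server-side import means the visitor's browser never requests the remote URL, so an HTTP 401 with a Basic or NTLM challenge never reaches the user. The example below is added here and is not code from the comment or from Discourse. It shows what such an import step should check: scheme, embedded credentials, an authentication challenge from the remote host, size, and the real image format by magic bytes rather than by file extension (the comment's point that `pic.jpg` need not exist is exactly why extension checks alone are worthless). The `fetch` callable and the hostnames `challenge.example.test` and `images.example.test` are constructed for the demonstration; in production `fetch` would be a real HTTP client that is configured never to send credentials.

```python
import urllib.parse
from dataclasses import dataclass, field

# Magic bytes of the image formats we are willing to rehost on our own origin.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


@dataclass
class FetchResult:
    """Minimal view of an HTTP response (hypothetical shape for this example)."""
    status: int
    headers: dict
    body: bytes


@dataclass
class Outcome:
    accepted: bool
    reason: str
    content_type: str = ""
    body: bytes = field(default=b"", repr=False)


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if not an image we accept."""
    for signature, content_type in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return content_type
    return None


def import_remote_image(url: str, fetch, max_bytes: int = 2_000_000) -> Outcome:
    """Fetch a user-supplied image URL server-side and decide whether to rehost it.

    The browser of the viewing user never touches `url`; only the returned body
    (served from our own origin) is ever embedded in a page.
    """
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return Outcome(False, "scheme not allowed")
    if parsed.username or parsed.password:
        return Outcome(False, "credentials embedded in URL")

    result = fetch(url)
    # A folder-level challenge (Basic or NTLM) shows up as 401/407 plus
    # WWW-Authenticate. We never answer it and we never relay it to a user.
    challenged = any(k.lower() == "www-authenticate" for k in result.headers)
    if result.status in (401, 407) or challenged:
        return Outcome(False, "remote resource demanded authentication")
    if result.status != 200:
        return Outcome(False, f"unexpected status {result.status}")
    if len(result.body) > max_bytes:
        return Outcome(False, "body too large")

    content_type = sniff_image_type(result.body)
    if content_type is None:
        return Outcome(False, "body is not a supported image")
    return Outcome(True, "ok", content_type, result.body)


# Constructed stand-in for an HTTP client: two fake hosts, no network access.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG header bytes


def demo_fetch(url: str) -> FetchResult:
    host = urllib.parse.urlsplit(url).hostname
    if host == "challenge.example.test":
        # Any path under this host answers with a Basic challenge, regardless of extension.
        return FetchResult(401, {"WWW-Authenticate": 'Basic realm="Please log in"'}, b"")
    if host == "images.example.test":
        return FetchResult(200, {"Content-Type": "image/jpeg"}, JPEG_SAMPLE)
    return FetchResult(404, {}, b"")


if __name__ == "__main__":
    for candidate in (
        "http://challenge.example.test/protectedfolder/pic.jpg",
        "http://images.example.test/avatar.jpg",
        "ftp://images.example.test/avatar.jpg",
    ):
        print(candidate, "->", import_remote_image(candidate, demo_fetch))
```

Only bodies with `accepted=True` are written to the forum's own storage and served from there; everything else is dropped, so a URL that merely ends in `.jpg` buys the submitter nothing.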