Hi all,
Currently I am pentesting a Flash app and found the following potential XSS flaw in the ActionScript code:
var loc0:* = "javascript:open_c('file.php?c=" + MovieClip(root).loaderInfo.parameters.c + "','cover_in');";
var loc1:* = new URLRequest(loc0);
Now, as one can see, I can easily inject JavaScript by loading the Flash app like:
test.swf?c=');alert(1);//
or
test.swf?c='+alert(1)+'
Unfortunately, if I open the Flash file directly without embedding it in the webpage, of course the custom function open_c() is not declared and executing JS fails.
Now, is there any way to execute JavaScript even though the previous JavaScript code failed to execute?
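
The hardened counterpart of the snippet in the post, as an added example that is not part of the original post or the application's own code: the `c` parameter is checked against an allow-list and handed to `open_c` as an argument instead of being concatenated into a `javascript:` URL. The class name `CoverLink`, the allow-list pattern and the assumption that `open_c` takes two string arguments (as in the call shown above) are assumptions.

```actionscript
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface;

    // Hypothetical document class; the name CoverLink is not from the post.
    public class CoverLink extends Sprite {
        // Assumption: valid "c" values are short ids. Anything else is rejected,
        // so quotes, parentheses and backslashes never reach a JavaScript context.
        private static const SAFE_C:RegExp = /^[A-Za-z0-9_-]{1,32}$/;

        public function CoverLink() {
            // FlashVars / query-string values are attacker-controlled strings.
            var raw:Object = loaderInfo.parameters.c;
            var c:String = (raw == null) ? "" : String(raw);
            openCover(c);
        }

        // Returns true only when the host page function was actually invoked.
        private function openCover(c:String):Boolean {
            if (!SAFE_C.test(c)) {
                return false; // drop untrusted input instead of trying to escape it
            }
            if (!ExternalInterface.available) {
                return false; // not embedded in a scriptable container
            }
            // Pass data as arguments; no "javascript:" URL is built from a string.
            var url:String = "file.php?c=" + encodeURIComponent(c);
            try {
                ExternalInterface.call("open_c", url, "cover_in");
            } catch (e:Error) {
                return false; // e.g. script access denied by the embedding page
            }
            return true;
        }
    }
}
```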