ignore previous invalid javascript
Posted by: Reiners
Date: January 25, 2010 10:16AM

Hi all,

Currently I am pentesting a Flash app and found the following potential XSS flaw in the ActionScript code:

var loc0:* = "javascript:open_c('file.php?c=" + MovieClip(root).loaderInfo.parameters.c + "','cover_in');";
var loc1:* = new URLRequest(loc0);

Now, as one can see, I can easily inject JavaScript by loading the Flash app like:

test.swf?c=');alert(1);//
or
test.swf?c='+alert(1)+'

Unfortunately, if I open the Flash file directly without embedding it in the webpage, of course the custom function open_c() is not declared and executing JS fails.
Now, is there any way to execute JavaScript although previous JavaScript code failed executing?

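A hardened form of the pattern shown in the post, as an added example that is not part of the original post or of the tested application: the `c` parameter is checked against an allow-list and handed to `open_c` as a function argument instead of being concatenated into a `javascript:` URL. The class name `CoverLink`, the helper `validCoverId` and the allowed format of `c` are assumptions.

```actionscript
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface;

    // Hypothetical document class; names and the allow-list pattern are
    // assumptions, not taken from the application discussed in the post.
    public class CoverLink extends Sprite {
        // Assumed shape of a legitimate "c" value: a short identifier.
        // Quotes, parentheses, plus signs and backslashes never match,
        // so the value cannot terminate a string literal or add script.
        private static const SAFE_ID:RegExp = /^[A-Za-z0-9_-]{1,64}$/;

        // Returns the value when it matches the allow-list, otherwise null.
        public static function validCoverId(raw:*):String {
            if (!(raw is String)) {
                return null;
            }
            var s:String = raw as String;
            return SAFE_ID.test(s) ? s : null;
        }

        public function openCover():void {
            // Same source of input as in the post: a query-string / FlashVars value.
            var c:String = validCoverId(root.loaderInfo.parameters.c);
            if (c == null) {
                return; // reject instead of trying to sanitize
            }
            if (!ExternalInterface.available) {
                return; // no scripting container, nothing to call
            }
            // Data travels as arguments; no script source is assembled from input.
            ExternalInterface.call("open_c",
                                   "file.php?c=" + encodeURIComponent(c),
                                   "cover_in");
        }
    }
}
```

With this check, both parameter values quoted in the post fail the allow-list and `openCover()` returns without calling into the page.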