ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
ignore previous invalid javascript
Posted by: Reiners
Date: January 25, 2010 10:16AM

Hi all,

Currently I am pentesting a Flash app and found the following potential XSS flaw in the ActionScript code:

var loc0:* = "javascript:open_c('file.php?c=" + MovieClip(root).loaderInfo.parameters.c + "','cover_in');";
var loc1:* = new URLRequest(loc0);

Now, as one can see, I can easily inject JavaScript by loading the Flash app like:


Unfortunately, if I open the Flash file directly without embedding it in the webpage, of course the custom function open_c() is not declared and executing JS fails.
Now, is there any way to execute JavaScript although the previous JavaScript code failed executing?

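Added example, not part of the original post and not the application's own code: a hardened form of the snippet above for the remediation side of the finding. It assumes that c is meant to be a short alphanumeric identifier and that the embedding page defines open_c(url, target); the helper name safeCoverId is hypothetical.

```actionscript
import flash.display.MovieClip;
import flash.external.ExternalInterface;

// Hypothetical helper (not from the original app): accept the FlashVars /
// query-string value only if it matches a strict allowlist.
// Assumption: "c" is a short identifier made of letters, digits, "_" or "-".
function safeCoverId(raw:String):String {
    if (raw == null) {
        return null;                       // parameter missing
    }
    var allowed:RegExp = /^[A-Za-z0-9_-]{1,64}$/;
    return allowed.test(raw) ? raw : null; // anything else is rejected
}

// Same source as in the post: attacker-controllable when the SWF is loaded
// with a crafted query string or FlashVars.
var c:String = safeCoverId(MovieClip(root).loaderInfo.parameters.c);

if (c != null && ExternalInterface.available) {
    // Pass the values as function arguments instead of concatenating them
    // into a "javascript:" URL, so the parameter is never parsed as script
    // source. encodeURIComponent keeps it confined to the "c" query field.
    ExternalInterface.call("open_c",
                           "file.php?c=" + encodeURIComponent(c),
                           "cover_in");
}
// If validation fails, nothing is sent to the browser at all.
```

The allowlist is the main control here: a value containing quotes, parentheses or semicolons never reaches the page's script context.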