I found an XSS on a website by accident, but ran into a couple of problems. For some reason the XSS only gets triggered on Chrome/Chromium, while Firefox/IE/Opera somehow aren't affected.
The XSS is from a Flash embed in the website, where the src= is set to javascript:, causing it to execute the JS.
Here is what it looks like when Chrome/Chromium renders it:
It looks almost identical; the only difference is the order of things.
I was wondering if anyone knew how to get this to work across browsers?
Also, on a side note, is there anything I could do with a Flash file? Like embed my own SWF file to trigger some kind of XSS? It says "allowscriptaccess=never", but just wondering.
If the allowscriptaccess=never tag wasn't there you could embed a SWF with XSS in it, but it would only execute on oldish versions of Flash. Since about Flash 10, the default allowscriptaccess value changed, so you need allowscriptaccess=always to exploit via Flash.
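From the defending side, the src=javascript: embed described in this thread is stopped by validating the embed source against a scheme and host allowlist before it is written into the page. The following is an added example, not code from the thread or from the affected site; the host `media.example.test`, the base `site.invalid` and the function names are assumptions.

```javascript
// Constructed allowlist: hosts permitted to serve embedded media (assumption).
const ALLOWED_HOSTS = new Set(['media.example.test']);
// Base used only to resolve relative input; its host is not in the allowlist.
const BASE = 'https://site.invalid/';

// Returns a normalized https URL string, or null if the input must be rejected.
function safeEmbedSrc(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    // The WHATWG parser trims leading control characters and strips tabs and
    // newlines, so the scheme checked here is the one a browser would resolve.
    url = new URL(raw, BASE);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;     // drops javascript:, data:, http:
  if (url.username || url.password) return null;  // rejects user@host confusion
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Escapes a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Builds the embed markup, or returns '' when the source is rejected.
// allowscriptaccess is always emitted as "never", never taken from user input.
function buildEmbed(raw) {
  const src = safeEmbedSrc(raw);
  if (src === null) return '';
  return '<embed src="' + escapeAttr(src) + '" allowscriptaccess="never">';
}
```

Parsing the value first and comparing the parsed scheme avoids the string-prefix checks that mixed case or embedded whitespace slip past.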