Q and A for any cross site scripting information. Feel free to ask away. 
XSS with flash embed
Posted by: lolwut
Date: May 31, 2011 10:07PM

I found an XSS on a website by accident, but ran into a couple of problems. For some reason the XSS only gets triggered on Chrome/Chromium, while Firefox/IE/Opera somehow aren't affected.

The XSS is from a Flash embed in the website, where the src= is set to javascript:, causing it to execute the JS.

Here is what it looks like when Chrome/Chromium renders it:

<embed type="application/x-shockwave-flash" src="javascript:alert(document.cookie)" width="200" height="50" style="" bgcolor="#FFFFFF" quality="high" scale="scale" allowfullscreen="true" allowscriptaccess="never" salign="tl" wmode="opaque" flashvars="width=200&amp;height=50">


and here is what it looks like when Firefox 4 renders it:


<embed height="50" width="200" flashvars="width=200&height=50" wmode="opaque" salign="tl" allowscriptaccess="never" allowfullscreen="true" scale="scale" quality="high" bgcolor="#FFFFFF" style="" src="javascript:alert(document.cookie)" type="application/x-shockwave-flash">


It looks almost identical; the only difference is the order of things.


I was wondering if anyone knew how to get this to work cross-browser?

Also, on a side note, is there anything I could do with a Flash file, like embedding my own SWF file to trigger some kind of XSS? It says "allowscriptaccess=never", but I'm just wondering.

Thanks

Re: XSS with flash embed
Posted by: Albino
Date: June 01, 2011 07:39AM

If the allowscriptaccess=never attribute wasn't there you could embed a SWF with XSS in it, but it would only execute on oldish versions of Flash. Since about Flash 10, the default allowscriptaccess value changed, so you need allowscriptaccess=always to exploit via Flash.

Re: XSS with flash embed
Posted by: Anonymous User
Date: June 01, 2011 04:03PM

Can you inject before the attribute?

Thinking:
<embed allowscriptaccess="always" allowscriptaccess="never">
