Flash-based XSS – ExternalInterface.call()
In this section, I'll explain decompiling and exploiting Flash files for XSS. We will cover one commonly found XSS vector in Flash files: user-supplied input reaching the ExternalInterface.call() function without proper filtering.
What is this ExternalInterface.call() thing, you might wonder. Simply speaking, it's an ActionScript (the language that compiles to Flash) function that acts as a bridge between the Flash file and the JavaScript interface of the browser. The syntax of this function is as follows:
ExternalInterface.call("any-javascript-func", "arg");
To execute eval(alert(1)), you should use the following syntax:
ExternalInterface.call("eval", "alert(1)");
The equivalent JS generated would be as follows:
try { __flash__toXML(any-javascript-func("arg")); } catch (e) { "<undefined/>"; }
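To make the unfiltered-callback problem concrete, here is an added JavaScript model (not code from the book and not Flash Player code) of how the bridge splices the function name verbatim into the generated JS, beside the allowlist check a SWF author should apply to any flashvar-supplied callback name before handing it to ExternalInterface.call(). The generated-string format follows the line quoted above; argument escaping is simplified to JSON.stringify, and the callback names are made up for the example.

```javascript
// Added example: models the Flash -> JS bridge described above so the risk
// of an unfiltered callback name is visible. Not Flash Player's own code.

// The player inserts the function name into the JS verbatim and passes the
// argument as a JS literal (simplified here to JSON.stringify). Whatever is
// in funcName is therefore evaluated as JavaScript by the browser.
function buildBridgeCall(funcName, arg) {
  return 'try { __flash__toXML(' + funcName + '(' + JSON.stringify(arg) +
         ')); } catch (e) { "<undefined/>"; }';
}

// Defensive check the SWF should perform on a flashvar-supplied callback:
// a plain identifier (dotted path allowed) that also appears on an explicit
// allowlist of functions the embedding page really exposes.
const IDENTIFIER = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name, allowlist) {
  return IDENTIFIER.test(name) && allowlist.includes(name);
}

// Guarded call: returns the JS the bridge would generate, or null when the
// callback name fails validation (the SWF should then skip the bridge call).
function safeBridgeCall(funcName, arg, allowlist) {
  if (!isSafeCallbackName(funcName, allowlist)) return null;
  return buildBridgeCall(funcName, arg);
}

// Hypothetical callbacks a video-player page might expose (constructed).
const PAGE_CALLBACKS = ['playerReady', 'Player.onStateChange'];
```

Note that "eval" passes the identifier regex but not the allowlist, which is why the regex alone is not enough.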
As a real-life example, I'll take a case in which I discovered a Flash-based XSS in www.garage4hackers.com, which in turn used an outdated version of the...