Flash-based XSS – ExternalInterface.call()
In this section, I'll explain decompiling and exploiting Flash files for XSS. We will cover one commonly found XSS vector in Flash files that is user-supplied input reaching the ExternalInterface.call() function without proper filtering.
What is this ExternalInterface.call() thing, you might wonder. Simply speaking, it's an ActionScript (which complies with Flash) function and acts as a bridge between the Flash file and the JavaScript interface of the browser. The syntax of this function is as follows:
ExternalInterface.call("any-javascript-func", "arg");To execute eval(alert(1)), you should use the following syntax:
ExternalInterface.call("eval", "alert(1)");The equivalent JS generated would be as follows:
try { __flash__toXML(any-javascript-func, "arg"); } catch (e) { "<undefined/>"; }As a real-life example, I'll take a case in which I discovered a Flash...
