Saturday, 27 October 2012

XSS using a Flash SWF + Google XSS

Recently I've been brushing up on my XSS. One interesting example I came across used Flash SWF files to perform XSS:

This type of attack has been around for years, but I'd never played with it myself, so I decided to look into it further. First up, what is an SWF? From Wikipedia:

SWF is an Adobe Flash file format used for multimedia, vector graphics and ActionScript. SWF files can contain animations or applets of varying degrees of interactivity and function.

If these files can contain ActionScript, then that means there's going to be input/output and potential vulnerabilities! And for media/graphics teams and companies whose focus is producing content, security is really not going to be a priority. Good news for us but bad news for anyone hosting SWFs.

For an introduction to exploiting SWFs check out the OWASP site:

The cool thing with these files is that they can be decompiled with relative ease, allowing you to perform static analysis. By locating the input variables and the functions that use them you can sometimes spot potential vulnerabilities.

So first up you need a decompiler. I found ASdec to be quick and effective; SWFScan is also a good choice, especially because it has a built-in vulnerability scanner which can speed things up.



Next find yourself an SWF. The easiest way is to Google "filetype:swf", open any link and in Chrome go to Options -> Save Page As. Now you can open the SWF in ASdec, SWFScan, or both. I found ASdec easier to follow, but as already mentioned the vulnerability scanning feature of SWFScan is pretty handy. So to start off I'd run a quick scan in SWFScan (the Analyze button). If you get lucky you might find a potential XSS/CSRF. Take a look at the "Source" tab; this should have the vulnerable code highlighted.

There are two things you should look for. The first is input variables or undeclared global variables, denoted by _global, _root or _level0. These are variables we may be able to control and potentially use to exploit the SWF. The second is interesting functions that use these variables. The OWASP site has a good list of functions to look out for:

XML.load ( 'url' )
LoadVars.load ( 'url' ) 
Sound.loadSound( 'url' , isStreaming ); 'url' );
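The review described above (find the variables an outsider controls, then find the functions that consume them) can be partly automated over decompiler output. The following is an added example and not code from the post or from ASdec/SWFScan: a small JavaScript source-to-sink scan. Sources are the undeclared globals named above (_global, _root, _level0) plus loaderInfo.parameters from the second example; sink methods are the load, loadSound and call methods behind the OWASP list (XML.load, LoadVars.load, Sound.loadSound) and ExternalInterface.call. The sample "decompiled" lines are constructed; the taint tracking is deliberately simple (one assignment per line, no control flow), so treat its output as candidates for manual review, not verdicts.

```javascript
// Added example, not code from the original post: a small source-to-sink scan
// over decompiled ActionScript text, automating the manual review the post
// describes. SOURCE_PATTERNS are the undeclared globals the post names plus
// loaderInfo.parameters; SINK_METHODS are the method names of the OWASP sinks
// on the page and of ExternalInterface.call. The sample input is constructed.

const SOURCE_PATTERNS = [/\b_global\b/, /\b_root\b/, /\b_level0\b/, /\bloaderInfo\.parameters\b/];
const SINK_METHODS = ['load', 'loadSound', 'call'];

// One assignment per line: "[var] name[:Type] = expression" (comparison operators excluded)
const ASSIGN = /^\s*(?:var\s+)?([A-Za-z_$][\w$]*)(?::\s*[\w.]+)?\s*(?<![=!<>])=(?!=)\s*([^;]+)/;
// Any call of a sink method, capturing its argument list
const SINK_CALL = new RegExp('\\.(' + SINK_METHODS.join('|') + ')\\s*\\(([^)]*)\\)', 'g');

function isSource(expr) {
  return SOURCE_PATTERNS.some((re) => re.test(expr));
}

// Returns the first tainted identifier referenced by expr, or null
function usesTainted(expr, tainted) {
  for (const name of tainted) {
    if (new RegExp('\\b' + name.replace(/\$/g, '\\$') + '\\b').test(expr)) return name;
  }
  return null;
}

// Walks the text once, propagating taint through plain assignments and
// reporting every sink call whose arguments derive from a source.
function scanActionScript(text) {
  const tainted = new Set();
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const lineNo = idx + 1;
    const a = line.match(ASSIGN);
    if (a) {
      const [, name, rhs] = a;
      if (isSource(rhs)) {
        tainted.add(name);
        findings.push({ line: lineNo, kind: 'source', name, expr: rhs.trim() });
      } else if (usesTainted(rhs, tainted)) {
        tainted.add(name); // taint flows through "var copy = path"
      }
    }
    for (const m of line.matchAll(SINK_CALL)) {
      const [, method, args] = m;
      const via = isSource(args) ? 'direct' : usesTainted(args, tainted);
      if (via) findings.push({ line: lineNo, kind: 'sink', method, args: args.trim(), via });
    }
  });
  return findings;
}

// Constructed stand-in for decompiler output, shaped like the post's first example
const SAMPLE_DECOMPILED = [
  'var path:String = _root.xmlPath;',      // flashvar read into a local
  'var myXML:XML = new XML();',
  'var local:String = "config.xml";',      // constant, never tainted
  'myXML.load(path);',                     // sink reached through the tainted local
  'backup.load(local);',                   // sink with a constant: not reported
  'ExternalInterface.call(_root.cb, id);', // sink fed a source directly
].join('\n');

console.log(JSON.stringify(scanActionScript(SAMPLE_DECOMPILED), null, 2));
```

Run against the sample it reports the source assignment on line 1 and the two sink calls on lines 4 and 6, and stays quiet about the constant on line 5. Matching on method names rather than class names (`.load(` instead of `XML.load`) is deliberate: decompiled code calls the method on an instance, so the class name is rarely on the same line.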

Next you'll need to verify how the variable is being used and whether it's actually possible to take control of the function. Sometimes you won't be able to control the input value, or there may be filtering in place. This is where static code analysis comes in. As each SWF is different there is no fixed method for this, but I'll cover some examples below.

Example 1 - XML function with filtering (see code below)

In this first example you can see how the program accepts an XML path as input and performs some checking to prevent us from using a remote resource (such as our own malicious xml file!). The legitimate URL was something like We want to change it to, however in this example it's not possible due to input validation.

The first thing to take note of is the call to our input data (path=_root.xmlPath) and its subsequent use by the XML object (myXML.load(path)). At first glance this looks quite promising. However, you'll notice that before myXML.load is performed our path variable is checked using the isDomainEnabled function...

The isDomainEnabled function first checks for the existence of www or http:// (indexOf returns -1 if something doesn't exist), then checks if our domain is included in the domain list. I've blacked it out to protect the company's identity, but the black spots are just, etc. So if we try to call our remote domain we end up stuck in the while loop. Uh oh!

So how can we get around this filter? Encoding is an obvious choice or how about using just https:// instead of http:// ? :)
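To make the weakness of that filter concrete, here is an added JavaScript example (not the SWF's own ActionScript, which was shown as an image in the post) that models the substring-based isDomainEnabled logic described above beside a version that parses the URL and compares the host name exactly. ALLOWED_HOSTS, the base origin used to resolve relative paths, and all test URLs are constructed stand-ins for the blacked-out values. The point for anyone hosting SWFs: checking for the presence of "http://" and then substring-matching a host list is not an origin check, so a plain https:// URL, or a host that merely contains an allowed name, passes the weak version and is rejected by the strict one.

```javascript
// Added example, not code from the post. Two implementations of the
// "may this path be loaded?" decision from Example 1: the substring check
// the post describes and a hardened, parse-then-compare version.
// ALLOWED_HOSTS and the base origin are constructed assumptions.

const ALLOWED_HOSTS = ['cdn.example.com', 'www.example.com'];
const HOSTING_ORIGIN = 'https://www.example.com/'; // where the SWF itself is served from (assumed)

// Weak: mirrors the logic described in the post. Anything that does not
// contain "www" or "http://" is treated as a harmless relative path, and an
// absolute URL is accepted if any allowed host appears anywhere in the string.
function isDomainEnabledWeak(path) {
  const looksAbsolute = path.indexOf('www') !== -1 || path.indexOf('http://') !== -1;
  if (!looksAbsolute) return true;
  return ALLOWED_HOSTS.some((host) => path.indexOf(host) !== -1);
}

// Strict: resolve the path the way the loader would, then require an
// http(s) scheme and an exact, case-insensitive host-name match.
function isDomainEnabledStrict(path) {
  let url;
  try {
    url = new URL(path, HOSTING_ORIGIN); // relative paths resolve to the hosting origin
  } catch (e) {
    return false; // unparsable input is rejected rather than trusted
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return ALLOWED_HOSTS.includes(url.hostname.toLowerCase());
}

// Constructed inputs: a relative path, an allowed absolute URL, and three
// outside URLs that differ only in scheme or host spelling.
const SAMPLE_PATHS = [
  'data/config.xml',
  'http://www.example.com/data/config.xml',
  'http://evil.example/config.xml',
  'https://evil.example/config.xml',
  'http://cdn.example.com.evil.example/config.xml',
];

function compareChecks(paths) {
  return paths.map((p) => ({ path: p, weak: isDomainEnabledWeak(p), strict: isDomainEnabledStrict(p) }));
}

console.table(compareChecks(SAMPLE_PATHS));
```

The weak check is written to accept the relative path and the allowed absolute URL just as the original does, so the hardened version is a drop-in replacement for legitimate inputs. In a real SWF the resolution base would be the SWF's own URL as the Flash player computes it, which is why HOSTING_ORIGIN is flagged as an assumption.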

Example 2 - Regex filtering

Another example I encountered took in a parameter called swf_id which was later used in an ExternalInterface call. Unfortunately it was not possible to take advantage of because of regex filtering. First the parameter was loaded. For example, if our URL is the swf_id parameter was assigned using root.loaderInfo.parameters.swf_id; in this case if nothing is supplied it was left blank. In this example a RegExp object was used to look for any non-alphanumeric character, and if one is found it throws an error. This prevents us from including a URL or JavaScript in the swf_id parameter :(

Example 3 - ExternalInterface Call

There's a good example of how unfiltered inputs can be abused using at the below link:

This example is exploitable because of non-existent input validation of the parameters sent to this function:, this.elementID, event);
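The contrast between the second and third examples is the presence or absence of an allowlist in front of the ExternalInterface bridge. The following is an added JavaScript example, not code from either SWF, that models both halves: validateSwfId applies the "reject any non-alphanumeric character, blank if missing" rule from the second example, and buildBridgeCall is a hypothetical stand-in for ExternalInterface.call that only accepts a plain dotted identifier as the callback name and serialises every argument as JSON data. The function and parameter names (buildBridgeCall, onPlayerEvent, flashvars.swf_id) and the inputs are constructed; the modelling assumption is that the bridge ends up evaluating a JavaScript statement assembled from the callback name and its arguments.

```javascript
// Added example, not code from the post. Allowlist validation for values
// taken from flashvars before they cross into the page's JavaScript.
// buildBridgeCall and onPlayerEvent are hypothetical names for illustration.

const ALNUM_ONLY = /^[A-Za-z0-9]*$/;                                  // Example 2's rule
const DOTTED_IDENT = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;     // e.g. "player.onEvent"

// Example 2: the RegExp allowlist applied to swf_id. A missing flashvar is
// treated as blank (as the post describes); anything non-alphanumeric throws.
function validateSwfId(swfId) {
  const value = swfId == null ? '' : String(swfId);
  if (!ALNUM_ONLY.test(value)) {
    throw new Error('swf_id contains a non-alphanumeric character');
  }
  return value;
}

// Example 3, hardened: the callback name must be a plain (dotted) identifier,
// and each argument is encoded as a JSON literal, so neither can change the
// shape of the statement the bridge evaluates. Returns that statement.
function buildBridgeCall(callbackName, ...args) {
  if (!DOTTED_IDENT.test(String(callbackName))) {
    throw new Error('callback name is not a plain identifier');
  }
  const encoded = args.map((a) => JSON.stringify(a));
  return `${callbackName}(${encoded.join(', ')})`;
}

// Composition as the SWF in Example 3 would use it: the flashvar-derived
// element id is validated before it is handed to the bridge. The callback
// name is fixed in the SWF, never taken from input.
function onPlayerEvent(flashvars, event) {
  const elementId = validateSwfId(flashvars.swf_id);
  return buildBridgeCall('player.onEvent', elementId, event);
}

// Constructed inputs: one clean id and one that fails the allowlist
console.log(onPlayerEvent({ swf_id: 'player42' }, 'ready'));
try {
  onPlayerEvent({ swf_id: 'bad id!' }, 'ready');
} catch (e) {
  console.log('rejected:', e.message);
}
```

Keeping the callback name a constant inside the SWF and restricting everything else to data is what makes the third example's flaw (parameters reaching the bridge unvalidated) disappear; the regex alone, as in the second example, is enough when the only externally controlled value is an identifier.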

Does anyone actually use vulnerable SWFs?

After doing all this analysis I thought I'd take a look at a few sites to see if they were hosting any vulnerable SWFs, as this could lead to XSS/CSRF.

Google was hosting hardly any SWFs, so I checked each one in turn. When running one file in particular, it had a user interface that listed AutoDemo as its creator. Googling AutoDemo and XSS, I discovered that there is a file called control.swf that is used by AutoDemo files and is vulnerable to XSS. It hadn't shown up in the original search results, but it was there and it was exploitable :)

There is one caveat to this story though. The file was not hosted on one of the core Google domains; it's actually hosted on the sandboxed cache, "googleusercontent". So sadly it wasn't possible to steal any data using XSS. However, it would be possible to use this for phishing, and as it is based in the Google family it should still be effective at enticing users to click it.

This was the first file I found:

Here's the proof of concept XSS involving the control file."L0LZ G00GLE H4Z XSS!")//

I contacted Google about this issue; they said they didn't regard this as a serious security risk, as user data cannot be compromised and the risk of phishing is minimal. For example, there's nothing stopping someone from registering a domain called that would be far more effective for phishing. So should all vulnerabilities found in the Google cache be classified as low risk?

It's an interesting question: does the Google cache offer a unique attack vector? Maybe I'll save this for another blog post ;) If anyone has any ideas or comments, feel free to leave a message below.



  1. Hi, I am trying to exploit one Flash-based XSS but am unable to do so. Can you please help?

  2. Can you provide some code or a link?

