Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos
"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"
com/HackWorld.swf" width="640" height="480">
Or, equivalently, this:
The JavaScript would execute in the domain of the vulnerable site. However, this is just a complicated XSS because an attacker probably could have directly injected JavaScript between script tags instead. We'll discuss more interesting attacks shortly.

The inverse of MTASC is Flare. Flare decompiles SWFs back to reasonably readable ActionScript source code. Installing Flare from www.nowrap.de/flare.html and running it as follows:

    flare HackWorld.swf

creates a HackWorld.flr file containing the following ActionScript:

Chapter 9: Attacking Flash Applications 229

    movie 'HackWorld.swf' {
    // flash 7, total frames: 1, frame rate: 20 fps, 640x480 px, compressed

      movieClip 20480 __Packages.HackWorld {
      #initclip
        if (!HackWorld) {
          _global.HackWorld = function () {};
          var v1 = _global.HackWorld.prototype;
          _global.HackWorld.main = function (args) {
            var v3 = 'alert(1)';
            getURL('javascript:' + v3, '_self');
          };
          ASSetPropFlags(v1, null, 1);
        }
      #endinitclip
      }

      frame 1 {
        HackWorld.
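The decompiled listing shows why auditing Flare output is worthwhile: the dangerous behaviour is a getURL() call whose first argument is built from a 'javascript:' literal. The following script is an added example, not code from the book or from Flare, that walks Flare-style .flr text and reports every URL sink (getURL, loadMovie, loadVariables) together with how its URL argument is formed: a 'javascript:' literal (executes script in the embedding page's origin), a non-literal expression (attacker-influenced if it comes from FlashVars or the query string), or a fixed URL. The sample input is the HackWorld.flr excerpt from this page, re-typed here; the sink list, severities and function names are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample input: the Flare (.flr) decompilation of HackWorld.swf
# quoted on this page, trimmed to the lines that matter for the check.
SAMPLE_FLR = """\
movie 'HackWorld.swf' {
  movieClip 20480 __Packages.HackWorld {
  #initclip
    if (!HackWorld) {
      _global.HackWorld = function () {};
      var v1 = _global.HackWorld.prototype;
      _global.HackWorld.main = function (args) {
        var v3 = 'alert(1)';
        getURL('javascript:' + v3, '_self');
      };
      ASSetPropFlags(v1, null, 1);
    }
  #endinitclip
  }
}
"""

# ActionScript 2 calls that hand a URL to the browser or the Flash player
# (assumed sink list for this example; extend it for your own review).
SINKS = ("getURL", "loadMovie", "loadVariables")
CALL_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
STRING_RE = re.compile(r"(['\"])(.*?)\1")


def _extract_call_args(src: str, open_paren: int) -> str:
    """Return the text between the parentheses of the call whose '(' is at
    src[open_paren], honouring nested parentheses and quoted strings."""
    depth, quote = 0, None
    for i in range(open_paren, len(src)):
        ch = src[i]
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unterminated call: take the rest


def _first_arg(args: str) -> str:
    """Split off the first argument at the first top-level comma."""
    depth, quote = 0, None
    for i, ch in enumerate(args):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            return args[:i].strip()
    return args.strip()


def classify_url_arg(arg: str) -> Dict[str, str]:
    """Rate a URL argument expression by how it is built."""
    literals = [m.group(2) for m in STRING_RE.finditer(arg)]
    # Any javascript: literal anywhere in the expression runs script in the
    # origin of the page that embeds the SWF.
    if any(lit.lstrip().lower().startswith("javascript:") for lit in literals):
        return {"kind": "javascript-scheme", "severity": "high"}
    # Not a single string literal: variables, concatenation, FlashVars, etc.
    if STRING_RE.fullmatch(arg) is None:
        return {"kind": "dynamic-url", "severity": "medium"}
    return {"kind": "static-url", "severity": "info"}


def find_url_sinks(source: str) -> List[Dict[str, str]]:
    """Locate every sink call in decompiled ActionScript and classify its URL."""
    findings = []
    for m in CALL_RE.finditer(source):
        open_paren = m.end() - 1
        first = _first_arg(_extract_call_args(source, open_paren))
        line = source.count("\n", 0, m.start()) + 1
        findings.append({"line": line, "call": m.group(1), "arg": first,
                         **classify_url_arg(first)})
    return findings


if __name__ == "__main__":
    for f in find_url_sinks(SAMPLE_FLR):
        print(f"line {f['line']}: {f['call']}({f['arg']}) "
              f"-> {f['kind']} [{f['severity']}]")
```

Run against the HackWorld listing it reports the single getURL() call on line 9 as a javascript-scheme sink; on a real .flr file the medium-severity "dynamic-url" hits are the ones to trace back to their source, since a URL taken from FlashVars or the query string is the usual root of the Flash XSS the chapter goes on to discuss.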