com/VulnerableMovie.swf">
User input is accessed from many objects within the Flash application, such as the _root,
_level0, and other objects. Assume all undefined variables are definable with URL
parameters.
This Flash application displays a hello message to userinput1. If userinput2 is
provided, the user is sent to a URL specified in userinput2. If _root.userinput3 is
provided, then the Flash application loads another Flash application.
An attacker can use all of these user-definable inputs to perform XSS.
XSS Based on getURL()
Popularity: 4
Simplicity: 7
Impact: 8
Risk Rating: 8
Chapter 9: Attacking Flash Applications 231
First, consider userinput1. This variable is initialized by its presence in the Flash input variables, but uninitialized by the Flash application. Contrary to its name, userinput1 may not even have been intended to be user input; in this case, userinput1 is just an uninitialized variable. If it is initialized via a URL parameter, as in the following URL,
http://example.com/VulnerableMovie.swf?userinput1=javascript%3Aalert%281%29
then the getURL() function tells the browser to load the javascript:alert(1) URL, which executes JavaScript on the domain where the Flash application is hosted.
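As an added example (not code from the book or the application it describes), a default-deny URL check in Python of the kind a wrapper page or server-side redirect endpoint could apply to a parameter such as userinput2 before it is ever handed to a navigation call like getURL(). The function names, the allowed-host option and the sample values are assumptions for illustration; the point is that a javascript: URL, including its percent-encoded and whitespace-broken forms, never passes.

```python
from urllib.parse import unquote, urlsplit

# The only schemes that may ever be handed to a navigation call such as getURL().
SAFE_SCHEMES = frozenset({"http", "https"})


def is_safe_navigation_url(raw, allowed_hosts=None):
    """Return True only if `raw` is an absolute http(s) URL (optionally to an allowed host).

    Default-deny: anything not clearly safe is rejected, which is what keeps a value
    such as userinput2=javascript%3Aalert%281%29 away from getURL().
    """
    if not isinstance(raw, str) or not raw:
        return False
    # Query strings are decoded once before the value reaches the application; decode here
    # too so that javascript%3A is inspected as javascript: and not as an opaque string.
    candidate = unquote(raw)
    # Browsers drop tabs, newlines and surrounding spaces while parsing a URL, so
    # "java\nscript:" is interpreted as "javascript:". Rather than mimic that normalization,
    # refuse any control character or whitespace outright (conservative, as a validator should be).
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in SAFE_SCHEMES:
        return False  # rejects javascript:, data:, vbscript:, file: and scheme-less "//host"
    if not parts.hostname:
        return False  # "http:" with no authority is not a navigable absolute URL
    if allowed_hosts is not None and parts.hostname.lower() not in allowed_hosts:
        return False  # open-redirect guard: only hosts the application chose
    return True


def safe_redirect_target(raw, fallback="/", allowed_hosts=None):
    """Return the URL to navigate to, or `fallback` when the input fails validation."""
    return unquote(raw) if is_safe_navigation_url(raw, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample values modelled on the userinput2 parameter discussed above.
    for value in ("https://example.com/welcome",
                  "javascript%3Aalert%281%29",
                  "JaVaScRiPt:alert(1)",
                  "java%0Ascript:alert(1)",
                  "//attacker.invalid/",
                  "data:text/html,hi"):
        print(f"{value!r:40} -> {safe_redirect_target(value)!r}")
```

Only the first sample value survives; every other one falls back to "/".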