com/SomeAdBanner.swf?clickTAG=javascript:alert(1)
If you are developing Flash advertisements, ensure that clickTAG begins with http:
before executing getURL(clickTAG) like so:
if (clickTAG.substr(0,5) == "http:") {
getURL(clickTAG);
}
232 Hacking Exposed Web 2.0
XSS via HTML TextField.htmlText and TextArea.htmlText
Popularity: 2
Simplicity: 5
Impact: 8
Risk Rating: 8
Now consider userinput2 in the VulnerableMovie code. By default, TextFields
only accept plain text, but by setting html = true, developers can place HTML in
TextFields. Developers can always place HTML text in TextAreas. It is common practice
for developers to use Flash??™s limited HTML functionality. If the part of the text for the
TextField originates from user input, as with the preceding example, an attacker can
inject both HTML and arbitrary ActionScript. Injecting HTML is quite simple. For
example, this code
http://example.com/VulnerableMovie.swf?userinput2= %3Ca+href%3D%22javasc
ript%3Aalert%281%29%22%3Eclick+here+to+be+hacked%3C/a%3E
adds this HTML:
click here to be hackedIf the user clicks the ???click here to be hacked??? link, the attacker can run malicious
JavaScript on the domain hosting the SWF.
Pages:
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405