
Sunday, March 13, 2011

ExternalInterface.call() in ActionScript - can expose Flash applications to XSS attacks

The ExternalInterface class is the External API, an application programming interface that enables straightforward communication between ActionScript and the Flash Player container, for example an HTML page with JavaScript.
The ExternalInterface.call("functionNameInJavaScript", inputFromUser) function in ActionScript allows making calls from ActionScript to JavaScript functions.
The first parameter is the name of the JavaScript function, and the second one can be one or more parameters that this function receives.

A call to such a method is translated on the embedding page into JavaScript code that looks as follows:

try {
    __flash__toXML(functionNameInJavaScript("the value from inputFromUser"));
} catch (e) {
    // Do something useful;
}

If the inputFromUser parameter's value is Hey"people, a backslash escape character is added automatically and the value becomes Hey\"people.
However, the function does not escape any stray backslash characters. So input like Hello world!\"+alert('XSS')); } catch(e) {} // can lead to cross-site scripting attacks.
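To make the mechanism concrete, here is a small JavaScript model added to this post (it is not Flash Player's own code): a quote-only escaper like the one described above, a hardened escaper that handles backslashes first, a simplified reconstruction of the injected snippet, and a check that scans the generated code the way a JavaScript parser would to see whether the user value stays inside its string literal. The function names (escapeQuoteOnly, escapeForJsString, buildCall, firstStringLiteral, valueSurvives) are assumed for this example.

```javascript
// Escaping as described for ExternalInterface.call(): only '"' gets a backslash.
function escapeQuoteOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Hardened escaping: backslashes first, then quotes. Order matters, because
// escaping quotes first would leave a fresh '\"' pair for the backslash pass to mangle.
// In real code JSON.stringify(s) covers this and control characters as well.
function escapeForJsString(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Simplified reconstruction (assumption) of the snippet the Flash container injects.
function buildCall(fnName, userValue, escaper) {
  return 'try { __flash__toXML(' + fnName + '("' + escaper(userValue) + '")); } catch (e) { }';
}

// Return the contents of the first double-quoted literal in `js`, ending at the
// first unescaped quote, which is where the JavaScript parser ends the string too.
// Only \\ and \" are decoded; other escapes are not needed for this demonstration.
function firstStringLiteral(js) {
  const start = js.indexOf('"');
  let out = '';
  for (let i = start + 1; i < js.length; i++) {
    const c = js[i];
    if (c === '\\') { out += js[++i]; continue; }
    if (c === '"') return out;
    out += c;
  }
  return null; // unterminated literal
}

// Does the user value round-trip intact through the generated snippet?
// If not, part of the input has escaped the literal and is parsed as code.
function valueSurvives(userValue, escaper) {
  return firstStringLiteral(buildCall('cb', userValue, escaper)) === userValue;
}

// Constructed sample inputs: the post's Hey"people, and the same with a stray backslash.
const plainQuote = 'Hey"people';
const backslashQuote = 'Hey\\"people';
console.log(valueSurvives(plainQuote, escapeQuoteOnly));      // true
console.log(valueSurvives(backslashQuote, escapeQuoteOnly));  // false: literal ends after "Hey\"
console.log(valueSurvives(backslashQuote, escapeForJsString)); // true
```

With the quote-only escaper the second input yields `Hey\\"people` inside the snippet, so the parser reads `\\` as one literal backslash and the following quote closes the string early; the hardened escaper emits `Hey\\\"people` and the value survives.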

This vulnerability was found by lcamtuf and was first posted on his blog.
