Upload your own XSS

A few meetings ago i gave a demo on uploading a flash file to file hosting sites that contains a evil XSS payload. Here is my write up on it.

A while back I was doing a penetration test on a friends file hosting service application. His service allowed the uploading of flash files and when you viewed the files detail page it showed you a preview of the flash movie. At the time I knew you could use actionscript to put javascript in a flash file but I was not sure if it would have full access to the DOM and allow us to do evil stuff.

I started messing around in actionscript and came up with this:

After compiling it and uploading, when viewing the preview page I was greeted with a prompt box that had the contents of my cookie for that domain and it was displayed in text with in the flash embed! So, just like that we are able to manufacture a XSS vulnerability on a application that is otherwise secure.

There is some protection for this attack. When you embed a flash file in a web page that you don’t trust you should add the allowScriptAccess param and set it to none. However this can be bypassed easily, just go to the swf file itself and it will still execute the javascript supplied by our swf file. This means to be fully protected you will also need to use a modrewrite rule to force a download when ever someone tries to view a swf file directly.

Here is one example – http://www.ziddu.com/viewfile/22413513/xss.swf.html

Here is another – http://swfchan.org/2335/xss.swf

May meeting recap

The May meeting was another great one. Both Ngharo and my self were late because of traffic and junk so darkwind got things started with his popular demo of sniffing pager messages from the air. I Showed up at the tail end and when he was done I started the introductions. It was good to see all the new faces. After everyone talked for about 15 minutes I gave a live demo on using actionscript “flash” to inject a XSS exploit into a other wise secure website. Then Noize took over and gave a interesting live demo of getting IP addresses from contacts on Skype. Then dw5304 showed some of the features in the untangled firewall software. Congrats to ALee for winning the dc414 free junk giveaway!! Here are some pictures I took of the meeting.

ALee and his winnings!

March meeting madness!

March’s meeting was filled with all sorts of shenanigans. dw5304 started things off with a little demo of Windows Server 8 and some of its improved features and functions.

Ngharo kept the OS ball rolling by going over some Linux 101 and while he was showing us how grep can be used to find wanted data in Apache logs Castor pulled a little prank on Ngharo and left a message in the logs for him 😛 Every one got a big laugh out of it. Ngharo also has promised to give a new Linux demo every meeting!

Then I stepped in and gave a demo on how to use temp XSS attacks to gain access to user accounts on web sites, the target in this case was Daily Motion using a known vector. It was complete with a explanation of the attack string, the payload, how to use it, and how to fix it. I gave the room the opportunity to hack my Daily Motion account, using the cookie stolen during my demo which turned out to be a bad idea, Ngharo thought it was cute to replace my profile picture with the index picture from lemonparty2 😐 Yeah, ok I loled hard at that one 🙂

Then The Professor showed us how to use “The Social Engineering Tool Kit” to phish n00bs and pwn their passwords! He gave us a step by step of how to copy a website, how to access the phish page, and what happens when its used. Then we all talked about how to know when your being phished. It was a great first demo from The Professor.

A big congrats to The Professor for winning the dc414 Free Junk Giveaway “pic below”, Enjoy your new Launchpad 🙂 Here are some other pictures from the awesome Cmoney.

The big winner:

SIDE NOTE:
The next morning with a slight hangover I open my email and find this from Daily Motion:
Hello anarchyang31,

The avatar of your Dailymotion account “anarchyang31” has been deleted due to non respect of the General Terms Of Use (inappropriate content).
In any event, we ask that you observe those conditions. You can review them by clicking here: http://www.dailymotion.com/legal/terms

After 5 deleted avatars, you will no longer be able to change it and it will be replaced with a default avatar.

You can upload a new avatar by clicking here: http://www.dailymotion.com/profile/avatar

Best regards,


The Dailymotion Team

LMAO thanx Ngharo. Ok thats it, later.