A Flash advertisement hosted at http://ad.com/ad.swf and displayed on http://yoursite.com can read the page's cookie and send it to ad.com.
Example setup: http://pastehtml.com/view/1dntfa4.html
The SWF is hosted on dl.dropbox.com. It reads document.cookie of pastehtml.com and sends it to dl.dropbox.com.
The SWF uses ExternalInterface.call() to execute arbitrary JavaScript.
This technique is explained here:
http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html
Code:
So, you can execute arbitrary JavaScript by passing a string like this to ExternalInterface.call():
"\\")); YOUR SCRIPT HERE }catch(e){}//""
You can also make cross-domain XHR requests from the SWF (only to the domain where the SWF is hosted).
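An added example, not code from the original post: the cookie read described above depends on the embed markup letting the SWF call into the page's JavaScript, which Flash Player controls through the AllowScriptAccess embed parameter (always, sameDomain or never, with sameDomain as the default). The check below flags embeds that grant that access; the function name, the descriptor shape and the sample data are assumptions made for illustration.

```javascript
// Added example: audit Flash embeds for script access to the hosting page.
// Descriptor shape and sample data are constructed for illustration.
const KNOWN = ["always", "samedomain", "never"]; // AllowScriptAccess values

function auditEmbeds(pageUrl, embeds) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const embed of embeds) {
    // Flash Player defaults to sameDomain when the parameter is absent.
    let access = (embed.allowScriptAccess || "sameDomain").trim().toLowerCase();
    // Assumption: treat an unrecognised value as the most permissive one.
    if (!KNOWN.includes(access)) access = "always";

    let swfOrigin = null;
    try {
      swfOrigin = new URL(embed.src, pageUrl).origin; // resolves relative src
    } catch (err) {
      swfOrigin = null; // unparsable src is treated as foreign
    }
    // Assumption: Flash's same-domain test is approximated by origin equality.
    const sameOrigin = swfOrigin === pageOrigin;

    if (access === "never") continue; // SWF cannot call page script
    if (access === "samedomain" && !sameOrigin) continue; // blocked by player
    findings.push({
      src: embed.src,
      access,
      severity: sameOrigin ? "review" : "high",
      reason: sameOrigin
        ? "same-origin SWF can script the page; confirm it is trusted"
        : "third-party SWF can run JavaScript with access to document.cookie",
    });
  }
  return findings;
}

// Constructed sample: the ad from the post's scenario embedded three ways,
// plus a first-party player.
const SAMPLE_PAGE = "http://yoursite.com/index.html";
const SAMPLE_EMBEDS = [
  { src: "http://ad.com/ad.swf", allowScriptAccess: "always" },
  { src: "http://ad.com/ad.swf", allowScriptAccess: "never" },
  { src: "http://ad.com/ad.swf" },
  { src: "/player.swf" },
];

console.log(auditEmbeds(SAMPLE_PAGE, SAMPLE_EMBEDS));
```

Embedding third-party ads with AllowScriptAccess set to never removes the ExternalInterface path, and cookies marked HttpOnly are not exposed through document.cookie in the first place.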