XSS in Myspace via Freecodesource and ClickTAG
I was wondering when someone would find this. I’ve actually known about this for a while but never had the time to test it myself, and in the last few days several people have pointed out what has been pretty obvious for a while. Via external embedded Flash objects, users are vulnerable to XSS via Freecodesource and ClickTAG.
The one regarding Freecodesource is probably the more interesting read because he accurately points out that the actual exposure is relatively low. Does that mean that it’s safe? No, definitely not. There are a number of potential issues with this, not the least of which is CSRF. Like it or not, Flash movies are a thing we’ll have to get used to despite “threecheeseopera’s” disdain, but maybe dynamically created Flash needs a re-think for serving rich media. I can’t wait to see Microsoft’s implementation of their vector-based graphics utility. Any guesses what that’ll look like? I wonder.
Meanwhile, Luny sent me a vulnerability in AsianXO (an Asian version of Myspace). These are coming fast and furious, both because of the nature of social networking and because the virulent nature of these types of attacks could mean big trouble, as Samy showed us. Here are the screenshots Luny sent me:
Thanks Luny!



June 10th, 2006 at 10:19 pm
Yea, these social networking sites are pretty disastrous. I’ve tested a few today and have a lot more to try, but about 3 so far are using the same techniques to filter data and not doing a very good job of it.