SWF XSS (DOM-Based XSS)

Hey Folks,

I was working on UBNT for a bounty and I found several XSS there, so I’m sharing one of the cool XSS.

In the above code the FlashVar parameter “bridgeName” is passed to the ExternalInterface.call method without filtering. It is possible to pass JavaScript code via the bridgeName parameter that will be executed when the vulnerable function is called (when the page loads).

Proof of Concept:

As proof of concept the following URL will inject the JavaScript code “alert(1)” to illustrate the flaw:

https://store.ubnt.com/skin/adminhtml/default/default/media/editor.swf?bridgeName=1\%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}//

store.ubnt.com xss

Some other path:

Bug is fixed now.
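
An added example (not from the original post and not UBNT's code) showing why the bridgeName value in the PoC URL ends its string literal early, and an allowlist check that rejects it. It assumes the runtime quotes the argument and escapes only double quotes, not backslashes; `quoteOnlyEscape`, `safeEscape`, `literalEnd`, `breaksOut`, `isValidBridgeName` and `report` are hypothetical names.

```javascript
// Added example. Assumption: the runtime builds a JS call by wrapping the
// argument in double quotes and escaping only '"', leaving '\' untouched.
function quoteOnlyEscape(s) {
  return '"' + s.replace(/"/g, '\\"') + '"';
}

// Correct serialization: JSON.stringify escapes backslashes as well as quotes.
function safeEscape(s) {
  return JSON.stringify(s);
}

// Index of the quote that closes the string literal starting at literal[0],
// following JavaScript's rule that a backslash consumes the next character.
function literalEnd(literal) {
  for (let i = 1; i < literal.length; i++) {
    if (literal[i] === '\\') { i++; continue; }
    if (literal[i] === '"') return i;
  }
  return -1;
}

// True when the literal closes before its last character, i.e. the rest of
// the value would be parsed as code instead of data.
function breaksOut(literal) {
  return literalEnd(literal) !== literal.length - 1;
}

// Allowlist check to apply to the FlashVar before it reaches any JS bridge:
// a plain identifier, nothing else. The exact pattern is an assumption.
function isValidBridgeName(name) {
  return typeof name === 'string' && /^[A-Za-z_][A-Za-z0-9_]{0,63}$/.test(name);
}

// bridgeName value taken from the PoC URL in the post, URL-decoded.
const pocValue = decodeURIComponent(
  '1\\%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}//');

function report(value) {
  return {
    quoteOnly: breaksOut(quoteOnlyEscape(value)),
    jsonEscaped: breaksOut(safeEscape(value)),
    allowed: isValidBridgeName(value),
  };
}

console.log('PoC value :', report(pocValue));
console.log('benign    :', report('b_flash_1')); // constructed sample
```

With quote-only escaping the injected backslash pairs with the escaping backslash, so the quote that follows closes the literal; full escaping or the allowlist both keep the value as data.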

Best Regards
Shubham

 

shubhamgupta

 
