28 Aug
Is it possible to get a Flash src after a redirect, or an element inside an embed/object/iframe tag (cross-domain)?
The URL example.com/auth will automatically redirect the user (HTTP 302) to example.com/signed_in.SWF?token=SENSITIVE.
Is it possible for an attacker to steal the token, using JavaScript or Flash, in the following example? How?
<!DOCTYPE html>
<html>
<body>
<embed id="foo" src="https://example.com/auth"></embed>
<!-- Remember that example.com/auth will be automatically redirected to example.com/signed_in.SWF?token=SENSITIVE -->
<!-- The code to steal the token value must go here -->
</body>
</html>
Consider that:
- The above .html is hosted on cross-domain.com, just like any other file involved in the "solution" (.swf, .js, .html, .css, etc.);
- You do not have control over example.com;
- You do not have control over signed_in.SWF;
- You can change the <embed> tag to <object> or <iframe>.