
Is it possible to get a flash src after a redirect or an element inside an embed/object/iframe tag (cross-domain)?

Çağlar Arlı


The URL example.com/auth will automatically redirect the user (HTTP 302) to example.com/signed_in.SWF?token=SENSITIVE.

Is it possible for an attacker to steal the token, using JavaScript or Flash, in the following example? How?

<!DOCTYPE html>
<html>
    <body>
        <embed id="foo" src="https://example.com/auth"></embed>
        <!-- Remember that example.com/auth will be automatically redirected to example.com/signed_in.SWF?token=SENSITIVE -->

        <!-- The code to steal the token value must go here -->

    </body>
</html>

Consider that:

  1. The above .html is hosted on cross-domain.com, just like any other file involved in the "solution" (.swf, .js, .html, .css, etc.);
  2. You do not have control over example.com;
  3. You do not have control over signed_in.SWF;
  4. You can change the <embed> tag to <object> or <iframe>;