Monday, August 3, 2015

One payload to XSS them all!

Hi,

Today I want to share a finding of mine from 2013: an XSS in a Flash file that was used on many websites (famous websites!).
The Flash file was called sIFR (Scalable Inman Flash Replacement).

Q: How did I find it?

A: Until today I was thinking that I was the first one to report this issue; in fact it is an old bug
that has a CVE (Read more).

So let's talk about what I found. I was looking for bugs in Adobe, and my exploring led me to:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=

The txt parameter took simple text.
The textcolor parameter took an HTML color code.


The page showed the XSS, and when I made the payload:

Hmm, good, the txt parameter shows our text. Let's do HTML things.

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

It works!!! And I found an XSS on Adobe. But I noticed something in the URL:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=
It looks like the path of a file on www.adobe.com, so I deleted the wwwimages.adobe.com/ part from the URL

and went to:

https://www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

The XSS showed up in the page; I clicked on it and booom!
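The two parameters described above are reflected straight into the page, so a defender can spot abuse of them in the web server access log. Here is an added example (not from the original post) that flags requests to .swf resources whose txt or textcolor value carries markup or a javascript: URL; the log lines, hostnames and client IPs are constructed placeholders.

```python
# Added example: detect markup delivered through sIFR .swf query parameters.
# Log lines are constructed (combined log format); they are not real traffic.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameters the post shows being reflected by the sIFR 2.0.2 .swf file.
REFLECTED_PARAMS = ("txt", "textcolor")

# Combined-format entry: client ip ... [timestamp] "METHOD path HTTP/x.y" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# A headline or a hex colour never contains a tag, a script URL or an event handler.
SUSPICIOUS_RE = re.compile(r"<[a-zA-Z/!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_sifr_params(path: str) -> dict:
    """Return {param: decoded value} for reflected sIFR params that look like markup."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith(".swf"):
        return {}  # only the Flash movie reflects these parameters
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in REFLECTED_PARAMS:
            continue
        for value in values:
            # parse_qs decodes once; a second unquote catches double-encoded brackets.
            decoded = unquote(value)
            if SUSPICIOUS_RE.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines):
    """Yield (client_ip, path, hits) for every log line with a suspicious sIFR request."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            hits = suspicious_sifr_params(m.group("path"))
            if hits:
                yield m.group("ip"), m.group("path"), hits


# Constructed sample log lines: a normal sIFR request, an injected one, and a non-.swf request.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Aug/2015:10:00:01 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE%20PHOTOSHOP%20CS3&textcolor=%23000000 HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Aug/2015:10:00:02 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=%3Ca%20href%3D%22javascript:alert(1)%22%3Exss%3C/a%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Aug/2015:10:00:03 +0000] "GET /index.html?txt=%3Cb%3E HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {hits}")
```

Running it reports only the second constructed line; the same check belongs in a WAF rule or SIEM query keyed on the .swf path, since the real fix is removing or upgrading the vulnerable sIFR movie.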

Please bear with me for injecting my name into the code; it was my start in bug bounty hhhhh :).

So it was very good.

Now I was thinking that sIFR2.0.2 is an Adobe product that I could find on other websites.

I made a dork to find others.

There were too many websites. Wait for the surprise, it was a big one:

Visa, AMEX, Blackberry, Stanford, Harvard, and many Gov sites.

Here are some samples:

The PoC video:

There are many other vulnerable websites.

Thanks for reading.

Useful links: