Tuesday, 3 February 2015

evercookie.swf - Stored Cross-Site Scripting

Today @samykamkar released a new version of evercookie that fixes a Stored Cross-Site Scripting issue that I reported. Here is how it works in detail.

First of all, we should look at the vulnerable code: evercookie.as

So the Flash file takes the flashVar parameter everdata and writes it into a SharedObject (something like Local Storage, but for Flash). If some data was already present in the SharedObject, it passes that value to a JavaScript function called _evercookie_flash_var() without any checks, so the value is concatenated straight into JavaScript code. The proof of concept for this version is therefore simple:

http://vulnerable-hostname/evercookie.swf?everdata=f');alert('XSS');// 

After visiting this URL and then visiting a page that embeds evercookie.swf, we'll see a wonderful alert box ;-) and the best part: it's a stored one, because the payload lives in the SharedObject and is replayed on every page that loads the SWF.
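The following is an added example, not evercookie's own code: it models in plain JavaScript how a stored value concatenated into a script string becomes code (the first PoC above), and contrasts that with two defender-side fixes: emitting the value as a proper string literal, and a page-side receiver that accepts only the shape an evercookie id is expected to have. The helper names, the `[A-Za-z0-9_-]` id format and the sample values are assumptions.

```javascript
// Added example (not evercookie's own code). Models the Flash -> JavaScript
// hand-off described above and contrasts the injectable pattern with fixes.

// Constructed sample values: an id-shaped value and the first PoC payload.
const LEGIT_VALUE = "f8a2c1";
const POC_PAYLOAD = "f');alert('XSS');//";

// Vulnerable pattern: the stored value is concatenated straight into a
// JavaScript expression (the getURL("javascript:...") style), so a quote in
// the value ends the string literal and the rest is executed as code.
function buildCallUnsafe(value) {
  return "_evercookie_flash_var('" + value + "')";
}

// Hardened pattern: emit the value as a JSON string literal. JSON.stringify
// escapes quotes, backslashes and control characters, so the value can only
// ever be the function's argument, never code.
function buildCallSafe(value) {
  return "_evercookie_flash_var(" + JSON.stringify(value) + ")";
}

// Defence in depth on the page side: the receiver accepts only the shape an
// evercookie id is assumed to have (short [A-Za-z0-9_-] token) and never
// evaluates the value or inserts it as HTML/script.
const VALUE_RE = /^[A-Za-z0-9_-]{1,128}$/;
function receiveFlashVar(value) {
  return typeof value === "string" && VALUE_RE.test(value) ? value : null;
}

// Runs a built script with stand-in alert() and _evercookie_flash_var() so
// the effect of each builder can be observed. The Function constructor is
// used only to demonstrate; real code must never evaluate strings assembled
// from stored data.
function simulate(builder, value) {
  const calls = [];
  const alerts = [];
  const run = new Function("_evercookie_flash_var", "alert", builder(value));
  run((v) => calls.push(v), (msg) => alerts.push(msg));
  return { calls, alerts };
}

// Unsafe builder -> alerts ["XSS"]; safe builder -> no alert, the whole
// payload arrives as a harmless string argument; receiver rejects it.
console.log(simulate(buildCallUnsafe, POC_PAYLOAD));
console.log(simulate(buildCallSafe, POC_PAYLOAD));
console.log(receiveFlashVar(POC_PAYLOAD), receiveFlashVar(LEGIT_VALUE));
```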

A few weeks ago someone made a pull request fixing some issues (not security related) with QQBrowser and simply replaced the getURL() function with ExternalInterface.call(). So someone accidentally fixed the old bug and created a new one ;-) Here's the code: evercookie2.as

And the second PoC:

http://vulnerable-hostname/evercookie.swf?everdata=f\\"))}catch(e){}alert(1);//

...and life goes on. :)

If you're using evercookie, please update to the newest version. You can also check the video demonstration: https://www.youtube.com/watch?v=kWAiV6Bjm2s