A Flash movie loaded inside an HTML Object element (rather than directly embedded) could use getURL with a javascript: URL and have that script execute in the context of the parent page, not the Flash security zone. This effectively gave a cross-origin Flash file read access to the top-level document.
// Inside the .swf loaded via an HTML Object
getURL("javascript:alert(location + document.body.innerText);", "_self", "GET");
<!-- otherdomain.html loads the .swf via an <object> tag,
which is itself loaded in an <iframe> from the attacker page -->
<object type="application/x-shockwave-flash" data="xss.swf"></object>
The security context confusion arose because the HTML Object element created an intermediate document layer. When Flash called getURL, IE evaluated the javascript: URL in the outer page’s context rather than the sandboxed object’s context. The fix involved ensuring the correct security zone was applied to scripting originating from nested plugin objects.
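The origin-attribution mistake described above, as a simplified model added here (not Internet Explorer's code and not code from the original post). The context objects, function names and `.example` origins are constructed, and the same-origin gate standing in for the security zone check is an assumption.

```javascript
// Simplified model of the confusion; all names and origins are constructed.
// A context is one layer: the parent page, the intermediate document layer
// created by <object>, or the plugin content (.swf) running inside it.
function makeContext(kind, origin, parent = null) {
  return { kind, origin, parent };
}

// Pre-fix behaviour as the text describes it: a javascript: URL issued by
// plugin content is attributed to the outer page that hosts the <object>.
function scriptOriginBuggy(caller) {
  let ctx = caller;
  while (ctx.kind !== "page" && ctx.parent) ctx = ctx.parent;
  return ctx.origin;
}

// Post-fix behaviour: the script keeps the origin of the content that issued it.
function scriptOriginFixed(caller) {
  return caller.origin;
}

// Assumed stand-in for the zone check: script may read a document only when
// the origin it is attributed to matches the document's origin.
function evaluateGetUrl(caller, targetDoc, resolveOrigin) {
  const attributedOrigin = resolveOrigin(caller);
  return { attributedOrigin, allowed: attributedOrigin === targetDoc.origin };
}

// Constructed scenario: a page embeds a .swf from another origin via <object>.
const page = makeContext("page", "https://page.example");
const objectLayer = makeContext("object-layer", null, page);
const foreignSwf = makeContext("plugin", "https://swf.example", objectLayer);
const localSwf = makeContext("plugin", "https://page.example", objectLayer);

function runScenario() {
  return {
    buggyForeign: evaluateGetUrl(foreignSwf, page, scriptOriginBuggy),
    fixedForeign: evaluateGetUrl(foreignSwf, page, scriptOriginFixed),
    fixedLocal: evaluateGetUrl(localSwf, page, scriptOriginFixed),
  };
}

console.log(runScenario());
```

The buggy resolver never consults the caller's own origin, which is why the cross-origin file is treated exactly like same-origin content.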
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.