search

cure53 / Flashbang

Project "Flashbang" - An open-source Flash-security helper
https://cure53.de/flashbang
Mozilla Public License 2.0
206 stars 55 forks source link

Invisible Flashvars #15

Open cure53 opened 9 years ago

cure53 commented 9 years ago

Heya,

strangely, in this file, Flashbang cannot see the Flashvars. It needs to be noted, that other decompilers and tools have similar issues.

http://s3.amazonaws.com/avlidienbrunn/wheres_the_xss.swf

Can we specify what is happening here?

Cheers, .mario

flabbergastedbd commented 9 years ago

The Shumway we use is giving this error. Seems like some error in parsing

Uncaught (in promise) TypeError: Cannot read property 'defaultValue' of undefined (Bindings.js:163)
Uncaught (in promise) TypeError: Cannot read property 'createAsSymbol' of undefined (Loader.js:293)

The latest shumway successfully plays this file successfully and I can see a JS call

!skipCallback?callback('undefined'):''

As the new shumway is able to play, I think it can detect the vars as well. The architecture of shumway has changed, so I will look back into the new version once I have enough time.