Here I present a (reported) Flash-based XSS vulnerability I discovered in wordstat.yandex.com, which requires no user interaction.
By disassembling the SWF, we discover that the data_file and settings_file parameters are user-controllable and can be injected directly through the URL.
The parameters are then retrieved and the XML is parsed:
Quick link to a proof of concept:
We control the "map" by providing two XML files, hosted on an external server.
The file ammap_settings.xml just sets a white background and disables controls such as zoom and arrows, the legend, the small map, etc.
The file ammap_data.xml is the interesting one. Here is the malicious payload:
As you can see, an external SWF is loaded as a map, and a rectangular area (called a movie, file="rectangle") is drawn over the whole screen and made transparent (alpha="0").
In order to make it work without user interaction, we have added an object id (oid) to the movie with the oid="xss" attribute, and simulated a click on the movie with the url="#xss" attribute of the <map> tag, as documented by AmCharts:

| url | #object_id | Id of object which should be "clicked" when map initializes |
This leads to arbitrary JS execution in the context of wordstat.yandex.com without any user interaction:
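The root cause above is that data_file and settings_file are taken straight from the URL and may point at any host, so the SWF fetches attacker-hosted XML (and, from there, an external SWF). The following is an added example, not code from the original write-up, from Yandex or from the AmCharts project: a validator that an embedding page could apply to those two flashvars before building the embed, so that only same-origin XML files under an expected directory reach the SWF. The origin is taken from the page; the directory /static/ammap/, the function names and the default file paths are assumptions for illustration.

```javascript
// Added example: allowlist validation for Flash "flashvars" parameters such as
// data_file / settings_file before they are handed to an embedded SWF.
// ALLOWED_DIR, the function names and the default file names are assumptions
// for illustration, not AmCharts' or the site's real configuration.

const ALLOWED_ORIGIN = 'https://wordstat.yandex.com'; // the embedding page's own origin
const ALLOWED_DIR = '/static/ammap/';                  // assumed directory holding the real XML files

// Return the normalized same-origin URL string, or null if the value must be rejected.
function validateFlashVarUrl(value, allowedOrigin = ALLOWED_ORIGIN, allowedDir = ALLOWED_DIR) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 512) return null;
  let url;
  try {
    // Resolve relative paths against our own origin; absolute URLs keep their own scheme/host.
    url = new URL(value, allowedOrigin + '/');
  } catch (e) {
    return null; // unparsable input
  }
  // Anything that resolved to another origin is rejected: http://other-host,
  // protocol-relative //other-host, javascript:, data: (origin "null"), etc.
  if (url.origin !== allowedOrigin) return null;
  // No embedded credentials.
  if (url.username || url.password) return null;
  // The URL parser has already collapsed "." and ".." segments, so checking the
  // final pathname prefix catches traversal attempts.
  if (!url.pathname.startsWith(allowedDir)) return null;
  // Only a single plain XML file name inside the directory.
  if (!/^[A-Za-z0-9_-]+\.xml$/.test(url.pathname.slice(allowedDir.length))) return null;
  // Drop query and fragment so nothing but the file reference reaches the SWF.
  url.search = '';
  url.hash = '';
  return url.href;
}

// Build the flashvars string from untrusted query parameters, falling back to the
// site's own default files whenever a supplied value fails validation.
function buildFlashVars(query, defaults = {
  data_file: ALLOWED_DIR + 'ammap_data.xml',        // assumed default
  settings_file: ALLOWED_DIR + 'ammap_settings.xml' // assumed default
}) {
  const out = {};
  for (const name of ['data_file', 'settings_file']) {
    const candidate = validateFlashVarUrl(query[name]);
    out[name] = candidate || new URL(defaults[name], ALLOWED_ORIGIN).href;
  }
  return Object.entries(out)
    .map(([k, v]) => k + '=' + encodeURIComponent(v))
    .join('&');
}

// Constructed sample input, as it would arrive from the page's query string.
const sampleQuery = { data_file: '//external.example/ammap_data.xml', settings_file: '/static/ammap/ammap_settings.xml' };
console.log(buildFlashVars(sampleQuery));
```

The check deliberately resolves the value with the WHATWG URL parser and then compares origins, rather than pattern-matching the raw string: protocol-relative URLs, scheme variations and dot segments are all normalized before the comparison, which is where hand-written string checks usually go wrong.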