Today I want to share with you one of my findings from 2013: an XSS in a Flash file that was used by many famous websites. The Flash file was called sIFR (Scalable Inman Flash Replacement).

Q: How did I find it?

But how did I find it? Until today I thought that I was the first one to report this issue; in fact it is an old bug that has a CVE. So let's talk about what I found. As I was looking for a bug in Adobe, my browser got me to:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=

The (txt) parameter was simple text.
The (textcolor) parameter took an HTML color code.
I changed (ADOBE PHOTOSHOP CS3) to XSS.

The page showed XSS. When I made the payload, I got the txt parameter to show our text, so let me explain what I did regarding the HTML.

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

It worked, and I found an XSS on Adobe. But I noticed something in the URL:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=

It looks like the path of a file on "www.adobe.com", so I deleted "wwwimages.adobe.com/" from the URL and went to:

https://www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

I injected my name in the code, and it was my beginning with bug bounty, a very good one actually.
I thought that (sIFR2.0.2) was an Adobe product that could be found on other websites, so I started looking everywhere for it, and I found it to be used by major and governmental companies, including Visa, AMEX, BlackBerry, Stanford, Harvard, etc.

Here are some samples:

The PoC video:


There are still many other vulnerable websites to find this in.
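
For site owners who still host a sIFR .swf, here is one way to look through web server access logs for requests like the ones shown above. This is an added example, not code from the original post or from sIFR; the function name, the sample log lines and paths, and the rule of flagging any tag or javascript: link in txt are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.I)      # start of an HTML tag
JS_URL_RE = re.compile(r"javascript\s*:", re.I)   # javascript: link target

def flag_swf_requests(log_lines, watched=("txt",)):
    """Return (line_no, path, param, reason, decoded_value) for each request to a
    .swf file whose watched query parameter decodes to markup or a javascript: URL."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith(".swf"):
            continue
        # parse_qs percent-decodes parameter names and values once
        for name, values in parse_qs(target.query, keep_blank_values=True).items():
            if name not in watched:
                continue
            for value in values:
                if JS_URL_RE.search(value):
                    hits.append((line_no, target.path, name, "javascript-url", value))
                elif TAG_RE.search(value):
                    hits.append((line_no, target.path, name, "html-markup", value))
    return hits

# Constructed sample lines (documentation IP addresses, hypothetical paths)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2013:10:01:02 +0000] "GET /static/sifr/example.swf?txt=ADOBE%20PHOTOSHOP%20CS3&textcolor=%23000000 HTTP/1.1" 200 8123',
    '203.0.113.9 - - [12/Mar/2013:10:04:40 +0000] "GET /static/sifr/example.swf?txt=%3Ca%20href%3D%22javascript%3Aalert(1)%22%3Exss%3C%2Fa%3E HTTP/1.1" 200 8123',
    '203.0.113.9 - - [12/Mar/2013:10:05:11 +0000] "GET /index.html?txt=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Mar/2013:10:09:30 +0000] "GET /static/sifr/example.swf?txt=%3Cb%3EBOLD%3C%2Fb%3E&textcolor=%23ff0000 HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    for hit in flag_swf_requests(SAMPLE_LOG):
        print(hit)
```

A "javascript-url" hit is the pattern from this post; "html-markup" hits are worth a manual look.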

Thank you for reading.