File:20150218-Abusing JSONP with Rosetta Flash-miki.it.pdf

Michele will present an exploitation technique that involves crafting charset-restricted Flash SWF files in order to abuse JSONP endpoints and allow Cross-Site Request Forgery attacks against domains hosting JSONP endpoints, bypassing the Same-Origin Policy.

With this attack it is possible to make a victim perform arbitrary requests to the domain with the JSONP endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site.

High profile Google domains, YouTube, Twitter, LinkedIn, Yahoo!, eBay, Mail.ru, Flickr, Baidu, Instagram, Tumblr and Olark have had or still have vulnerable JSONP endpoints at the time of writing. Popular web development framework Ruby on Rails and MediaWiki also addressed this vulnerability.

Rosetta Flash leverages zlib, Huffman encoding and Adler-32 checksum brute-forcing to convert any SWF file to an equivalent one composed of only alphanumeric characters, so that it can be passed as a JSONP callback and then reflected by the endpoint, effectively hosting the Flash file on the vulnerable domain. We use ad-hoc Huffman encoders in order to map non-allowed bytes to allowed ones. Naturally, since we are mapping a wider charset to a more restrictive one, this is not real compression but inflation: we are, in a way, using Huffman as a Rosetta stone.
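The root cause described above is that the endpoint reflects the callback name at byte 0 of the response, so an alphanumeric SWF passed as the callback becomes a file the Flash player will happily load from the vulnerable origin. The following Python is an added example, not code from the talk or from Michele's blog post: it contrasts a naive JSONP responder with a hardened one that validates the callback against an identifier whitelist (the exact regex and length limit are assumed policy, not anything the abstract specifies), prepends `/**/` so the body can no longer begin with an SWF signature, and sets `X-Content-Type-Options: nosniff` and a `Content-Disposition: attachment` header so browsers do not sniff or render the response. `looks_like_swf` checks only the three-byte SWF magic, which is all the defence needs to verify. The sample callback `CWSdemo` is a constructed marker, not a real SWF.

```python
import re
from typing import Dict, Tuple

# Callback whitelist: JavaScript identifier characters only, bounded length.
# This is an assumed policy for the example, not one the talk prescribes.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")

# A Flash player only loads content whose first three bytes are an SWF
# signature: "FWS" (uncompressed), "CWS" (zlib-compressed) or "ZWS" (LZMA).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

Response = Tuple[int, Dict[str, str], bytes]


def looks_like_swf(body: bytes) -> bool:
    """True if the body starts with an SWF signature, i.e. Flash could parse it."""
    return body[:3] in SWF_SIGNATURES


def naive_jsonp_response(callback: str, payload: str) -> Response:
    """Vulnerable shape: the callback is reflected verbatim at byte 0."""
    body = f"{callback}({payload});".encode("utf-8")
    return 200, {"Content-Type": "application/javascript"}, body


def hardened_jsonp_response(callback: str, payload: str) -> Response:
    """Hardened shape: whitelist the callback, prefix the body, disable sniffing."""
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, b"invalid callback"
    # The leading comment guarantees bytes 0-3 are "/**/", so the response can
    # never carry an SWF signature regardless of what the callback contains.
    body = f"/**/{callback}({payload});".encode("utf-8")
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Stop browsers from guessing a different content type for this body.
        "X-Content-Type-Options": "nosniff",
        # Tell browsers to treat the body as a download rather than render it.
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return 200, headers, body


def is_safe_response(resp: Response) -> bool:
    """Defender's check: status 200 responses must not be SWF-parsable or sniffable."""
    status, headers, body = resp
    if status != 200:
        return True
    return (
        not looks_like_swf(body)
        and headers.get("X-Content-Type-Options") == "nosniff"
    )


if __name__ == "__main__":
    # Constructed demo inputs: the callback merely starts with an SWF signature.
    demo_callback = "CWSdemo"
    demo_payload = '{"ok":true}'
    for name, fn in (("naive", naive_jsonp_response), ("hardened", hardened_jsonp_response)):
        resp = fn(demo_callback, demo_payload)
        print(f"{name:9s} body={resp[2]!r} safe={is_safe_response(resp)}")
```

Running the script shows the naive body beginning with `CWS`, the bytes a Flash player would accept as a compressed SWF header, while the hardened body begins with `/**/` and is rejected by `looks_like_swf`. A callback such as `alert(1)//` fails the whitelist outright and receives a 400.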

Rosetta Flash has been nominated for a Pwnie Award and won an Internet Bug Bounty by HackerOne.

More information can be found in Michele's blog post: https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/