Cross-Site Content (Data) Hijacking (XSCH) PoC Project
Posted by vulnspy at Apr 24, 2020

This project can be used to provide a proof of concept for:

  • Exploiting websites with insecure policy files (crossdomain.xml or clientaccesspolicy.xml) by reading their contents.
  • Exploiting insecure file upload functionalities which do not check the file contents properly or allow to upload SWF or PDF files without having Content-Disposition header during the download process. In this scenario, the created SWF, XAP, or PDF file should be uploaded with any extension such as .JPG to the target website. Then, the "Object File" value should be set to the URL of the uploaded file to read the target website's contents.
  • Exploiting CVE-2011-2461 (see the references for more details)
  • Exploiting websites with insecure HTML5 cross-origin resource sharing (CORS) headers

Note: .XAP files can be renamed to any other extension but they cannot be load cross-domain anymore. It seems Silverlight finds the file extension based on the provided URL and ignores it if it is not .XAP. This can still be exploited if a website allows users to use ";" or "/" after the actual file name to add a ".XAP" extension.


  • Exploiting an insecure policy file:
    1. Host the ContentHijacking directory with a web server.
    2. Browse to the index.html page (will be redirected to ContentHijackingLoader.html).
    3. Change the "Object File" field in the HTML page to a suitable object from the "objects" directory ("xfa-manual-ContentHijacking.pdf" cannot be used).
  • Exploiting an insecure file upload/download:
    1. Upload an object file from the "objects" directory to the victim server. These files can also be renamed with another extension when uploaded to another domain (for this purpose, first use Flash and then PDF as Silverlight XAP files will not normally work with another extension from another domain).
    2. The "Object File" field should be set to the location of the uploaded file.
  • Exploiting CVE-2011-2461
    1. The "Object File" field should be set to the vulnerable file.
    2. Select the "Flash CVE-2011-2461 Only" option from the drop-down list of the "Type" field.
  • Exploiting an insecure CORS policy:
    1. The "Object File" field can be set to the local "ContentHijacking.html" file. If you can upload a HTML file in your target domain, you can exploit XSS issues much more easier than using CORS.

GitHub Source


nccgroup/CrossSiteContentHijacking -
Even uploading a JPG file can lead to Cross-Site Content Hijacking (client-side attack)! -
Flash it baby! -


Comment as Admin

Click the button above to start the online environment
Copyright © 2021 VSPlate