Description

An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.

Attack Execution Flow

3

1

Step 1

Explore

[Find Injection Entry Points] The attacker first takes an inventory of the entry points of the application.
Spider the website for all available URLs that reference a Flash application.
List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies.

Attack Techniques

Spider the website for all available URLs that reference a Flash application.
List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies.
IT: Scansiona il sito web per tutti gli URL disponibili che fanno riferimento a un'applicazione Flash.

2

Step 2

Experiment

[Determine the application's susceptibility to Flash injection] Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.
Test the page using direct load asfunction, getURL,javascript:gotRoot('')///d.jpg
Test the page using controlled evil page/host, http://example.com/evil.swf
Test the page using Flash HTML injection, ''><img src='asfunction:getURL,javascript:gotRoot('')//.jpg' >
Test the page using DOM injection, (gotRoot(''))

Attack Techniques

Test the page using DOM injection, (gotRoot(''))
Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg
IT: Testa la pagina utilizzando DOM injection, (gotRoot(''))
Test the page using controlled evil page/host, http://example.com/evil.swf
IT: Testa la pagina utilizzando DOM injection, (gotRoot(''))
Test the page using Flash HTML injection, "'><img src='asfunction:getURL,javascript:gotRoot("")//.jpg' >
IT: Testa la pagina utilizzando DOM injection, (gotRoot(''))

3

Step 3

Exploit

[Inject malicious content into target] Inject malicious content into target utilizing vulnerable injection vectors identified in the Experiment phase

Mitigations

5

Consequences

Security Scopes Affected

Access Control Accountability Authentication Authorization Confidentiality Integrity Non-Repudiation

Potential Impacts

Bypass Protection Mechanism Execute Unauthorized Commands Gain Privileges Modify Data Other Read Data

Relationships

Resources Required

1

CAPEC 182 Flash Injection

Description

Attack Execution Flow

Step 1

Attack Techniques

Step 2

Attack Techniques

Step 3

Mitigations

Implementation: Use Validation On Both Client And Server Side.

Implementation: Remove Debug Information.

Implementation: Remove Sensitive Information Such As User Name And Password In The Swf File.

Implementation: Use Ssl When Loading External Data

Implementation: Use Crossdomain.Xml File To Allow The Application Domain To Load Stuff Or The Swf File Called By Other Domain.

Consequences

Security Scopes Affected

Potential Impacts

Relationships

Parent CAPECs

Child CAPECs

Resources Required

CAPEC 182 Flash Injection

Description

Attack Execution Flow

Step 1

Attack Techniques

Step 2

Attack Techniques

Step 3

Mitigations

Implementation: Use Validation On Both Client And Server Side.

Implementation: Remove Debug Information.

Implementation: Remove Sensitive Information Such As User Name And Password In The Swf File.

Implementation: Use Ssl When Loading External Data

Implementation: Use Crossdomain.Xml File To Allow The Application Domain To Load Stuff Or The Swf File Called By Other Domain.

Consequences

Security Scopes Affected

Potential Impacts

Relationships

Parent CAPECs

Child CAPECs

Resources Required

Iscriviti alla newsletter