CAPEC-182: Flash Injection

Likelihood of Attack: High
Typical Severity: Medium
Status: Draft
Submitted: 2014-06-23
Last modified: 2022-09-29


Description

An attacker tricks a victim into executing malicious Flash content that runs commands or makes Flash calls chosen by the attacker. One example of this attack is cross-site flashing, in which an attacker-controlled parameter passed to a reference call causes content specified by the attacker to be loaded.

Information

Execution Flow

1) Explore

[Find Injection Entry Points] The attacker first takes an inventory of the entry points of the application.

Technique
  • Spider the website for all available URLs that reference a Flash application.
  • List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, global variables registered in included files, and variables loaded from external movies.

2) Experiment

[Determine the application's susceptibility to Flash injection] For each URL identified in the Explore phase, the attacker tries various techniques, such as direct load asfunction, a controlled evil page/host, Flash HTML injection, and DOM injection, to determine whether the application is susceptible to Flash injection.

Technique
  • Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg
  • Test the page using controlled evil page/host, http://example.com/evil.swf
  • Test the page using Flash HTML injection, "'>
  • Test the page using DOM injection, (gotRoot(''))

3) Exploit

[Inject malicious content into target] Inject malicious content into the target using the vulnerable injection vectors identified in the Experiment phase.

Prerequisites

The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.

Skills Required

The attacker needs to have knowledge of Flash, especially how to insert content that executes commands.

Resources Required

None: No specialized resources are required to execute this type of attack. The attacker may need to be able to serve the injected Flash content.

Mitigations

Implementation: remove sensitive information such as user names and passwords from the SWF file.
Implementation: use validation on both the client and the server side.
Implementation: remove debug information.
Implementation: use SSL when loading external data.
Implementation: use a crossdomain.xml file to control which domains may load the application's content or call the SWF file from another domain.
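The crossdomain.xml mitigation concerns the policy file that Flash Player fetches before a SWF served from another origin is allowed to read a site's data. As an added illustration (not part of the CAPEC entry), the permissive policy that leaves a site open to cross-site flashing is shown commented out above a restrictive one; example.com and its host names are placeholders.

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<!-- WEAK SETTING (kept commented out so this file stays a valid policy):
     domain="*" lets a SWF hosted anywhere read this site's responses with the
     victim's cookies, which is exactly what a cross-site flashing attack needs. -->
<!--
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
-->

<!-- HARDENED SETTING: only the application's own hosts (placeholders), only
     over HTTPS, and only this master policy is honoured; per-directory policy
     files elsewhere on the site are ignored by the player. -->
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="static.example.com" secure="true"/>
  <!-- Custom request headers are also origin-gated; grant them as narrowly as the data. -->
  <allow-http-request-headers-from domain="www.example.com" headers="SOAPAction" secure="true"/>
</cross-domain-policy>
```

Serve this as /crossdomain.xml at the web root over HTTPS; `secure="true"` is the default there, but stating it prevents an HTTP-served SWF from being granted access if the policy is ever served over plain HTTP.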

Related Weaknesses

CWE-ID Weakness Name
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-184 Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.
CWE-697 Incorrect Comparison
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.


Submission

Name                 Organization            Date
CAPEC Content Team   The MITRE Corporation   2014-06-23

Modifications

Name                 Organization            Date         Comment
CAPEC Content Team   The MITRE Corporation   2017-05-01   Updated Related_Attack_Patterns
CAPEC Content Team   The MITRE Corporation   2017-08-04   Updated Resources_Required
CAPEC Content Team   The MITRE Corporation   2018-07-31   Updated Attacker_Skills_or_Knowledge_Required
CAPEC Content Team   The MITRE Corporation   2019-04-04   Updated Consequences
CAPEC Content Team   The MITRE Corporation   2022-09-29   Updated Example_Instances