CAPEC-174: Flash Parameter Injection (CAPEC List Version 2.9)

 
Attack Pattern ID: 174
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Summary

An attacker injects values for global parameters of a Flash movie embedded in an HTML document. The injected parameters are controlled through arguments in the URL used to access the embedding HTML document. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to the page's document model, including associated cookies) make this attack more flexible. The injected parameters can allow the attacker to control other objects within the Flash movie as well as to gain full control over the parent document's DOM.

+ Attack Execution Flow
Explore
  1. Spider:

    Using a browser or an automated tool, an attacker records all instances of HTML documents that have embedded Flash movies. For each embedded Flash movie, the attacker lists how global parameters are passed to it from the embedding object.

    Attack Step Techniques

    1. Use an automated tool to record all instances of URLs that have embedded Flash movies and list the parameters passed to the Flash movie. [env-Web]
    2. Use a browser to manually explore the website to see whether the HTML document has embedded Flash movies, and list the parameters passed to the Flash movie. [env-Web]

    Indicators

    1. Positive: The HTML document has embedded Flash movies. [env-Web]
    2. Inconclusive: The HTML file does not appear to contain Flash movies, but Ajax requests are possible and could insert Flash movies into the page dynamically. [env-Web]

    Outcomes

    1. Success: A list of URLs that have embedded Flash movies, together with the parameters passed to each Flash movie.

    Security Controls

    1. Detective: Monitor the rate of page fetching in web logs. Humans who view a page and select a link from it click far slower and far less regularly than tools. Tools make requests very quickly, and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Experiment
  1. Determine the application's susceptibility to Flash parameter injection:

    For each URL identified in the Explore phase, the attacker attempts various techniques (DOM-based, reflected, flashvars, persistent) depending on the type of parameter passed to the embedded Flash movie.

    Attack Step Techniques

    1. When the JavaScript 'document.location' value is used as part of a parameter, inject '#' followed by the payload into the URL. The fragment is never sent to the server, so server-side filtering does not see it. [env-Web]
    2. When the name of the Flash movie is exposed as a form or URL parameter, inject '?' followed by the payload after the movie name in the URL to override a global variable. [env-Web]
    3. When arguments are passed in the 'flashvars' attribute, inject '&' followed by the payload into the URL. [env-Web]
    4. If some of the attributes of the <object> tag are received as parameters, inject a 'flashvars' attribute into the <object> tag, even though the creator of the web page never intended to allow arguments to be passed into the Flash file. [env-Web]
    5. If shared objects (Flash cookies) are used to save data entered by the user, persistent Flash parameter injection may occur: malicious code is stored and executed every time the Flash movie is loaded. [env-Web]

    Outcomes

    1. Success: At least one URL is found susceptible to Flash parameter injection.
    2. Failure: No URL is found susceptible to injection.

    Security Controls

    1. Preventative: User input must be sanitized according to context before being reflected back to the user.
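The Explore and Experiment steps above, modelled as an added JavaScript example (not code from the CAPEC entry or the cited advisory). It scans a constructed HTML page for embedded movies and the parameters they receive from the SWF URL's query string, a flashvars attribute, or <param> children, and then reproduces the DOM-based '#' technique against a page that copies document.location into flashvars. The sample page, the attack URL and the function names are assumptions for illustration:

```javascript
// Added example, not code from the CAPEC entry or the cited advisory: a
// JavaScript model of the Explore step (list embedded movies and the
// parameters passed to them) and of the Experiment step's DOM-based and
// movie-URL injection techniques. The HTML and URLs are constructed samples.

// Decode one percent-encoded token; a malformed sequence is kept as-is rather
// than aborting the scan.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Split a "name=value&name=value" list the way the Flash Player treats both
// the flashvars attribute and the query string of the SWF URL. On duplicate
// names this model keeps the last value; the player's own precedence rules
// are not modelled here. A null-prototype object keeps names like
// "__proto__" from touching Object.prototype.
function parseFlashVars(list) {
  const vars = Object.create(null);
  for (const pair of list.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    vars[safeDecode(name)] = safeDecode(value);
  }
  return vars;
}

// Explore: find every <object>/<embed> that loads a .swf and collect the
// parameters it receives, from the SWF URL's query string, from a flashvars
// attribute, and from <param name="movie|flashvars"> children of an <object>.
// Attribute values are assumed to be double-quoted; HTML entity decoding is
// deliberately omitted to keep the scanner short.
function findFlashEmbeds(html) {
  const tagRe = /<(object|embed|param)\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
  const seen = [];
  let currentObject = null; // most recent <object>, so <param> children attach to it
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2];
    if (tag === 'param') {
      if (currentObject && attrs.name) {
        currentObject.attrs[attrs.name.toLowerCase()] = attrs.value || '';
      }
      continue;
    }
    const entry = { tag, attrs };
    if (tag === 'object') currentObject = entry;
    seen.push(entry);
  }
  const results = [];
  for (const { tag, attrs } of seen) {
    const movieUrl = attrs.data || attrs.src || attrs.movie;
    if (!movieUrl || !/\.swf(\?|$)/i.test(movieUrl)) continue;
    const q = movieUrl.indexOf('?');
    const movie = q < 0 ? movieUrl : movieUrl.slice(0, q);
    // Both sources define globals in the movie; list them together.
    const params = Object.assign(
      parseFlashVars(q < 0 ? '' : movieUrl.slice(q + 1)),
      parseFlashVars(attrs.flashvars || '')
    );
    results.push({ tag, movie, params });
  }
  return results;
}

// Experiment, DOM-based variant: the page copies document.location into
// flashvars verbatim. Everything after "#" stays in the browser, so a
// server-side filter never sees the injected "&globalVar=..." and the movie
// receives a global it was never meant to take from the user.
function vulnerableFlashVars(documentLocation) {
  return 'location=' + documentLocation;
}

// Constructed sample page and attack URL (not taken from a real site).
const SAMPLE_HTML = [
  '<object type="application/x-shockwave-flash" data="myMovie.swf?globalVar=e-v-i-l"></object>',
  '<object><embed src="myFlash.swf" flashvars="language=English"></embed></object>',
  '<object width="300" height="120">',
  '  <param name="movie" value="app.swf">',
  '  <param name="flashvars" value="debug=1">',
  '</object>',
  '<img src="logo.png">',
].join('\n');
const INJECTED_URL = 'http://example.com/index.htm#&globalVar=e-v-i-l';

console.log(findFlashEmbeds(SAMPLE_HTML));
console.log(parseFlashVars(vulnerableFlashVars(INJECTED_URL)));
```

Run it with node. The scanner lists three movies and their parameters; the second call shows that the fragment-based payload yields a fresh global 'globalVar' in the movie while 'location' is silently truncated at the injected '&'. Because that payload rides in the URL fragment, it never reaches the web server's logs, so the Detective control listed in the Explore phase can catch the spidering but not this injection itself; only the '?' and '&' variants in the query string are visible server-side.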
+ Typical Severity

Medium

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

The following are examples for different types of parameters passed to the Flash movie.

DOM-based Flash parameter injection

<object>
<embed src="myFlash.swf" flashvars="location=http://example.com/index.htm#&globalVar=e-v-i-l"></embed>
</object>

Passing parameter in an embedded URI

<object type="application/x-shockwave-flash" data="myMovie.swf?globalVar=e-v-i-l" ></object>

Passing parameter in flashvars

<object type="application/x-shockwave-flash" data="myMovie.swf" flashvars="language=English&globalVar=e-v-i-l"></object>

Persistent Flash Parameter Injection

// ActionScript 2. The file name handed to getURL() comes either from a URL
// parameter (_root.flashfile) or from a Flash cookie and is never validated.
// Create a new shared object or read an existing one
mySharedObject = SharedObject.getLocal("flashToLoad");
if (_root.flashfile == undefined) {
    // Check whether there is a shared object saved
    if (mySharedObject.data.flash == null) {
        // Set a default value
        _root.flashfile = "defaultFlash.swf";
    } else {
        // Read the flash file to load from the shared object
        _root.flashfile = mySharedObject.data.flash;
    }
}
// Store the flash file's name in the shared object
mySharedObject.data.flash = _root.flashfile;
// Load the flash file
getURL(_root.flashfile);

If an unsuspecting user is lured by an attacker into clicking a link like this: http://example.com/vulnerable.swf?flashfile=javascript:alert(document.domain)

the result is not merely a one-time execution of the JavaScript in the victim's browser in the context of the domain hosting the vulnerable Flash file. Because the value is written to the shared object, the JavaScript executes again every time the Flash movie is loaded, whether by direct reference or embedded in a page on the same domain.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The attacker needs to inject values into the global parameters of the Flash movie and to understand the DOM structure of the parent HTML document. The attacker also needs to convince the victim to follow the crafted link.

+ Resources Required

The attacker must convince the victim to click their crafted link.

+ Solutions and Mitigations

User input must be sanitized according to context before being reflected back to the user. The JavaScript function 'encodeURI' is not always sufficient for sanitizing input intended for global Flash parameters, because it leaves the characters that separate one flashvars variable from the next untouched. Extreme caution should be taken when saving user input in Flash cookies. Where a persistent injection has already occurred, the Flash file itself will need to be fixed and recompiled, changing the name of the local shared objects (Flash cookies) so that the poisoned ones are no longer read.
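The point about encodeURI, shown as an added JavaScript example (not from the CAPEC entry or the cited advisory): the same injected URL is passed through encodeURI, through encodeURIComponent, and through an allow-list builder that only emits parameters the page intends to expose. The allow-list, its validators and the function names are hypothetical:

```javascript
// Added example, not code from the CAPEC entry or the cited advisory: why
// encodeURI() is not a sufficient sanitizer for a value placed into flashvars,
// and a contextual alternative. The URL and the allowed-parameter list are
// constructed for illustration.

// flashvars is a "name=value&name=value" list. encodeURI() is designed for a
// whole URI, so it leaves "&", "=", "?" and "#" untouched: an injected
// "&globalVar=..." inside the value survives and becomes a second variable.
function flashVarsWithEncodeURI(location) {
  return 'location=' + encodeURI(location);
}

// encodeURIComponent() percent-encodes the list separators, so the whole
// value stays a single variable and is decoded intact by the player.
function flashVarsWithEncodeURIComponent(location) {
  return 'location=' + encodeURIComponent(location);
}

// Number of variables the Flash Player would see: one per non-empty
// "&"-separated pair.
function countFlashVars(flashvars) {
  return flashvars.split('&').filter((pair) => pair !== '').length;
}

// Stronger still: the page owns the list of parameter names it passes and
// validates each value against the shape it expects, so a name the author
// never intended to expose (globalVar) cannot reach the movie at all.
// Hypothetical allow-list for the examples on this page.
const ALLOWED_FLASHVARS = {
  language: (v) => /^[A-Za-z]{2,16}$/.test(v),
  location: (v) => /^https?:\/\/[^\s"<>]+$/.test(v),
};

function buildFlashVars(supplied) {
  const parts = [];
  for (const name of Object.keys(ALLOWED_FLASHVARS)) {
    const value = supplied[name];
    if (typeof value !== 'string' || !ALLOWED_FLASHVARS[name](value)) continue;
    parts.push(encodeURIComponent(name) + '=' + encodeURIComponent(value));
  }
  return parts.join('&');
}

// The list is then placed inside a double-quoted HTML attribute, which has
// its own metacharacters; encode for that context as a separate step.
function htmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function objectTag(movie, flashvars) {
  return '<object type="application/x-shockwave-flash" data="' + htmlAttr(movie) +
         '" flashvars="' + htmlAttr(flashvars) + '"></object>';
}

// Constructed attack URL, the same one used in the DOM-based example above.
const INJECTED_LOCATION = 'http://example.com/index.htm#&globalVar=e-v-i-l';

console.log(flashVarsWithEncodeURI(INJECTED_LOCATION));          // two variables
console.log(flashVarsWithEncodeURIComponent(INJECTED_LOCATION)); // one variable
console.log(objectTag('myMovie.swf', buildFlashVars({
  language: 'English', location: INJECTED_LOCATION, globalVar: 'e-v-i-l',
})));
```

Note that the allow-list builder still accepts the injected URL as the value of 'location', since the fragment is legal in a URL; what stops the attack is that the value is encoded for the flashvars context, so the movie sees one variable holding the full string rather than a new global. Encoding for the HTML attribute is a separate, second layer, because the browser decodes the attribute before handing it to the plugin.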

+ Attack Motivation-Consequences
Scope: Confidentiality. Technical Impact: "Varies by context". Note: Information Leakage.
Scope: Authorization. Technical Impact: Execute unauthorized code or commands. Note: Run Arbitrary Code.
+ Injection Vector

User-controllable URL used as global parameter for Flash movies

+ Payload

Crafted value for global parameter and special characters.

+ Activation Zone

The embedded Flash movie and the parent HTML document.

+ Payload Activation Impact

The injected parameters can allow the attacker to get full control over the parent document's DOM model as well as other objects within the Flash movie.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Medium
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ References
[R.174.1] Yuval B., Ayal Y. and Adi S. "Flash Parameter Injection: A Security Advisory". IBM Rational Security Team. September 24, 2008. <http://blog.watchfire.com/FPI.pdf>.
+ Content History
Submissions
Submitter: CAPEC Content Team. Organization: The MITRE Corporation. Date: 2014-06-23. Source: Internal_CAPEC_Team.

Page Last Updated or Reviewed: December 07, 2015