An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.
Identification: Using a browser or an automated tool, an attacker records all instances of URLs (or partial URLs, such as a domain) passed to a flash file (SWF).
Use an automated tool to record the variables passed to a flash file.
Use decompilers to retrieve the flash source code and record all user-controllable variables passed to a loadMovie* directive.
Attempt to inject a remote flash file: The attacker makes use of a remotely available flash file (SWF) that generates a uniquely identifiable output when executed inside the targeted flash file.
Modify the variable of the SWF file that contains the remote movie URL to the attacker controlled flash file.
Access or Modify Flash Application Variables: As the attacker succeeds in exploiting the vulnerability, he targets the content of the flash application to steal variable contents, passwords, etc.
Develop malicious Flash application that is injected through vectors identified during the Experiment Phase and loaded by the victim browser's flash plugin and sends document information to the attacker.
Develop malicious Flash application that is injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the flash application to execute appropriately.
The targeted Flash application must reference external URLs and the locations thus referenced must be controllable through parameters. The Flash application must fail to sanitize such parameters against malicious manipulation. The victim must follow a crafted link created by the attacker.
Typical Likelihood of Exploit
Methods of Attack
The attacker tries to get his malicious flash movie to be executed in the targeted flash application. The malicious file is hosted on the attacker.com domain and the targeted flash application is hosted on example.com. The crossdomain.xml file in the root of example.com allows all domains, and no specific restriction is specified in the targeted flash application. When the attacker injects his malicious file into the vulnerable flash movie, the rogue flash application is able to access internal variables and parameters of the flash movie.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Knowledge of Flash internals, parameters and remote referencing.
Solutions and Mitigations
Implementation: Only allow known URLs to be included as remote flash movies in a flash application.
Configuration: Properly configure the crossdomain.xml file to only include the known domains that should host remote flash movies.
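Both mitigations as checks in code, as an added example that is not part of the CAPEC entry: the policy audit flags the permissive `domain="*"` rule from the scenario above, and the allowlist validates a user-supplied remote-movie URL before the application passes it to a loadMovie* call. The policy strings, host names and function names are constructed for illustration.

```python
"""Added example: checks for the two cross-site flashing mitigations above."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample policies; WEAK_POLICY mirrors the example.com scenario above.
WEAK_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

FIXED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="movies.example.com" secure="true"/>
</cross-domain-policy>"""


def overly_permissive_domains(policy_xml: str) -> list[str]:
    """Return domain patterns in a crossdomain.xml that grant access too broadly.

    A bare '*' lets a SWF hosted on any domain read the hosting movie's
    variables. A wildcard with no registrable domain ('*.com') is treated the
    same way; this is a simple heuristic (public suffixes such as 'co.uk' would
    need a suffix list to be caught).
    """
    root = ET.fromstring(policy_xml)
    bad = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*" or (domain.startswith("*.") and domain.count(".") < 2):
            bad.append(domain)
    return bad


def is_allowed_movie_url(url: str, allowed_hosts: frozenset[str]) -> bool:
    """Allowlist a remote-movie URL: exact host match over https only.

    Rejects other schemes (including javascript:), userinfo tricks such as
    'https://movies.example.com@other.test/', subdomains and superdomains
    ('movies.example.com.other.test'), and any explicit port.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username is not None or port is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts
```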
Modify files or directories
Read files or directories
Modify application data
Read application data
Execute unauthorized code or commands
Run Arbitrary Code
Gain privileges / assume identity
Bypass protection mechanism
Externally controllable external URL references within a flash file (SWF).
Any HTTP Request transport variables (GET, POST, Headers, etc.).
Flash plugin inside the client web browser where script is executed.
Payload Activation Impact
Client web browser may be used to steal session data, passwords and other information which transit through the vulnerable flash application.
Page Last Updated or Reviewed:
July 31, 2017