CAPEC-178: Cross-Site Flashing (Version 2.10)

Attack Pattern ID: 178
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Summary

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.

+ Attack Execution Flow
Explore
  1. Identification:

    Using a browser or an automated tool, an attacker records all instances of URLs (or partial URLs, such as a domain) passed to a flash file (SWF).

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Use an automated tool to record the variables passed to a flash file. | env-Web
    2 | Use a browser to manually explore the website and analyze how the flash file receives variables, e.g. JavaScript using SetVariable/GetVariable, the HTML FlashVars param tag, etc. | env-Web
    3 | Use decompilers to retrieve the flash source code and record all user-controllable variables passed to a loadMovie* directive. | env-Web

    Indicators

    ID | Type | Indicator Description | Environments
    1 | Positive | A URL is passed as a parameter to a flash file (SWF). | env-Web
    2 | Inconclusive | No variables appear in the URL. Even though none appear, the flash movie may still use them if they are provided. | env-Web
    3 | Negative | The application doesn't use variables to specify what URL to load remote flash movies from. | env-Web

    Outcomes

    ID | Type | Outcome Description
    1 | Success | A list of flash files, with their corresponding parameters, is created by the attacker.
Experiment
  1. Attempt to inject a remote flash file:

    The attacker makes use of a remotely available flash file (SWF) that generates a uniquely identifiable output when executed inside the targeted flash file.

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Modify the variable of the SWF file that contains the remote movie URL to point to the attacker-controlled flash file. | env-Web

    Indicators

    ID | Type | Indicator Description | Environments
    1 | Positive | The attacker's flash movie is being executed in the targeted movie. | env-Web
    2 | Inconclusive | The targeted flash movie doesn't appear to allow the inclusion of flash movies from untrusted domains (as specified in the crossdomain.xml file or in the flash movie itself). | env-Web

    Outcomes

    ID | Type | Outcome Description
    1 | Success | The attacker's flash movie can access the targeted flash movie's internal variables.
    2 | Failure | The attacker's flash movie cannot access any content of the targeted flash movie.
Exploit
  1. Access or Modify Flash Application Variables:

    Once the attacker succeeds in exploiting the vulnerability, he targets the content of the flash application to steal variable content, passwords, etc.

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Develop a malicious Flash application that is injected through vectors identified during the Experiment Phase, is loaded by the victim browser's flash plugin, and sends document information to the attacker. | env-Web
    2 | Develop a malicious Flash application that is injected through vectors identified during the Experiment Phase, takes commands from an attacker's server, and then causes the flash application to execute them. | env-Web

    Outcomes

    ID | Type | Outcome Description
    1 | Success | The attacker gets the user's session identifiers or other types of credentials.
    2 | Success | The attacker gets the content of the variables used in the flash application.
    3 | Success | The attacker causes the flash application to be remotely controlled.

    Security Controls

    ID | Type | Security Control Description
    1 | Preventative | Apply appropriate configuration settings for cross-domain flash applications in the crossdomain.xml file.
    2 | Preventative | Apply appropriate configuration settings for cross-domain flash applications inside the flash application.
  2. Execute JavaScript in victim's browser:

    When the attacker targets the current flash application, he can choose to inject JavaScript into the client's DOM and therefore execute a cross-site scripting attack.

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Develop malicious JavaScript that is injected from the rogue flash movie into the targeted flash application through vectors identified during the Experiment Phase and loaded by the victim's browser. | env-Web

    Outcomes

    ID | Type | Outcome Description
    1 | Success | The attacker is able to execute a DOM-based cross-site scripting attack on the victim.

    Security Controls

    ID | Type | Security Control Description
    1 | Preventative | Apply appropriate configuration settings for cross-domain flash applications in the crossdomain.xml file.
    2 | Preventative | Apply appropriate configuration settings for cross-domain flash applications inside the flash application.
+ Attack Prerequisites
  • The targeted Flash application must reference external URLs and the locations thus referenced must be controllable through parameters. The Flash application must fail to sanitize such parameters against malicious manipulation. The victim must follow a crafted link created by the attacker.

+ Typical Severity

Medium

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

The attacker tries to get his malicious flash movie executed in the targeted flash application. The malicious file is hosted on the attacker.com domain and the targeted flash application is hosted on example.com. The crossdomain.xml file in the root of example.com allows all domains, and no specific restriction is specified in the targeted flash application. When the attacker injects his malicious file into the vulnerable flash movie, the rogue flash application is able to access the internal variables and parameters of the flash movie.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

Knowledge of Flash internals, parameters and remote referencing.

+ Solutions and Mitigations

Implementation: Only allow known URLs to be included as remote flash movies in a flash application.

Configuration: Properly configure the crossdomain.xml file to only include the known domains that should host remote flash movies.
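The two mitigations above, as an added example in Python that is not part of the CAPEC entry: a check that flags permissive crossdomain.xml settings, and an allowlist validator for a FlashVar that names a remote SWF to load. The policy documents, the allowlist hosts and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed crossdomain.xml documents: the permissive policy described in
# the Examples-Instances section (any domain may load the SWF) and a fixed one.
WEAK_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

FIXED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="static.example.com" secure="true" />
</cross-domain-policy>"""

# Hosts that are allowed to supply remote SWFs to the application (assumed).
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}


def policy_findings(xml_text):
    """Return a list of weak settings found in a crossdomain.xml document."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append("wildcard domain: any site may load this SWF")
        elif domain.startswith("*."):
            findings.append("subdomain wildcard: " + domain)
        # secure="false" lets an http:// SWF reach content served over https://
        if elem.get("secure", "true").lower() == "false":
            findings.append('secure="false" on ' + domain)
    return findings


def is_allowed_movie_url(value, allowed_hosts=ALLOWED_HOSTS):
    """Allowlist check for a FlashVar naming a remote SWF to load.

    Relative paths resolve against the hosting site and are accepted.
    Anything else must be an http(s) URL whose hostname is on the allowlist;
    urlsplit().hostname drops userinfo and port, so a value such as
    http://www.example.com@attacker.com/x.swf resolves to attacker.com.
    """
    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc:
        return True  # same-origin relative path
    if parts.scheme not in ("http", "https"):
        return False  # scheme-relative (//host/...) or non-web scheme
    return (parts.hostname or "").lower() in allowed_hosts
```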

+ Attack Motivation-Consequences
Scope | Technical Impact | Note
Integrity | Modify files or directories |
Confidentiality | Read files or directories |
Integrity | Modify application data |
Confidentiality | Read application data |
Authorization | Execute unauthorized code or commands | Run Arbitrary Code
Accountability, Authentication, Authorization, Non-Repudiation | Gain privileges / assume identity |
Access_Control, Authorization | Bypass protection mechanism |
+ Injection Vector

Externally controllable external URL references within a flash file (SWF).

+ Payload

Any HTTP Request transport variables (GET, POST, Headers, etc.).

+ Activation Zone

Flash plugin inside the client web browser where script is executed.

+ Payload Activation Impact

Client web browser may be used to steal session data, passwords and other information which transit through the vulnerable flash application.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
+ Technical Context
Architectural Paradigms: Web, Client-Server, n-Tier
Frameworks: All
Platforms: All
Languages: All
+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
Page Last Updated or Reviewed: May 01, 2017