CAPEC-182: Flash Injection (CAPEC Version 2.6)

Attack Pattern ID: 182
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attacker tricks a victim into executing malicious Flash content that runs commands or makes Flash calls specified by the attacker. One example of this attack is cross-site flashing, in which an attacker-controlled parameter to a reference call causes content specified by the attacker to be loaded.

Attack Execution Flow

Explore
  1. Find Injection Entry Points:

    The attacker first takes an inventory of the entry points of the application.

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Spider the website for all available URLs that reference a Flash application. | env-Web
    2 | List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, and load variables to external movies. | env-Web

    Indicators

    ID | Type | Indicator Description | Environments
    1 | Positive | The application has embedded Flash movies. | env-Web
    2 | Negative | The application does not have embedded Flash movies. | env-Web

    Outcomes

    ID | Type | Outcome Description
    1 | Success | A list of URLs with embedded Flash movies, together with the list of uninitialized global variables and load variables to external movies.

    Security Controls

    ID | Type | Security Control Description
    1 | Detective | Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
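A defender-side illustration of the detective control above, added here as an example and not part of the CAPEC entry: it parses constructed web-log lines (the simplified log format and the client addresses are made up for this example), groups requests by client, and flags clients whose inter-request gaps are both short and regular, the tool signature the control describes. The thresholds (five requests, a median gap of two seconds or less, a coefficient of variation of 0.25 or less) are assumptions to tune against your own traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log lines (not from the page): "<ISO-8601 time> <client IP> <method> <path> <status>".
# 198.51.100.7 walks the site at a steady 0.8 s cadence, the rhythm the control attributes to tools;
# 203.0.113.5 requests pages at irregular, human-like intervals.
SAMPLE_LOG = """\
2014-06-10T12:00:00.000Z 198.51.100.7 GET /index.html 200
2014-06-10T12:00:00.800Z 198.51.100.7 GET /player.swf 200
2014-06-10T12:00:01.600Z 198.51.100.7 GET /about.html 200
2014-06-10T12:00:02.400Z 198.51.100.7 GET /media/intro.swf 200
2014-06-10T12:00:03.200Z 198.51.100.7 GET /contact.html 200
2014-06-10T12:00:04.000Z 198.51.100.7 GET /help.html 200
2014-06-10T12:00:05.000Z 203.0.113.5 GET /index.html 200
2014-06-10T12:00:19.300Z 203.0.113.5 GET /player.swf 200
2014-06-10T12:00:47.900Z 203.0.113.5 GET /about.html 200
2014-06-10T12:01:31.200Z 203.0.113.5 GET /contact.html 200
2014-06-10T12:01:39.800Z 203.0.113.5 GET /help.html 200
"""


def parse_log(text):
    """Yield (client, timestamp, path) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, path, _status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        yield client, when, path


def client_stats(records):
    """Per client: request count, median inter-request gap (s) and the gaps' coefficient of variation."""
    by_client = defaultdict(list)
    for client, when, _path in records:
        by_client[client].append(when)
    stats = {}
    for client, times in by_client.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue  # too few requests to judge a rhythm
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        stats[client] = {
            "requests": len(times),
            "median_gap": statistics.median(gaps),
            "gap_cv": cv,  # 0.0 means perfectly regular spacing
        }
    return stats


def flag_spiders(text, min_requests=5, max_median_gap=2.0, max_gap_cv=0.25):
    """Return clients whose fetch rhythm is both fast and regular (assumed thresholds)."""
    flagged = []
    for client, s in client_stats(parse_log(text)).items():
        if (s["requests"] >= min_requests
                and s["median_gap"] <= max_median_gap
                and s["gap_cv"] <= max_gap_cv):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, s in client_stats(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {s['requests']} requests, median gap {s['median_gap']:.2f}s, gap CV {s['gap_cv']:.2f}")
    print("flagged as tool-driven:", flag_spiders(SAMPLE_LOG))
```

Velocity alone is a weak signal (a fast human on a cached site can look quick), so the check combines rate with regularity; on real logs, run it per client over a sliding window rather than over the whole file, and treat a hit as a lead for review, not proof of an attack.
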
Experiment
  1. Determine the application's susceptibility to Flash injection:

    For each URL identified in the Explore phase, the attacker attempts various techniques such as direct load asfunction, a controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg | env-Web
    2 | Test the page using a controlled evil page/host, http://example.com/evil.swf | env-Web
    3 | Test the page using Flash HTML injection, "'><img src='asfunction:getURL,javascript:gotRoot("")//.jpg' > | env-Web
    4 | Test the page using DOM injection, (gotRoot('')) | env-Web

    Outcomes

    ID | Type | Outcome Description
    1 | Success | At least one URL is found to be susceptible to Flash injection.
    2 | Failure | No URL susceptible to Flash injection is found.

    Security Controls

    ID | Type | Security Control Description
    1 | Preventative | Perform input validation on both the client side and the server side.
Exploit
  1. Inject malicious content into target:

    Inject malicious content into the target using the vulnerable injection vectors identified in the Experiment phase.

+ Attack Prerequisites
  • The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.

+ Typical Severity

Medium

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

In the following example, the SWF file contains

    getURL('javascript:SomeFunc("someValue")','','GET')

A request like

    http://example.com/noundef.swf?a=0:0;alert('XSS')

becomes

    javascript:SomeFunc("someValue")?a=0:0;alert(123)

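The example above works because an undefined parameter reaches the SWF unchecked. The following server-side check, added here as an example and not part of the CAPEC entry or of any Flash application, shows the validation that the entry's "both client and server side" control means for the request URL: every parameter the SWF accepts is listed in a schema (the schema, the allowed hosts and the parameter names are assumptions), plain values must match a strict character allowlist, and URL-typed values must be absolute http(s) URLs on an allowed host, which rules out javascript:, asfunction: and attacker-hosted SWFs. Anything not in the schema is dropped rather than forwarded.

```python
import re
from urllib.parse import urlsplit, unquote_plus, urlencode

# Hypothetical parameter schema for a SWF (an assumption, not from the page).
PARAM_SCHEMA = {"a": "plain", "movie": "url"}
# Placeholder hosts the SWF is allowed to load content from (assumed, not real deployments).
ALLOWED_HOSTS = {"app.example.org", "cdn.example.org"}
# Plain values: short, alphanumeric plus a few separators; no quotes, colons, semicolons or brackets.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def parse_query(query):
    """Split a query string on '&' only, so a ';' inside a value stays there and gets rejected."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def value_is_valid(kind, value):
    """Allowlist check for one parameter value according to its schema kind."""
    if kind == "plain":
        return SAFE_VALUE.fullmatch(value) is not None
    if kind == "url":
        parts = urlsplit(value)
        # Scheme allowlist rejects javascript:/asfunction:; host allowlist rejects foreign SWFs.
        return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS
    raise ValueError(f"unknown parameter kind: {kind}")


def validate_request(url):
    """Return (ok, rejected): rejected maps each refused parameter name to the reason."""
    rejected = {}
    for name, value in parse_query(urlsplit(url).query):
        kind = PARAM_SCHEMA.get(name)
        if kind is None:
            rejected[name] = "unknown parameter"
        elif not value_is_valid(kind, value):
            rejected[name] = "invalid value"
    return (not rejected), rejected


def sanitized_query(url):
    """Rebuild the query string with only schema-listed, valid parameters for forwarding to the SWF."""
    kept = [(n, v) for n, v in parse_query(urlsplit(url).query)
            if PARAM_SCHEMA.get(n) is not None and value_is_valid(PARAM_SCHEMA[n], v)]
    return urlencode(kept)


if __name__ == "__main__":
    # The page's own injected request plus a constructed benign one.
    for u in ["http://example.com/noundef.swf?a=0:0;alert('XSS')",
              "http://app.example.org/noundef.swf?a=someValue&movie=https://cdn.example.org/intro.swf"]:
        ok, rejected = validate_request(u)
        print(u, "->", "ok" if ok else f"rejected {rejected}", "| forwarded:", sanitized_query(u) or "(nothing)")
```

The same rule set belongs in the SWF itself: initialise every global the movie reads (so _root.a has a known value before any FlashVars are applied) and apply the same allowlist before the value is concatenated into a getURL call, since the server-side check cannot see a SWF that is embedded and parameterised from another site.
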
+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

+ Resources Required

The attacker may need to be able to serve the injected Flash content, but otherwise no special resources are required.

+ Solutions and Mitigations

Implementation: remove sensitive information such as user names and passwords from the SWF file.

Implementation: use validation on both the client and the server side.

Implementation: remove debug information.

Implementation: use SSL when loading external data.

Implementation: use a crossdomain.xml file to control which domains may load the application's data or call its SWF file from another domain.
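The crossdomain.xml mitigation is easy to get wrong by allowing every domain, which is the opposite of its purpose. As an added example, not taken from the CAPEC entry or from Adobe, the following audit script parses two constructed policy files, one permissive and one restrictive, and reports the settings that widen who may load the application's data. The element and attribute names are the standard crossdomain.xml ones; the host names are placeholders and the severity labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed policy files (not from the page). The first is the overly permissive form the
# mitigation warns against; the second restricts loading to named origins over TLS.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.org" secure="true"/>
  <allow-access-from domain="*.cdn.example.org" secure="true"/>
  <allow-http-request-headers-from domain="app.example.org" headers="X-Requested-With"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for one crossdomain.xml document."""
    root = ET.fromstring(xml_text)  # a policy you serve yourself; no external entities involved
    if root.tag != "cross-domain-policy":
        return [("high", f"unexpected root element <{root.tag}>")]
    findings = []

    site_control = root.find("site-control")
    if site_control is None:
        findings.append(("low", "no <site-control>; set permitted-cross-domain-policies=\"master-only\" "
                                "so only this master policy file is authoritative"))
    elif site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control permits any policy file on the host, so a policy planted "
                                   "elsewhere on the site would be honoured"))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", "allow-access-from domain=\"*\": any SWF on any site may load this "
                                     "origin's data with the user's cookies"))
        elif domain.startswith("*.") and domain.count(".") < 2:
            findings.append(("high", f"allow-access-from domain=\"{domain}\": wildcard covers an entire "
                                     "top-level domain"))
        if el.get("secure", "true").lower() == "false":
            findings.append(("medium", f"allow-access-from domain=\"{domain}\" secure=\"false\": SWFs loaded "
                                       "over plain HTTP may read this HTTPS origin's data"))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            findings.append(("medium", "allow-http-request-headers-from is wildcarded: any origin may send "
                                       "arbitrary headers with its requests"))
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label} policy:")
        for severity, message in audit_policy(policy) or [("info", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run the audit against the policy actually served at the site root, since that is the file Flash Player consults; a tightened copy in source control does nothing if a permissive one is still deployed.
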

+ Attack Motivation-Consequences
Scope | Technical Impact | Note
Confidentiality | "Varies by context" | Information Leakage
Integrity | Modify files or directories |
Confidentiality | Read files or directories |
Integrity | Modify application data |
Confidentiality | Read memory |
Integrity | Modify memory |
Confidentiality | Read application data |
Authorization | Execute unauthorized code or commands | Run Arbitrary Code
Accountability, Authentication, Authorization, Non-Repudiation | Gain privileges / assume identity |
Access_Control, Authorization | Bypass protection mechanism |
+ Injection Vector

The URL, the objects in the SWF file, or script in the Web browser.

+ Payload

The crafted value injected into the URL or into other objects in the SWF file.

+ Activation Zone

The application environment where the Flash runs.

+ Payload Activation Impact

Description

The injection can allow the attacker to obtain sensitive information, escalate privileges, execute commands, and perform cross-site scripting through Flash.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: Medium
Availability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ References
[R.182.1] Stefano Di Paola. "Finding Vulnerabilities in Flash Applications". OWASP Appsec 2007. November 15, 2007.
[R.182.2] Rudra K. Sinha Roy. "A Lazy Pen Tester's Guide to Testing Flash Applications". iViz. <http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/>.
[R.182.3] Peleus Uhley. "Creating More Secure SWF Web Application". Adobe Systems Incorporated. <http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html>.
+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team

Page Last Updated: July 23, 2014