CAPEC-182: Flash Injection (CAPEC Version 2.11)

Attack Pattern ID: 182
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Summary

An attacker tricks a victim into executing malicious Flash content that runs commands or makes Flash calls specified by the attacker. One example of this attack is cross-site flashing, in which an attacker-controlled parameter passed to a reference call causes content specified by the attacker to be loaded.

+ Attack Steps
Explore
  1. Find Injection Entry Points: The attacker first takes an inventory of the entry points of the application.

    Spider the website for all available URLs that reference a Flash application.

    List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, and variables loaded from external movies.

Experiment
  1. Determine the application's susceptibility to Flash injection: Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.

    Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg

    Test the page using controlled evil page/host, http://example.com/evil.swf

    Test the page using Flash HTML injection, "'><img src='asfunction:getURL,javascript:gotRoot("")//.jpg' >

    Test the page using DOM injection, (gotRoot(''))

Exploit
  1. Inject malicious content into target: Inject malicious content into the target using the vulnerable injection vectors identified in the Experiment phase.

+ Attack Prerequisites
  • The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.

+ Typical Severity

Medium

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

In the following example, the SWF file contains

getURL('javascript:SomeFunc("someValue")','','GET')

A request like

http://example.com/noundef.swf?a=0:0;alert('XSS')

becomes

javascript:SomeFunc("someValue")?a=0:0;alert(123)
+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

+ Resources Required

None: No specialized resources are required to execute this type of attack. The attacker may need to be able to serve the injected Flash content.

+ Solutions and Mitigations

Implementation: remove sensitive information such as user names and passwords from the SWF file.

Implementation: use validation on both client and server side.

Implementation: remove debug information.

Implementation: use SSL when loading external data.

Implementation: use a crossdomain.xml file to control which domains may load the application's data or call its SWF file from another domain.
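The following is an added example, not part of the CAPEC entry, showing server-side checks for the example above and for the validation and crossdomain.xml mitigations: an allowlist validator for the FlashVars handed to a SWF, which refuses a value such as the 0:0;alert('XSS') shown in the example before getURL could append it to a javascript: URL, and an auditor that flags a wildcard domain or secure="false" entry in a crossdomain.xml policy. The parameter names, value patterns and sample policies are this example's assumptions.

```python
import re
from urllib.parse import parse_qsl
import xml.etree.ElementTree as ET

# Allowlist for the FlashVars a SWF accepts (names assumed): each value must
# match its pattern in full, so "a=0:0;alert('XSS')" never reaches getURL().
FLASHVARS_SCHEMA = {
    "a": re.compile(r"[0-9]{1,6}"),     # numeric id only
    "lang": re.compile(r"[a-z]{2}"),    # short language code
}

def validate_flashvars(query, schema=FLASHVARS_SCHEMA):
    """Split a query string into (accepted dict, list of rejection reasons)."""
    accepted, errors = {}, []
    try:
        # strict_parsing fails on fragments without '=' (older Pythons also split on ';')
        pairs = parse_qsl(query, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        return accepted, [f"malformed query: {exc}"]
    for key, value in pairs:
        if key not in schema:
            errors.append(f"unexpected parameter {key!r}")
        elif not schema[key].fullmatch(value):
            errors.append(f"rejected value for {key!r}: {value!r}")
        else:
            accepted[key] = value
    return accepted, errors

def audit_crossdomain_policy(policy_xml):
    """List the permissive settings in a crossdomain.xml document."""
    findings = []
    for el in ET.fromstring(policy_xml).iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*': any site may read the data")
        if el.get("secure", "true").lower() == "false":
            findings.append(f"secure='false' for {domain!r}: plain-HTTP callers allowed")
    return findings

# Constructed sample policies: the weak one next to its corrected form.
WEAK_POLICY = ('<cross-domain-policy>'
               '<allow-access-from domain="*" secure="false"/>'
               '</cross-domain-policy>')
RESTRICTED_POLICY = ('<cross-domain-policy>'
                     '<allow-access-from domain="www.example.com"/>'
                     '</cross-domain-policy>')

if __name__ == "__main__":
    print(validate_flashvars("a=0:0;alert('XSS')"), validate_flashvars("a=42&lang=en"))
    print(audit_crossdomain_policy(WEAK_POLICY), audit_crossdomain_policy(RESTRICTED_POLICY))
```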

+ Attack Motivation-Consequences
Scope                                                            Technical Impact                          Note
Confidentiality                                                  "Varies by context"                       Information Leakage
Integrity                                                        Modify files or directories
Confidentiality                                                  Read files or directories
Integrity                                                        Modify application data
Confidentiality                                                  Read memory
Integrity                                                        Modify memory
Confidentiality                                                  Read application data
Authorization                                                    Execute unauthorized code or commands     Run Arbitrary Code
Accountability, Authentication, Authorization, Non-Repudiation   Gain privileges / assume identity
Access_Control, Authorization                                    Bypass protection mechanism
+ Injection Vector

URL, the objects in the SWF file, script in the Web browser.

+ Payload

The crafted value injected into the URL or other objects in the SWF file.

+ Activation Zone

The application environment where the Flash runs.

+ Payload Activation Impact

The injection can allow the attacker to obtain sensitive information, escalate privileges, execute commands, and perform cross-site scripting through Flash.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: Medium
Availability Impact: Low
+ Technical Context
Architectural Paradigms: Client-Server, n-Tier
Frameworks: All
Platforms: All
Languages: All
+ Content History
Submissions
Submitter            Organization            Date         Source
CAPEC Content Team   The MITRE Corporation   2014-06-23   Internal_CAPEC_Team
Modifications
Modifier             Organization            Date         Comments                          Source
CAPEC Content Team   The MITRE Corporation   2017-05-01   Updated Related_Attack_Patterns   Internal
CAPEC Content Team   The MITRE Corporation   2017-08-04   Updated Resources_Required        Internal

Page Last Updated or Reviewed: July 31, 2017