An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
Find Injection Entry Points: The attacker first takes an inventory of the entry points of the application.
Spider the website for all available URLs that reference a Flash application.
List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies.
Determine the application's susceptibility to Flash injection: Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.
Test the page using controlled evil page/host, http://example.com/evil.swf
Test the page using DOM injection, (gotRoot(''))
Inject malicious content into target: Inject malicious content into target utilizing vulnerable injection vectors identified in the Experiment phase
The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.
More information is available — Please select a different filter.
Page Last Updated or Reviewed:
July 31, 2017
Use of the Common Attack Pattern Enumeration and Classification dictionary and classification taxonomy, and the associated references from this website, are subject to the