CAPEC-246: Cross-Site Scripting Using Flash (CAPEC Version 2.4)

Attack Pattern ID: 246
Abstraction: Standard
Status: Draft
Completeness: Hook
Description

Summary

An attacker injects malicious script into the global parameters of a Flash movie via a crafted URL. The malicious script is executed in the context of the Flash movie. As such, this is a form of Cross-Site Scripting (XSS), but the abilities granted to the Flash movie make this attack more flexible.

Attack Execution Flow

Explore
  1. Spider:

    Using a browser or an automated tool, an attacker records all instances of Flash movies and verifies that known variables allow for simple XSS.

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Use search engines to locate SWF files (Flash movie files) that can be accessed via a URL containing known variable parameters. | env-Web
    2 | Use a search engine to locate SWF files on a specific file server. | env-Web

    Indicators

    ID | Type | Indicator Description | Environments
    1 | Positive | A SWF Flash movie file that is accessed via a URL using a global or known variable has been located, or a potential SWF file on a specific target server has been located. | env-Web
    2 | Inconclusive | A SWF Flash movie file has not been located. | env-Web

    Outcomes

    ID | Type | Outcome Description
    1 | Success | A list of SWF files with the potential for XSS.

    Security Controls

    ID | Type | Security Control Description
    1 | Detective | Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).

Experiment
  1. Determine the SWF file susceptibility to XSS:

    Determine the SWF file susceptibility to XSS. For each SWF file identified in the Explore phase, the attacker attempts to use various techniques such as reverse engineering and various XSS attacks to determine the vulnerability of the file.

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Compile a list of all variables, both global and specific to the file, that might invoke the getURL function. | env-Web
    2 | Test each variable by overwriting its value via the URL, adding "javascript:" followed by a simple JavaScript command such as "alert('xss')". | env-Web

    Outcomes

    ID | Type | Outcome Description
    1 | Success | At least one variable is found susceptible to Flash cross-site scripting.
    2 | Failure | No variable is found susceptible to Flash cross-site scripting.

    Security Controls

    ID | Type | Security Control Description
    1 | Preventative | User input must be sanitized according to context before being reflected back to the user.
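As an added illustration of the preventative control above (example code, not part of the CAPEC entry): a server-side Python check, assumed to run where the SWF embed or FlashVars query string is assembled, that lets only absolute http(s) URLs into navigation-carrying variables such as clickTAG. The variable names and the sample query strings are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Only absolute web URLs may reach a navigation call such as getURL; "javascript:",
# "vbscript:", "data:" and scheme-relative values all fail this allowlist.
ALLOWED_SCHEMES = {"http", "https"}

# FlashVars names that carry a destination URL (assumed names for this example;
# clickTAG is the conventional ad-banner variable, the others are placeholders).
URL_CARRYING_VARS = {"clickTAG", "clickTag", "url", "link"}

# ASCII control characters and whitespace that URL consumers commonly discard
# before deciding on the scheme, so "java\tscript:" is normalised before checking.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def is_safe_navigation_url(value) -> bool:
    """True only if value is an absolute http(s) URL with a host.

    The value is percent-decoded once and stripped of control characters first,
    so encoded or whitespace-split spellings of "javascript:" are caught as well.
    """
    if not isinstance(value, str) or not value:
        return False
    candidate = _CONTROL_CHARS.sub("", unquote(value))
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed bracketed IPv6 host
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def sanitize_flashvars(query_string: str) -> dict:
    """Build the FlashVars mapping from a request query string.

    URL-carrying variables are kept only when they pass the allowlist; failing
    ones are dropped rather than "cleaned", since a rejected value has no
    legitimate use. Other variables pass through unchanged (they still need
    HTML escaping if written into the embedding page).
    """
    flashvars = {}
    for name, values in parse_qs(query_string).items():
        value = values[0]
        if name in URL_CARRYING_VARS and not is_safe_navigation_url(value):
            continue
        flashvars[name] = value
    return flashvars


if __name__ == "__main__":
    # Constructed query strings; the first mirrors the page's test payload.
    print(sanitize_flashvars("clickTAG=javascript%3Aalert('xss')&w=300"))
    print(sanitize_flashvars("clickTAG=https%3A%2F%2Fexample.com%2Fad&w=300"))
```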
Content History

Modifications

Modifier | Organization | Date | Comments | Source
CAPEC Content Team | The MITRE Corporation | 2013-06-21 | Updated Attack_Step_Description, Attack_Step_Technique_Description, Attack_Step_Title, Environments, Indicator_Description, Outcome_Description, Security_Control_Description, and Summary | Internal

Page Last Updated: April 10, 2014