CAPEC-174: Flash Parameter Injection (Version 3.2)

Attack Pattern ID: 174
Abstraction: Detailed
Status: Draft
+ Description
An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document. These 'FlashVars' are most often passed to the Flash file via URL arguments or from the Object or Embed tag within the embedding HTML document. If these FlashVars are not properly sanitized, an adversary may be able to embed malicious content (such as scripts) into the HTML document. The injected parameters can also provide the adversary control over other objects within the Flash file as well as full control over the parent document's DOM model. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. Flash Parameter Injection attacks can also preface further attacks such as various forms of Cross-Site Scripting (XSS) attacks in addition to Session Hijacking attacks.
+ Likelihood Of Attack

High

+ Typical Severity

Medium

+ Relationships

The table below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature      Type                     ID   Name
ChildOf     Standard Attack Pattern  182  Flash Injection
CanAlsoBe   Detailed Attack Pattern  460  HTTP Parameter Pollution (HPP)
CanPrecede  Standard Attack Pattern  63   Cross-Site Scripting (XSS)
CanPrecede  Detailed Attack Pattern  178  Cross-Site Flashing

+ Execution Flow
Explore
  1. Spider: Using a browser or an automated tool, an adversary records all instances of HTML documents that have embedded Flash files. For each embedded Flash file, they list how global parameters are passed to it from the embedding object.

    Techniques
    Use an automated tool to record all URLs whose HTML documents embed Flash files and list the parameters passed to each Flash file.
    Use a browser to manually explore the website, check whether each HTML document embeds Flash files, and list the parameters passed to the Flash file.
Experiment
  1. Determine the application's susceptibility to Flash parameter injection: For each URL identified in the Explore phase, the adversary attempts various techniques (DOM-based, reflected, flashvars and persistent attacks) depending on the type of parameter passed to the embedded Flash file.

    Techniques
    When the JavaScript 'document.location' value is used as part of the parameter, inject '#' followed by the payload into the parameter in the URL.
    When the name of the Flash file is exposed as a form or URL parameter, the attacker injects '?' followed by the payload after the file name in the URL to override a global value.
    When the arguments are passed in the 'flashvars' attribute, the attacker injects '&' followed by the payload in the URL.
    If some attributes of the <object> tag are received as parameters, a 'flashvars' attribute is injected into the <object> tag, even though the creator of the web page never intended to allow arguments to be passed into the Flash file.
    If shared objects are used to save data entered by the user, persistent Flash parameter injection may occur: malicious code is injected into the Flash file and executed every time the Flash file is loaded.
Exploit
  1. Execute Flash Parameter Injection attack: Inject parameters into the Flash file. Based on the results of the Experiment phase, the adversary crafts the malicious URL containing the injected Flash parameters and submits it to the web server. Once the web server receives the request, the embedding HTML document is controllable by the adversary.

    Techniques
    Craft underlying malicious URL and send it to the web server to take control of the embedding HTML document.
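The Execution Flow above lists the URL shapes each technique produces ('#' before extra variables, '?' appended to the .swf name, injected '&' pairs, and a 'flashvars' attribute supplied as a request parameter). From the defender's side, those same shapes can be searched for in web server logs. The following scanner is an added example and not part of the CAPEC entry; the log format, the sample lines and the function names are constructed for illustration.

```javascript
// Added example (not part of the CAPEC entry): a small access-log scanner
// that flags request URLs matching the FPI techniques listed in the
// Execution Flow. Log format, field names and sample lines are constructed.

// Constructed sample lines in Apache "combined" format.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /player.swf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2019:13:55:40 +0000] "GET /vulnerable.swf?flashfile=javascript:alert(document.domain) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2019:13:56:01 +0000] "GET /page.html?movie=myfile.swf%3FglobalVar%3De-v-i-l HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2019:13:56:12 +0000] "GET /page.html?location=http%3A%2F%2Fexample.com%2Findex.htm%23%26globalVar%3De-v-i-l HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [10/Oct/2019:13:57:30 +0000] "GET /embed.php?width=300&flashvars=globalVar%3De-v-i-l HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [10/Oct/2019:13:58:00 +0000] "GET /page.html?language=English HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// Request line inside a combined-format log entry: method, target, protocol.
const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

// Percent-decode without throwing on malformed escapes (keep raw text instead).
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Split a raw query string into decoded name/value pairs. The split on '&'
// happens before decoding, so an encoded '%26' inside a value stays part of
// that value, exactly as the server-side application would see it.
function parseQuery(rawQuery) {
  return rawQuery.split('&').filter(Boolean).map((pair) => {
    const i = pair.indexOf('=');
    const rawName = i < 0 ? pair : pair.slice(0, i);
    const rawValue = i < 0 ? '' : pair.slice(i + 1);
    return { name: safeDecode(rawName).toLowerCase(), value: safeDecode(rawValue) };
  });
}

// Return the list of FPI indicators found in one request target (empty if none).
function classifyRequest(target) {
  const reasons = [];
  const q = target.indexOf('?');
  if (q < 0) return reasons;
  for (const p of parseQuery(target.slice(q + 1))) {
    const v = p.value.trim();
    if (/^(javascript|vbscript|data):/i.test(v)) {
      reasons.push(`script-scheme URL in parameter "${p.name}"`);
    }
    if (p.name === 'flashvars') {
      reasons.push('"flashvars" supplied as a request parameter (object-tag attribute injection)');
    }
    if (/\.swf\?/i.test(v)) {
      reasons.push(`query appended to a .swf reference in parameter "${p.name}"`);
    }
    if (/#.*[&=]/.test(v)) {
      reasons.push(`fragment followed by extra variables in parameter "${p.name}"`);
    }
  }
  return reasons;
}

// Scan log lines; returns one finding per line that carries indicators.
function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const m = REQUEST_RE.exec(line);
    if (!m) return;
    const reasons = classifyRequest(m[1]);
    if (reasons.length) findings.push({ lineNo: idx + 1, target: m[1], reasons });
  });
  return findings;
}

for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`line ${f.lineNo}: ${f.target}\n  - ${f.reasons.join('\n  - ')}`);
}
```

Only the reflected and persistent variants leave a trace in server logs: a DOM-based injection carried purely in the URL fragment is never sent to the server, so the fragment check above only fires when the whole target URL (including its '#') is passed as a percent-encoded parameter value, as in the fourth sample line.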
+ Skills Required
[Level: Medium]
The attacker needs to inject values into the global parameters of the Flash file and understand the DOM structure of the parent HTML document. The attacker must also be able to convince the victim to follow the crafted link.
+ Resources Required
The attacker must convince the victim to click their crafted link.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope            Impact                         Likelihood
Confidentiality  Other                          -
Authorization    Execute Unauthorized Commands  -
+ Mitigations
User input must be sanitized according to its context before being reflected back to the user. The JavaScript function 'encodeURI' is not always sufficient for sanitizing input intended for global Flash parameters. Extreme caution should be taken when saving user input in Flash cookies. In such cases the Flash file itself will need to be fixed and recompiled, changing the name of the local shared objects (Flash cookies).
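The reason 'encodeURI' is insufficient is that it deliberately leaves the reserved characters '&', '=', '?' and '#' unencoded, and those are exactly the delimiters that separate one FlashVar from the next. The following is an added example, not code from the CAPEC entry, showing the weak pattern beside a hardened builder that allow-lists parameter names, validates values against a strict pattern, encodes with 'encodeURIComponent' and then escapes for the HTML attribute context. The FlashVar names, the allow-list rules and the function names are assumptions for illustration.

```javascript
// Added example (not part of the CAPEC entry): building the flashvars
// attribute from user-controlled input. Parameter names, allow-list rules and
// the function names are assumptions for illustration.

// Allow-list: only these FlashVars may be set from request data, and each
// value must match a strict pattern before it is accepted.
const ALLOWED_FLASHVARS = {
  language: /^[A-Za-z]{2,16}$/,          // e.g. "English"
  theme: /^[a-z0-9_-]{1,32}$/,
  comment: /^[\x20-\x7e]{0,64}$/,        // free text, printable ASCII only
};

// The weak pattern the Mitigations text warns about: encodeURI() leaves the
// reserved characters & = ? # untouched, so an injected "&globalVar=..."
// survives and becomes an extra FlashVar.
function weakFlashVars(params) {
  return Object.entries(params)
    .map(([name, value]) => `${encodeURI(name)}=${encodeURI(value)}`)
    .join('&');
}

// Hardened builder: reject unknown names and out-of-pattern values, then
// encode with encodeURIComponent(), which does escape & = ? # as %26 %3D %3F %23.
function buildFlashVars(params) {
  const parts = [];
  for (const [name, value] of Object.entries(params)) {
    const rule = ALLOWED_FLASHVARS[name];
    if (!rule) throw new Error(`FlashVar "${name}" is not on the allow-list`);
    if (typeof value !== 'string' || !rule.test(value)) {
      throw new Error(`FlashVar "${name}" has a value outside its allowed pattern`);
    }
    parts.push(`${encodeURIComponent(name)}=${encodeURIComponent(value)}`);
  }
  return parts.join('&');
}

// HTML attribute context: the flashvars string is placed inside a quoted
// attribute, so it needs attribute escaping on top of the URL encoding.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render the <object> tag. The SWF path is also restricted so that a
// "file.swf?globalVar=..." value cannot smuggle parameters via the data URI.
function renderObjectTag(swfPath, params) {
  if (!/^[A-Za-z0-9_\/-]+\.swf$/.test(swfPath)) {
    throw new Error('SWF path must be a plain relative path ending in .swf');
  }
  const flashvars = buildFlashVars(params);
  return `<object type="application/x-shockwave-flash" data="${escapeAttr(swfPath)}"` +
    ` flashvars="${escapeAttr(flashvars)}"></object>`;
}

// Demonstration with a constructed input that carries an injected FlashVar.
const tainted = { language: 'English&globalVar=e-v-i-l' };
console.log('encodeURI only :', weakFlashVars(tainted));   // injection survives
try {
  buildFlashVars(tainted);
} catch (e) {
  console.log('allow-listed   :', e.message);                // rejected
}
console.log(renderObjectTag('player.swf', { language: 'English', comment: 'x&y=z' }));
```

The same split applies to the persistent case in the Example Instances: a value that is about to be written to a local shared object should pass the allow-list check first, since anything stored there is replayed on every later load of the Flash file.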
+ Example Instances

The following are examples for different types of parameters passed to the Flash file.

DOM-based Flash parameter injection
    <object>
      <embed src="myFlash.swf" flashvars="location=http://example.com/index.htm#&globalVar=e-v-i-l"></embed>
    </object>
Passing parameter in an embedded URI
    <object type="application/x-shockwave-flash" data="myfile.swf?globalVar=e-v-i-l"></object>
Passing parameter in flashvars
    <object type="application/x-shockwave-flash" data="myfile.swf" flashvars="language=English&globalVar=e-v-i-l"></object>
Persistent Flash Parameter Injection
    // Create a new shared object or read an existing one
    mySharedObject = SharedObject.getLocal("flashToLoad");
    if (_root.flashfile == undefined) {
        // Check whether there is a shared object saved
        if (mySharedObject.data.flash == null) {
            // Set a default value
            _root.flashfile = "defaultFlash.swf";
        } else {
            // Read the flash file to load from the shared object
            _root.flashfile = mySharedObject.data.flash;
        }
    }
    // Store the flash file's name in the shared object (the value supplied
    // via the 'flashfile' parameter is persisted without validation)
    mySharedObject.data.flash = _root.flashfile;
    // Load the flash file
    getURL(_root.flashfile);

If an unsuspecting user is lured by an attacker into clicking a link like this: http://example.com/vulnerable.swf?flashfile=javascript:alert(document.domain)

The result will be not merely a one-time execution of the JavaScript code in the victim's browser in the context of the domain with the vulnerable Flash file, but every time the Flash is loaded, whether by direct reference or embedded inside the same domain, the JavaScript will be executed again.

+ References
[REF-40] Yuval B., Ayal Y. and Adi S. "Flash Parameter Injection: A Security Advisory". IBM Rational Security Team. 2008-09-24. <http://blog.watchfire.com/FPI.pdf>.
[REF-560] "Elaborate Ways to Exploit XSS: Flash Parameter Injection (FPI)". Acunetix. 2014-04-08. <https://www.acunetix.com/blog/articles/elaborate-ways-exploit-xss-flash-parameter-injection/>.
+ Content History
Submissions
Submission Date  Submitter           Organization
2014-06-23       CAPEC Content Team  The MITRE Corporation
Modifications
Modification Date  Modifier            Organization
2017-05-01         CAPEC Content Team  The MITRE Corporation
                   Updated Attack_Phases, Description Summary, Related_Attack_Patterns
2019-04-04         CAPEC Content Team  The MITRE Corporation
                   Updated Description, Example_Instances, Execution_Flow, References, Related_Attack_Patterns, Related_Weaknesses, Skills_Required
2019-09-30         CAPEC Content Team  The MITRE Corporation
                   Updated Related_Attack_Patterns
Page Last Updated or Reviewed: September 30, 2019