We describe some interesting aspects of Flash's security model here. However, first we
briefly describe some interesting features of Flash that JavaScript does not possess.
Flash's scripting language is called ActionScript. ActionScript is similar to JavaScript
and includes some interesting classes from an attacker's perspective:
• The class Socket allows the developer to create raw TCP socket connections
to allowed domains, for purposes such as crafting complete HTTP requests
with spoofed headers such as Referer. Socket can also be used to scan
network computers and ports that are not accessible externally.
• The class ExternalInterface allows the developer to run JavaScript in
the browser from Flash, for purposes such as reading from and writing to
document.cookie.
• The classes XML and URLLoader perform HTTP requests (with the browser
cookies) on behalf of the user to allowed domains, for purposes such as
cross-domain requests.
By default, the security model for Flash is similar to that of the same origin policy.
Namely, Flash can read responses from requests only from the same domain from which
the Flash application originated. Flash also places some security around making HTTP
requests, but you can make cross-domain GET requests via Flash's getURL function.