Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"


However, Flash applications sometimes provide more functionality. For example, Flash applications can create raw socket connections (via the Socket class). This allows the attacker to craft his or her own complete HTTP packets (including cookies stolen via the ExternalInterface class) or connect to other ports on allowed computers. Note that the Socket connection can make connections only to the domain from which the evil script originated, unless the attacker also reflected an insecure cross-domain policy file to complete this attack.

Some developers protect AJAX responses from HTML injection by setting the MIME type of the response to text/plain or anything other than text/html. HTML injection will not work because the browser will not interpret the response as HTML. However, Flash does not care what MIME type the cross-domain policy file is. So the attacker could potentially use the AJAX response to reflect an insecure cross-domain policy file. This allows an evil Flash application to make requests to the vulnerable web application on behalf of the victim, read arbitrary pages on that domain, and create socket connections to that domain. This style of attack is slightly weaker because the evil Flash application cannot steal cookies (but it can still perform any action on behalf of the user), and it cannot mimic the application to the victimized user (unless the evil Flash application redirects the user to a domain controlled by the attacker).
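The point the paragraph above makes is that a text/plain (or JSON) AJAX response offers no protection against a reflected cross-domain policy, because the Flash runtime ignores the Content-Type header when it looks for `<cross-domain-policy>`. The following checker is an added example and is not code from the book or its authors; it audits HTTP responses the way Flash effectively does, by searching the body for a policy element regardless of MIME type, and flags policies that arrive in a non-policy content type (a strong sign of reflected user input) or that grant wildcard access. The sample responses and the `audit_response` / `wildcard_grants` names are constructed for this example.

```python
"""Audit HTTP responses for embedded Flash cross-domain policies.

Flash ignores the Content-Type header when fetching a policy file, so a
defender must search every response body for <cross-domain-policy>, not
only those served as text/x-cross-domain-policy.  (Added example; not
from the book.)
"""
import re
import xml.etree.ElementTree as ET

# Locate the policy element anywhere in the body, e.g. echoed inside a
# "search results for: ..." text/plain response.
POLICY_RE = re.compile(r"<cross-domain-policy\b.*?</cross-domain-policy\s*>", re.S)

# MIME types under which a genuine policy file would normally be served.
EXPECTED_POLICY_TYPES = ("text/x-cross-domain-policy", "application/xml", "text/xml")


def extract_policy(body):
    """Return the parsed <cross-domain-policy> element found in body, or None."""
    match = POLICY_RE.search(body)
    if match is None:
        return None
    try:
        return ET.fromstring(match.group(0))
    except ET.ParseError:
        return None


def wildcard_grants(policy):
    """Domain patterns in allow-access-from that are dangerously broad:
    '*' (every host) or '*.tld' (an entire top-level domain)."""
    grants = []
    for element in policy.iter("allow-access-from"):
        domain = element.get("domain", "")
        if domain == "*" or re.fullmatch(r"\*\.[A-Za-z]+", domain):
            grants.append(domain)
    return grants


def audit_response(content_type, body):
    """Classify one response.  'reflected' is True when a policy element
    appears under a content type that is not a policy/XML type, which is
    the reflection scenario described on this page."""
    policy = extract_policy(body)
    if policy is None:
        return {"policy_found": False, "reflected": False, "wildcards": []}
    mime = content_type.split(";")[0].strip().lower()
    return {
        "policy_found": True,
        "reflected": mime not in EXPECTED_POLICY_TYPES,
        "wildcards": wildcard_grants(policy),
    }


# Constructed sample responses (not captured from any real site).
MASTER_POLICY = (
    '<?xml version="1.0"?>\n'
    "<cross-domain-policy>\n"
    '  <allow-access-from domain="*.example.com"/>\n'
    "</cross-domain-policy>\n"
)
# A text/plain AJAX endpoint that echoes the user's query back verbatim.
REFLECTED_BODY = (
    "Search results for: <cross-domain-policy>"
    '<allow-access-from domain="*"/></cross-domain-policy>'
)
CLEAN_BODY = 'Search results for: <b>widgets</b>'


def audit_samples():
    """Run the checker over the constructed samples; returns a list of findings."""
    samples = [
        ("text/x-cross-domain-policy", MASTER_POLICY),
        ("text/plain; charset=utf-8", REFLECTED_BODY),
        ("text/plain", CLEAN_BODY),
    ]
    return [audit_response(ctype, body) for ctype, body in samples]


if __name__ == "__main__":
    for finding in audit_samples():
        print(finding)
```

The second sample is exactly the case the text warns about: the body is served as text/plain, so the browser will never render it as HTML, yet the checker still finds a policy with `domain="*"`. The server-side fix is to serve a master `/crossdomain.xml` containing `<site-control permitted-cross-domain-policies="master-only"/>` (or send the `X-Permitted-Cross-Domain-Policies: none` header), which tells Flash to ignore policy files found anywhere else on the domain, including ones reflected through an AJAX response.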

