main(this);
}
}
Note that Flare created readable and functionally equivalent ActionScript for
HackWorld.swf.
Now that you are familiar with both MTASC and Flare, consider the various attacks
that can be perform with JavaScript.
XSS AND XSF VIA FLASH APPLICATIONS
Recall from Chapter 2 that the root cause of XSS is that vulnerable servers do not validate
user-definable input, so an attacker can inject HTML that includes malicious JavaScript.
The HTML injection is due to a programming flaw on the server that allows attackers to
mount XSS attacks. However, XSS can also occur through client side Flash applications. XSS
via web applications occurs when user-definable input within the Flash application is not
properly validated. The XSS executes on the domain that servers the Flash application.
Like server-side developers, Flash developers must validate user input in their Flash
applications or they risk XSS via their Flash applications. Unfortunately, many Flash
developers do not validate input; hence, there are many many XSSs in Flash applications,
including automatically generated Flash applications.
Finding XSS in Flash applications is arguably easier than finding XSS on web
applications because attackers can decompile Flash applications and find security issues
in the source code, rather than blindly testing server-side web applications.
Pages:
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401