Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos
"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"
Consider the following Flash application that takes user input:

```actionscript
class VulnerableMovie {
    static var app : VulnerableMovie;

    function VulnerableMovie() {
        _root.createTextField("tf",0,100,100,640,480);
        if (_root.userinput1 != null) {
            getURL(_root.userinput1);
        }
        _root.tf.html = true; // default is safely false
        _root.tf.htmlText = "Hello " + _root.userinput2;
        if (_root.userinput3 != null ) {
            _root.loadMovie(_root.userinput3);
        }
    }

    static function main(mc) {
        app = new VulnerableMovie();
    }
}
```

Imagine that this code came from downloading an SWF and decompiling it. This Flash application takes three user-definable inputs (userinput1, userinput2, and userinput3) via URL parameters in the source of the object tag like this:
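An added example, not from the book: a short Python audit pass over decompiled ActionScript that reports where a `_root` variable reaches one of the three sinks used in the class above (`getURL`, `htmlText`, `loadMovie`). The sample text is constructed from that class, and treating every bare `_root.<name>` read as settable from outside the movie is a heuristic assumption.

```python
import re

# Constructed sample: constructor body of the decompiled class discussed above.
SAMPLE = '''\
if (_root.userinput1 != null) {
    getURL(_root.userinput1);
}
_root.tf.html = true; // default is safely false
_root.tf.htmlText = "Hello " + _root.userinput2;
if (_root.userinput3 != null) {
    _root.loadMovie(_root.userinput3);
}
'''

# The three sinks used in the text; group 1 captures the expression reaching the sink.
SINKS = [
    ("getURL", re.compile(r"\bgetURL\s*\((.*)\)")),
    ("htmlText", re.compile(r"\.htmlText\s*=(?!=)\s*(.*?);")),
    ("loadMovie", re.compile(r"\bloadMovie\s*\((.*)\)")),
]
# Heuristic (assumption): a bare read of _root.<name>, not followed by "." or "(",
# is a timeline variable that the embedding page can set through URL parameters.
ROOT_READ = re.compile(r"_root\.(\w+)\b(?!\s*[.(])")
HTML_ON = re.compile(r"\.html\s*=\s*true\b")


def audit(source):
    """Return (line, sink, variable) for each _root input that reaches a sink."""
    html_enabled = bool(HTML_ON.search(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):
            continue  # whole-line comment
        for sink, pattern in SINKS:
            if sink == "htmlText" and not html_enabled:
                continue  # with html left false the field shows markup as plain text
            match = pattern.search(line)
            if match:
                for var in ROOT_READ.findall(match.group(1)):
                    findings.append((lineno, sink, var))
    return findings


if __name__ == "__main__":
    for lineno, sink, var in audit(SAMPLE):
        print(f"line {lineno}: _root.{var} reaches {sink}")
```

The pass is line-based, so a value copied into a local variable before it reaches a sink is missed; an empty result is a reason to keep reading the decompiled source, not a sign that it is clean.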