
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

swf?userinput2=pwn3d%3Cimg+src%3D%22asfunction%3AgetURL%2Cjavascript%3Aalert%281%29//.jpg%22%3E
Chapter 9: Attacking Flash Applications 233
This attack was first described by Stefano Di Paola of Minded Security in 2007.
Security researchers should pay particular attention to this modest researcher's findings
because Stefano continually finds amazing things.
Alternatively, an attacker may leverage the fact that Flash treats images, movies, and
sounds identically, and inject
where HackWorld.swf contains malicious JavaScript. This loads HackWorld.swf in the
domain of the vulnerable SWF, resulting in the same compromise as the asfunction:
based injection.
XSS via loadMovie() and Other URL Loading Functions
Popularity: 3
Simplicity: 7
Impact: 8
Risk Rating: 8
Consider userinput3 in the VulnerableMovie code. If userinput3 is specified,
then VulnerableMovie calls loadMovie(_root.userinput3); and an attacker could
load any movie or URL of his or her choosing. For example, loading the URL
asfunction:getURL,javascript:alert(1)// would cause an XSS. The full attack URL is this:
http://example.com/VulnerableMovie.swf?userinput3=asfunction%3AgetURL%2Cjavascript%3Aalert%281%29//
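An added example, not from the book: a defender-side check that scans logged request URLs for the pattern above, a .swf request whose parameter decodes to an asfunction: or javascript: scheme. The function names, the sample requests, and the re-encoding proxy are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Pseudo-schemes the page shows reaching loadMovie() through a request parameter.
SCRIPT_SCHEME = re.compile(r"(?:asfunction|javascript):", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # bounded, so a crafted value cannot cause endless decoding


def fully_decode(value):
    """Percent-decode until the value stops changing (handles re-encoded logs)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_flashvars(url):
    """Return [(parameter, decoded value)] for a .swf request carrying a script scheme."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".swf"):
        return []  # only requests that hand parameters to a Flash movie
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl has already decoded once
        if SCRIPT_SCHEME.search(decoded):
            hits.append((name, decoded))
    return hits


# Constructed request URLs. The second is the URL quoted above; the third is the
# same value as a front-end proxy might log it after re-encoding (assumption).
SAMPLE_REQUESTS = [
    "http://example.com/VulnerableMovie.swf?userinput3=intro.swf",
    "http://example.com/VulnerableMovie.swf?userinput3="
    "asfunction%3AgetURL%2Cjavascript%3Aalert%281%29//",
    "http://example.com/VulnerableMovie.swf?userinput3="
    "asfunction%253AgetURL%252Cjavascript%253Aalert%25281%2529//",
    "http://example.com/help.html?topic=javascript-basics",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        for name, value in suspicious_flashvars(url):
            print(f"ALERT {name}={value!r} in {url}")
```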
The // at the end of the attack URL is not necessary to exploit VulnerableMovie, but
// comes in very handy to comment out data concatenated to the user-definable input
within the Flash application, such as when a vulnerable Flash application has this line
of code:
_root.

