CAPEC-182 - Flash Injection

An attacker tricks a victim into executing malicious Flash content that runs commands or makes Flash calls specified by the attacker. One example of this attack is cross-site flashing, in which an attacker-controlled parameter to a reference call causes content specified by the attacker to be loaded.

  • Attack Methods (1)
      • Injection
  • Purposes (2)
      • Penetration
      • Exploitation
  • Scopes (10)
      • "Varies by context" (Confidentiality)
      • Modify files or directories (Integrity)
      • Read files or directories (Confidentiality)
      • Modify application data (Integrity)
      • Read memory (Confidentiality)
      • Modify memory (Integrity)
      • Read application data (Confidentiality)
      • Execute unauthorized code or commands (Authorization)
      • Gain privileges / assume identity (Non-Repudiation, Authorization, Authentication, Accountability)
      • Bypass protection mechanism (Authorization, Access Control)

Attacker Skill Level: Medium

The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.

The attacker may need to be able to serve the injected Flash content, but otherwise no special resources are required.

Explore - Step 1 - Find Injection Entry Points

The attacker first takes an inventory of the entry points of the application.

Technique ID: 1 - Environment(s) env-Web

Spider the website for all available URLs that reference a Flash application.

Technique ID: 2 - Environment(s) env-Web

List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, and variables loaded from external movies.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

The application has embedded Flash movies.

Indicator ID: 2 - Environment(s) env-Web

Type: Negative

The application does not have embedded Flash movies.


Security Control ID: 1

Type: Detective

Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it click far more slowly and far less regularly than tools do. Tools make requests very quickly, and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
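A minimal form of this detective control, added here as an example and not part of the CAPEC entry: it groups requests by client in a constructed log and flags clients whose inter-request gaps are both short and regular. The log layout, thresholds and function names are assumptions.

```python
"""Flag clients whose page-fetch cadence in web logs is too fast and too regular
to be a human clicking links (detective control for CAPEC-182 reconnaissance)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed "timestamp client method path status"
# layout, not a real server log. 203.0.113.7 spiders at a steady 0.8 s;
# 198.51.100.23 browses at irregular, human-paced intervals.
SAMPLE_LOG = """\
2024-03-10T12:00:00.000Z 203.0.113.7 GET /index.html 200
2024-03-10T12:00:00.800Z 203.0.113.7 GET /player.swf 200
2024-03-10T12:00:01.600Z 203.0.113.7 GET /gallery.html 200
2024-03-10T12:00:02.400Z 203.0.113.7 GET /gallery.swf 200
2024-03-10T12:00:03.200Z 203.0.113.7 GET /video.html 200
2024-03-10T12:00:04.000Z 203.0.113.7 GET /video.swf 200
2024-03-10T12:00:05.000Z 198.51.100.23 GET /index.html 200
2024-03-10T12:00:23.400Z 198.51.100.23 GET /player.swf 200
2024-03-10T12:00:31.900Z 198.51.100.23 GET /gallery.html 200
2024-03-10T12:01:15.200Z 198.51.100.23 GET /video.html 200
"""

def parse_log(text):
    """Group request timestamps by client address, in log order."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, _method, _path, _status = line.split()
        by_client[client].append(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"))
    return by_client

def cadence(timestamps):
    """Return (median gap, coefficient of variation) of inter-request gaps in seconds."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return statistics.median(gaps), cv

def flag_automated(text, max_median=2.0, max_cv=0.2, min_requests=4):
    """Map each client with at least min_requests to True when its gaps are short and regular."""
    verdicts = {}
    for client, ts in parse_log(text).items():
        if len(ts) < min_requests:
            continue
        median, cv = cadence(ts)
        verdicts[client] = median <= max_median and cv <= max_cv
    return verdicts
```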


Outcome ID: 1

Type: Success

A list of URLs that embed Flash movies, together with the list of uninitialized global variables and variables loaded from external movies.



Experiment - Step 1 - Determine the application's susceptibility to Flash injection

For each URL identified in the Explore phase, the attacker attempts various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.

Technique ID: 1 - Environment(s) env-Web

Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg

Technique ID: 2 - Environment(s) env-Web

Test the page using controlled evil page/host, http://example.com/evil.swf

Technique ID: 3 - Environment(s) env-Web

Test the page using Flash HTML injection, "'><img src='asfunction:getURL,javascript:gotRoot("")//.jpg' >

Technique ID: 4 - Environment(s) env-Web

Test the page using DOM injection, (gotRoot(''))

Security Control ID: 1

Type: Preventative

Perform input validation on both the client side and the server side.


Outcome ID: 1

Type: Success

At least one URL is found to be susceptible to Flash injection.

Outcome ID: 2

Type: Failure

No URL susceptible to Flash injection is found.



Exploit - Step 1 - Inject malicious content into target

Inject malicious content into the target using the vulnerable injection vectors identified in the Experiment phase.


Implementation: Remove sensitive information such as user names and passwords from the SWF file.

Implementation: Use validation on both the client side and the server side.

Implementation: Remove debug information.

Implementation: Use SSL when loading external data.

Implementation: Use a crossdomain.xml file to control which domains are allowed to load the application's content or call its SWF file from another domain.