CAPEC-246 - Cross-Site Scripting Using Flash

An attacker injects malicious script to global parameters in a Flash movie via a crafted URL. The malicious script is executed in the context of the Flash movie. As such, this is a form of Cross-Site Scripting (XSS), but the abilities granted to the Flash movie make this attack more flexible.

Step 1 - Spider

Using a browser or an automated tool, an attacker records all instances of Flash movies and verifies that known variables allow for simple XSS.

Technique ID: 1 - Environment(s) env-Web

Use search engines to locate SWF files (Flash movie files) that can be accessed via a URL containing known variable parameters.

Technique ID: 2 - Environment(s) env-Web

Use a search engine to locate SWF files on a specific file server.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

A SWF Flash movie file that is accessed via a URL using a global or known variable has been located, or a potential SWF file on a specific target server has been located.

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

A SWF Flash movie file has not been located.


Security Control ID: 1

Type: Detective

Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it click far more slowly and far less regularly than tools. Tools make requests very quickly, and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
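The velocity check described above, as an added example that is not part of the CAPEC entry: it groups requests by client, computes the gaps between consecutive requests, and flags clients whose fetches are both fast and regularly spaced (low coefficient of variation). It goes slightly beyond the control by considering only requests for .swf files; the log format, the 2 s / 0.25 thresholds and the sample log lines are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access log ("timestamp client method path"); not real traffic.
# 203.0.113.7 fetches SWF files every 0.8 s like a tool; 198.51.100.4 browses at human pace.
SAMPLE_LOG = """\
2023-10-10T13:55:30.000Z 198.51.100.4 GET /player.swf?clickTAG=http://example.com
2023-10-10T13:55:36.000Z 203.0.113.7 GET /ads/a.swf?clickTAG=x
2023-10-10T13:55:36.800Z 203.0.113.7 GET /ads/b.swf?clickTAG=x
2023-10-10T13:55:37.600Z 203.0.113.7 GET /ads/c.swf?clickTAG=x
2023-10-10T13:55:38.400Z 203.0.113.7 GET /ads/d.swf?clickTAG=x
2023-10-10T13:55:39.200Z 203.0.113.7 GET /ads/e.swf?clickTAG=x
2023-10-10T13:55:41.000Z 198.51.100.4 GET /index.html
2023-10-10T13:55:41.000Z 198.51.100.4 GET /gallery.swf
2023-10-10T13:56:07.000Z 198.51.100.4 GET /video.swf?file=intro
2023-10-10T13:56:59.000Z 198.51.100.4 GET /menu.swf
2023-10-10T13:57:00.000Z 192.0.2.9 GET /player.swf
"""

LOG_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+)$")  # assumed log layout (constructed)


def swf_requests_by_client(log_text):
    """Map client -> sorted request times (epoch seconds) for requests fetching a .swf file."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, path = m.groups()
        if not path.split("?", 1)[0].lower().endswith(".swf"):
            continue  # only SWF fetches matter for this attack pattern
        by_client[client].append(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return {c: sorted(t) for c, t in by_client.items()}


def classify_clients(by_client, max_mean_gap=2.0, max_cv=0.25, min_requests=4):
    """True = tool-like: fast fetches with regular spacing (low coefficient of variation)."""
    verdict = {}
    for client, times in by_client.items():
        if len(times) < min_requests:
            continue  # too few requests to judge regularity
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        verdict[client] = mean_gap <= max_mean_gap and cv <= max_cv
    return verdict
```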


Outcome ID: 1

Type: Success

A list of SWF files with the potential for XSS.



Step 1 - Determine the SWF file susceptibility to XSS

Determine the SWF file's susceptibility to XSS. For each SWF file identified in the Explore phase, the attacker attempts techniques such as reverse engineering and various XSS attacks to determine whether the file is vulnerable.

Technique ID: 1 - Environment(s) env-Web

Compile a list of all variables, both global and specific to the file, that might invoke the getURL function.

Technique ID: 2 - Environment(s) env-Web

Test each variable by overwriting its value via the URL with "javascript:" followed by a simple JavaScript command such as "alert('xss')".

Security Control ID: 1

Type: Preventative

User input must be sanitized according to context before being reflected back to the user.


Outcome ID: 1

Type: Success

At least one variable is found susceptible to Flash cross-site scripting.

Outcome ID: 2

Type: Failure

No variable is found susceptible to Flash cross-site scripting.