32 HAKIN9
ATTACK
5/2008
Those of you who develop or test web applications should be familiar with a common security vulnerability known as cross-site scripting (XSS). XSS typically occurs when an application accepts malicious code from an untrusted source, and then displays it back to an unsuspecting user without properly sanitizing the data. Flash applications are not immune to XSS and other types of security threats, but both web administrators and Flash application developers can take security precautions to more safely use the emerging technology.
NEIL BERGMAN

WHAT YOU WILL LEARN...
Specific Flash attack vectors
Useful Flash security auditing tips
Proper development/configuration techniques

WHAT YOU SHOULD KNOW
Basic knowledge of ActionScript
Familiarity with XSS attacks

XSS Threats
Cross-site scripting attacks typically involve the injection of malicious scripting code, such as JavaScript or VBScript code, into a web application. This is frequently accomplished by tricking a user into clicking a link or visiting a nefarious web page. The web application will later display and execute the injected code in the context of the victim's web session. Such an attack usually leads to a user account compromise and does not normally allow for command execution unless exploited together with a browser flaw. Since SWF applications can be embedded into websites and have full access to the HTML DOM (Document Object Model), they can be abused to conduct XSS attacks. Picture a free email web service that displays third-party Flash advertisements. An evil advertisement agency could create a malicious SWF application that would hijack your email account to send spam. By default the Flash Player has full DOM access on the same domain.
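As an added auditing example (not code from the article or its author), the following Python script scans a page's markup for SWF embeds and reports which movies can script the hosting page, based on the allowScriptAccess embed parameter whose absence Flash Player treats as "sameDomain". The sample webmail page and its host names are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

DEFAULT_SCRIPT_ACCESS = "samedomain"  # Flash Player's default when allowScriptAccess is absent

class SwfEmbedAuditor(HTMLParser):
    def __init__(self, page_origin):
        super().__init__()
        self.page_host = (urlparse(page_origin).hostname or "").lower()
        self.findings = []
        self._obj = None  # movie/allowScriptAccess gathered from <param> tags of an open <object>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser already lowercases attribute names
        if tag == "embed":
            self._record(a.get("src", ""), a.get("allowscriptaccess"))
        elif tag == "object":
            self._obj = {"movie": a.get("data", ""), "allowscriptaccess": None}
        elif tag == "param" and self._obj is not None:
            name = a.get("name", "").lower()
            if name in ("movie", "allowscriptaccess"):
                self._obj[name] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            self._record(self._obj["movie"], self._obj["allowscriptaccess"])
            self._obj = None

    def _record(self, swf_url, script_access):
        if not swf_url.split("?")[0].lower().endswith(".swf"):
            return  # not a statically resolvable Flash movie; skip it
        host = (urlparse(swf_url).hostname or self.page_host).lower()  # relative URL => page's own host
        access = (script_access or DEFAULT_SCRIPT_ACCESS).lower()
        # "always": any SWF may script the page; "samedomain": only same-domain SWFs; "never": none
        can_script = access == "always" or (access == "samedomain" and host == self.page_host)
        self.findings.append({"swf": swf_url, "third_party": host != self.page_host,
                              "script_access": access, "can_script_page": can_script})

def audit_swf_embeds(html, page_origin):
    """Return one finding per SWF embed in html, for a page served from page_origin."""
    auditor = SwfEmbedAuditor(page_origin)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (not from the article): a webmail page embedding three movies.
SAMPLE_PAGE = """<html><body>
<embed src="//ads.example.net/banner.swf" allowScriptAccess="always">
<object data="/player.swf"><param name="allowScriptAccess" value="never"></object>
<object><param name="movie" value="http://mail.example.com/compose.swf"></object>
</body></html>"""
```

A third-party movie reported with can_script_page set is the advertisement scenario above: the host page has granted a SWF it does not control full DOM access.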
The basic flow of an XSS attack against a SWF application is shown in Figure 1. In the first step, an attacker must figure out a way to inject code into the application in order to redisplay it to another user. Adobe provides a variety of UI components f