Dark Mode
Capec-182 Detail
Flash Injection
Standard Social Engineering Software Likelihood: High Typical Severity: Medium
Parents: 137
Children: 174 178
Threats: T290
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-182 | capec | https://capec.mitre.org/data/definitions/182.html | |
| CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html | |
| CWE-184 | cwe | http://cwe.mitre.org/data/definitions/184.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| REF-46 | reference_from_CAPEC | Stefano Di Paola, Finding Vulnerabilities in Flash Applications, OWASP Appsec 2007, 2007--11---15 | |
| REF-47 | reference_from_CAPEC | http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/ | Rudra K. Sinha Roy, A Lazy Pen Tester's Guide to Testing Flash Applications, iViz |
| REF-48 | reference_from_CAPEC | http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html | Peleus Uhley, Creating More Secure SWF Web Application, Adobe Systems Incorporated |
Explore
-
Find Injection Entry Points: The attacker first takes an inventory of the entry points of the application.
| Techniques |
|---|
| Spider the website for all available URLs that reference a Flash application. |
| List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies. |
Experiment
-
Determine the application's susceptibility to Flash injection: Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.
| Techniques |
|---|
| Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg |
| Test the page using controlled evil page/host, http://example.com/evil.swf |
Test the page using Flash HTML injection, "'>![](asfunction:getURL,javascript:gotRoot("")//.jpg) |
| Test the page using DOM injection, (gotRoot('')) |
Exploit
-
Inject malicious content into target: Inject malicious content into target utilizing vulnerable injection vectors identified in the Experiment phase
- The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.
- None: No specialized resources are required to execute this type of attack. The attacker may need to be able to serve the injected Flash content.
| Medium |
|---|
| The attacker needs to have knowledge of Flash, especially how to insert content the executes commands. |
| Integrity | Authorization | Access Control | Accountability | Authentication | Confidentiality | Non-Repudiation |
|---|---|---|---|---|---|---|
| Modify Data | Execute Unauthorized Commands (Run Arbitrary Code) | Bypass Protection Mechanism | Gain Privileges | Gain Privileges | Other (Information Leakage) | Gain Privileges |
| Gain Privileges | Read Data | |||||
| Bypass Protection Mechanism |
- In the following example, the SWF file contains getURL('javascript:SomeFunc("someValue")','','GET') A request like http://example.com/noundef.swf?a=0:0;alert('XSS') becomes javascript:SomeFunc("someValue")?a=0:0;alert(123)