Macromedia Flash has its own built in scripting language. ActionScript[6] (the scripting language) seems very simple to seasoned JavaScript coders as it uses a very similar syntax to JavaScript, C and PERL. However this same language can be used for complex animations, simulations, creation of games etc.. What’s interesting for us is the getURL() action[7]. This function allows us to redirect the end user to another page. The parameter would usually be a URL; something like “http://eyeonsecurity.net”, so that the script looks like this:
getURL(“http://eyeonsecurity.net”)
Suppose we specify a java script: URL instead:
getURL(“java script:alert(document.cookie)”)
The above example pops up a JavaScript alert box with the cookie belonging to the domain hosting the page that displays the flash document. This means that we have successfully injected JavaScript by making use of “features” within Internet Explorer and Flash. In the example Flash file we insert script similar to the above in the first frame as shown in the screenshot.
[Example sites and software vulnerable to the Flash! Attack]
Ezboard (http://www.ezboard.com/) is probably one of the best well-known free online Bulletin Board Systems around. This BBS which is HTTP-based, allows its users to have their signatures in flash by making use of the EMBED tag. Therefore in our tests we edit our preferences and specify the following code in the signature:
The below screenshot illustrates the idea better.
This code will be added to each post the attacker submits on the Ezboard forum, allowing him to steal the user’s session cookie.
DeviantART which is a very popular website, encourages it’s users to submit flash animations and creations to be viewed by other site members. Of course a malicious user with intent to steal user accounts and possibly administrative accounts, would create a new account, upload a malicious Flash file and wait for the results. No demonstration is available for this site.
MSN Communities[8] – this site allows users to upload their own files … amongst the files we uploaded were SWF files, which in turn execute JavaScript code. This is a very obvious security flaw. In a previous paper[9] on EyeonSecurity, named “Microsoft Passport Account Hijack Attack”, we outline how a single flaw in an MSN or Passport network site creates a significant security problem.
Anonymous services such as Anonymizer[10] and The-Cloak[11], are also vulnerable to this attack. These services try to filter out JavaScript from HTML pages, however fail to recognize the attack described here at the time of writing. Meaning that web master linking (or redirecting) its users to an SWF file can bypass the restrictions set up by these services.
Two specific Forum (BBS) software, which are particularly vulnerable to this attack, are Ikonboard and YaBB[12]. These particular forums allow only specific custom tags which are then parsed by the Web Application to produce the end result. However these forums allow flash animations to be embedded within the page by using the [flash] special tag, which is converted to the correct Object tag.
Example
The above would be interpreted by the script and transformed to:
Of course these specific examples are not the only vulnerable systems around. Any online service, which allows Flash content to be inserted is vulnerable to XSS attacks. The vendors and services described in this section have been notified of the flaw before this document has been made public. This means that the specific examples outlined in this section might have been fixed when you are reading this.
[Fixing the issue]
Simple solution: DO NOT ALLOW FLASH FILES IN YOUR WEB APP.
However in most cases, the solution is not that simple. Consider the case for deviantART for example. Flash animations
相关视频
相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
热门文章 黑客大战直播网址 黑客
最新文章
黑客大战直播网址 黑客什么是木马,什么是木马
计算机病毒是指什么什么是木马,什么是木马病毒黑客破解密码常用的方法告诉你黑客的Google搜索技巧
人气排行 如何攻击局域网电脑无线网络密码破解教程(破解无线路由WEP加密网站获得系统权限攻击教程流光破解ftp密码教程计算机病毒是指什么黑客破解密码常用的方法如何命令行/DOS下列出进程名与进程文件路径2010黑客工具
查看所有1条评论>>