CAPEC-174

Flash Parameter Injection
Hoch
Mittel
Draft
2014-06-23
00h00 +00:00
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Benachrichtigung für ein CAPEC
Bleiben Sie über alle Änderungen zu einem bestimmten CAPEC informiert.
Benachrichtigungen verwalten

CAPEC-Beschreibungen

An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document.

CAPEC-Informationen

Ausführungsablauf

1) Explore

[Spider] Using a browser or an automated tool, an adversary records all instances of HTML documents that have embedded Flash files. If there is an embedded Flash file, they list how to pass global parameters to the Flash file from the embedding object.

Technik
  • Use an automated tool to record all instances of URLs which have embedded Flash files and list the parameters passing to the Flash file.
  • Use a browser to manually explore the website to see whether the HTML document has embedded Flash files or not and list the parameters passing to the Flash file.
2) Experiment

[Determine the application susceptibility to Flash parameter injection] Determine the application susceptibility to Flash parameter injection. For each URL identified in the Explore phase, the adversary attempts to use various techniques such as DOM based, reflected, flashvars, and persistent attacks depending on the type of parameter passed to the embedded Flash file.

Technik
  • When the JavaScript 'document.location' variable is used as part of the parameter, inject '#' and the payload into the parameter in the URL.
  • When the name of the Flash file is exposed as a form or a URL parameter, the adversary injects '?' and the payload after the file name in the URL to override some global value.
  • When the arguments passed in the 'flashvars' attributes, the adversary injects '&' and payload in the URL.
  • If some of the attributes of the tag are received as parameters, the 'flashvars' attribute is injected into the tag without the creator of the Web page ever intending to allow arguments to be passed into the Flash file.
  • If shared objects are used to save data that is entered by the user persistent Flash parameter injection may occur, with malicious code being injected into the Flash file and executed, every time the Flash file is loaded.
    • 3) Exploit

    [Execute Flash Parameter Injection Attack] Inject parameters into Flash file. Based on the results of the Experiment phase, the adversary crafts the underlying malicious URL containing injected Flash parameters and submits it to the web server. Once the web server receives the request, the embedding HTML document will controllable by the adversary.

    Technik
    • Craft underlying malicious URL and send it to the web server to take control of the embedding HTML document.

    Erforderliche Kenntnisse

    The adversary need inject values into the global parameters to the Flash file and understand the parent HTML document DOM structure. The adversary needs to be smart enough to convince the victim to click on their crafted link.

    Erforderliche Ressourcen

    The adversary must convince the victim to click their crafted link.

    Gegenmaßnahmen

    User input must be sanitized according to context before reflected back to the user. The JavaScript function 'encodeURI' is not always sufficient for sanitizing input intended for global Flash parameters. Extreme caution should be taken when saving user input in Flash cookies. In such cases the Flash file itself will need to be fixed and recompiled, changing the name of the local shared objects (Flash cookies).

    Verwandte Schwachstellen

    CWE-ID Name der Schwachstelle

    CWE-88

    		 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
    The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

    Referenzen

    REF-40

    Flash Parameter Injection: A Security Advisory
    Yuval B., Ayal Y., Adi S..
    http://blog.watchfire.com/FPI.pdf

    REF-560

    Elaborate Ways to Exploit XSS: Flash Parameter Injection (FPI)
    https://www.acunetix.com/blog/articles/elaborate-ways-exploit-xss-flash-parameter-injection/

    Einreichung

    Name Organisation Datum Veröffentlichungsdatum
    CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

    Änderungen

    Name Organisation Datum Kommentar
    CAPEC Content Team The MITRE Corporation 2017-05-01 +00:00 Updated Attack_Phases, Description Summary, Related_Attack_Patterns
    CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Description, Example_Instances, Execution_Flow, References, Related_Attack_Patterns, Related_Weaknesses, Skills_Required
    CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Related_Attack_Patterns
    CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Execution_Flow, Skills_Required
    CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Example_Instances, Execution_Flow, Extended_Description, Resources_Required, Skills_Required
    CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Example_Instances
    Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.