CAPEC-182: Flash Injection

Likelihood of attack: High
Typical severity: Medium
Status: Draft
Created: 2014-06-23 00h00 +00:00
Last updated: 2022-09-29 00h00 +00:00

Description

An attacker tricks a victim into executing malicious Flash content that executes commands or makes Flash calls specified by the attacker. One example of this attack is cross-site flashing, in which an attacker-controlled parameter to a reference call loads content specified by the attacker.

CAPEC Information

Execution Flow

1) Explore

[Find Injection Entry Points] The attacker first takes an inventory of the entry points of the application.

Techniques
  • Spider the website for all available URLs that reference a Flash application.
  • List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, and variables loaded from external movies.
2) Experiment

[Determine the application's susceptibility to Flash injection] For each URL identified in the Explore phase, the attacker attempts various techniques, such as direct load asfunction, a controlled evil page/host, Flash HTML injection, and DOM injection, to determine whether the application is susceptible to Flash injection.

Techniques
  • Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg
  • Test the page using controlled evil page/host, http://example.com/evil.swf
  • Test the page using Flash HTML injection, "'>
  • Test the page using DOM injection, (gotRoot(''))
3) Exploit

[Inject malicious content into target] Inject malicious content into the target using the vulnerable injection vectors identified in the Experiment phase.

Prerequisites

The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.

Skills Required

The attacker needs to have knowledge of Flash, especially of how to insert content that executes commands.

Resources Required

None: No specialized resources are required to execute this type of attack. The attacker may need to be able to serve the injected Flash content.

Mitigations

  • Implementation: remove sensitive information such as user names and passwords from the SWF file.
  • Implementation: use validation on both the client and the server side.
  • Implementation: remove debug information.
  • Implementation: use SSL when loading external data.
  • Implementation: use a crossdomain.xml file to control which domains may load the application's data and which domains may call the SWF file.

Related Weaknesses

CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-184: Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-697: Incorrect Comparison
The product compares two entities in a security-relevant context, but the comparison is incorrect.

References

REF-46: Stefano Di Paola. "Finding Vulnerabilities in Flash Applications".

REF-47: Rudra K. Sinha Roy. "A Lazy Pen Tester's Guide to Testing Flash Applications". http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/

REF-48: Peleus Uhley. "Creating More Secure SWF Web Application". http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html

Submission

Name | Organization | Date | Publication date
CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00 |

Modifications

Name | Organization | Date | Comment
CAPEC Content Team | The MITRE Corporation | 2017-05-01 +00:00 | Updated Related_Attack_Patterns
CAPEC Content Team | The MITRE Corporation | 2017-08-04 +00:00 | Updated Resources_Required
CAPEC Content Team | The MITRE Corporation | 2018-07-31 +00:00 | Updated Attacker_Skills_or_Knowledge_Required
CAPEC Content Team | The MITRE Corporation | 2019-04-04 +00:00 | Updated Consequences
CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | Updated Example_Instances