CAPEC-182: Flash Injection
CAPEC version: 3.9
Last updated: 2023-01-24
Attack pattern description
An attacker tricks a victim into executing malicious Flash content that runs commands or makes Flash calls chosen by the attacker. One example of this attack is cross-site flashing, where an attacker-controlled parameter to a reference call causes the application to load content specified by the attacker.
Execution flow
Step 1 Explore
[Find Injection Entry Points] The attacker first takes an inventory of the entry points of the application.
- Spider the website for all available URLs that reference a Flash application.
- List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies.
Step 2 Experiment
[Determine the application's susceptibility to Flash injection] For each URL identified in the Explore phase, the attacker attempts various techniques, such as direct load asfunction, a controlled evil page/host, Flash HTML injection, and DOM injection, to determine whether the application is susceptible to Flash injection.
- Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg
- Test the page using controlled evil page/host, http://example.com/evil.swf
- Test the page using Flash HTML injection, "'><img src='asfunction:getURL,javascript:gotRoot("")//.jpg' >
- Test the page using DOM injection, (gotRoot(''))
Step 3 Exploit
[Inject malicious content into target] Inject malicious content into the target using the vulnerable injection vectors identified in the Experiment phase.
Prerequisites
- The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.
Skills required
Resources required
- None: No specialized resources are required to execute this type of attack. The attacker may need to be able to serve the injected Flash content.
Consequences
- Scope: Confidentiality; Technical impact: Other; Note: Information Leakage
- Scope: Integrity; Technical impact: Modify Data
- Scope: Confidentiality; Technical impact: Read Data
- Scope: Authorization; Technical impact: Execute Unauthorized Commands; Note: Run Arbitrary Code
- Scope: Accountability, Authentication, Authorization, Non-Repudiation; Technical impact: Gain Privileges
- Scope: Access Control, Authorization; Technical impact: Bypass Protection Mechanism
Mitigations
Implementation: remove sensitive information such as user name and password in the SWF file.
Implementation: use validation on both client and server side.
Implementation: remove debug information.
Implementation: use SSL when loading external data.
Implementation: use a crossdomain.xml file to control which domains may load data from the application or call its SWF file.
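The following is an added example, not part of the CAPEC entry, showing server-side checks for two of the mitigations above: allowlist validation of a user-supplied URL parameter that a Flash application would hand to a reference call such as loadMovie or getURL (rejecting the asfunction: and javascript: schemes named in the Experiment step), and an audit of a crossdomain.xml policy for settings that let any origin load data from the application. The allowed host list, the sample URLs and the two sample policies are constructed for illustration; the function names are hypothetical.

```python
"""Added example (not from the CAPEC entry): defensive checks for Flash injection.

validate_movie_url()      -- allowlist validation of a URL parameter before it is
                             echoed into a Flash reference call.
audit_crossdomain_policy() -- flag overly permissive crossdomain.xml settings.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the application may load SWF content from.
ALLOWED_HOSTS = {"app.example.com", "static.example.com"}

# Schemes that never belong in a URL handed to the Flash runtime.
DANGEROUS_SCHEMES = {"asfunction", "javascript", "data", "vbscript"}


def validate_movie_url(value: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if value is an https URL to a .swf on an allowlisted host.

    Relative paths, other schemes, foreign hosts and userinfo tricks such as
    https://app.example.com@evil.example/x.swf are all rejected.
    """
    if not value or any(c in value for c in "\x00\r\n"):
        return False
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if scheme in DANGEROUS_SCHEMES or scheme != "https":
        return False
    if parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False
    # Only accept SWF resources so the parameter cannot point at an HTML page.
    return parts.path.lower().endswith(".swf")


def audit_crossdomain_policy(xml_text: str) -> list:
    """Return a list of findings describing permissive crossdomain.xml settings."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    site_control = root.find("site-control")
    if site_control is None:
        findings.append('no <site-control>; add permitted-cross-domain-policies="master-only"')
    elif site_control.get("permitted-cross-domain-policies", "").lower() == "all":
        findings.append('permitted-cross-domain-policies="all" lets any file act as a policy')
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin access')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}" grants a whole subdomain tree')
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false" permits plain-HTTP loaders')
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*" lets any origin send custom headers')
    return findings


# Constructed sample policies: the first is the weak setting, the second the corrected one.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="app.example.com" secure="true" />
</cross-domain-policy>
"""

if __name__ == "__main__":
    for url in ("https://static.example.com/ui/player.swf", "javascript:void(0)",
                "https://app.example.com@evil.example/x.swf"):
        print(f"{url!r}: {'accepted' if validate_movie_url(url) else 'rejected'}")
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain_policy(policy) or "no findings")
```

The URL check deliberately refuses anything that is not an absolute https URL on a known host, which is the server-side half of the "validate on both client and server side" mitigation; the policy audit is the kind of check to run against every crossdomain.xml served by the application before deployment.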