Kangkai BKJIA
Adobe Flash technology has become increasingly popular. It is now used not only to create animations and advertisements, but also to develop complex Internet applications. Flash applications (SWF files) can not only be distributed through web protocols, but can also read local or remote files, establish network connections, and communicate with other SWF files. In this article, you will learn about specific Flash attack methods, useful Flash security review techniques, and security-related development and configuration techniques.
I. XSS threats
Anyone engaged in Web application development or testing knows that Web applications have a common security vulnerability known as cross-site scripting (XSS). Generally, XSS occurs when an application accepts malicious code from an untrusted source and returns it directly to unprotected users without sanitizing the data. Flash applications are not immune to XSS and other types of security threats, but web administrators and Flash application developers can take appropriate security measures to improve the security of this emerging technology.
In a typical cross-site scripting attack, the attacker needs to inject malicious script code (such as JavaScript or VBScript code) into a Web application. This is usually done by tricking users into clicking a link or visiting a malicious web page. The web application then displays and executes the injected code in the context of the victim's web session. This attack usually results in user account theft, but does not cause command execution unless a browser security vulnerability is also exploited. Because SWF programs can be embedded into websites and have full access to the HTML DOM (Document Object Model), they can be used to launch XSS attacks. Imagine a free email web service that displays third-party Flash ads: a malicious advertiser can create a malicious SWF application to hijack your email account and send spam. By default, Flash Player has full access permissions to the DOM in the same domain.
The following describes the basic process of XSS attacks against SWF applications. Step 1: attackers must first try to inject code into the application so that the code can be re-displayed to other users. Adobe provides programmers with a variety of user interface components, such as a combo box, radio buttons, and text fields. Their usage is very similar to that of HTML form objects. In addition, there are many ways for SWF applications to accept parameters from external input.
We can use the <OBJECT> and <embed> tags to set the FlashVars attribute in an HTML document.
Figure 1
In addition, you can pass data directly through the URL:
Figure 2
In addition, the LoadVars class can be used to load external data.
Figure 3
In ActionScript 2, FlashVars are automatically imported into the variable space of the Flash application. In ActionScript 3, however, additional code is required to load external parameters. A common error is to receive data from FlashVars or URL parameters and pass it, without proper input validation, to functions that communicate directly with the browser. The getURL function in ActionScript 2 and the navigateToURL function in ActionScript 3 can load the specified URL into a browser window. Consider the following ActionScript code:
Figure 4
This code calls the getURL function with a variable from an external source, which redirects the user to the specified URL. For example, an attacker may create the following request:
Figure 5
After the request is sent, a JavaScript alert box appears showing the site's cookie content. Cookies are often used to store sensitive account data, such as session identifiers. The DOM is a standard object model that represents HTML as a tree structure. JavaScript code can use the DOM to dynamically explore or modify HTML pages. Consider the following JavaScript code, which changes the source attribute of the first image on the HTML page. After the source attribute is modified, the image displayed on the page changes as well.
Figure 6
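The input-validation error described above (a FlashVars value handed straight to getURL or navigateToURL) can be closed by checking the value against an allowlist before navigating. The following ActionScript 3 class is an added example, not code from the original article; the FlashVars name "url", the class name SafeRedirect and the host list are assumptions made for illustration.

```actionscript
package {
    import flash.display.Sprite;
    import flash.net.URLRequest;
    import flash.net.navigateToURL;

    // Document class of a hypothetical SWF that receives a redirect
    // target through a FlashVars parameter named "url" (assumed name).
    public class SafeRedirect extends Sprite {
        // Hosts the application may send the browser to (constructed values).
        private static const ALLOWED_HOSTS:Array =
            ["www.example.com", "help.example.com"];

        public function SafeRedirect() {
            // ActionScript 3 does not import FlashVars into the variable
            // space; they must be read from loaderInfo.parameters.
            var target:String = loaderInfo.parameters["url"];

            // Vulnerable pattern described in the text (do not use):
            //     navigateToURL(new URLRequest(target), "_self");
            // Hardened form: navigate only after validation succeeds.
            if (isAllowed(target)) {
                navigateToURL(new URLRequest(target), "_self");
            }
            // Any other value is dropped and no navigation takes place.
        }

        // Returns true only for http/https URLs on an allowlisted host.
        public static function isAllowed(url:String):Boolean {
            if (url == null) {
                return false;
            }
            // Browsers ignore tabs and newlines inside a URL, so a scheme
            // can be disguised with them; reject controls and spaces.
            if (/[\x00-\x20\x7f]/.test(url)) {
                return false;
            }
            // Scheme must be http or https, and the host must be followed
            // directly by an optional port and then "/", "?", "#" or the end
            // of the string, which rules out "user@host" and "\" tricks.
            var m:Object =
                /^https?:\/\/([a-z0-9.-]+)(?::\d+)?(?:[\/?#]|$)/i.exec(url);
            if (m == null) {
                return false;
            }
            return ALLOWED_HOSTS.indexOf(String(m[1]).toLowerCase()) != -1;
        }
    }
}
```

With this check, a javascript: URL, a relative path, or an http URL on any other host all fail validation, so the SWF never hands them to the browser.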
One common method for attackers is to insert a new image by modifying the HTML DOM and to point the image's source attribute at a file on a server controlled by the attacker, with the cookie content passed as a parameter. In this way, attackers can obtain the cookie data simply by monitoring the logs of their own machine. If the session ID is contained in the cookie, the attacker can fully control the user's account until the session expires.
Another ActionScript function that can be used to launch XSS attacks is fscommand. SWF files can communicate with Flash Player, or with the program hosting Flash Player, through the fscommand function. Generally, Flash Player resides in a Web browser, but it can also be hosted by other programs that can host ActiveX controls. The fscommand function takes one command and one parameter. The following fscommand call sends a changeText command. The parameter of this command is specified by FlashVars.