Use flash to determine the image format from the data stream to prevent xss attacks

Source: Internet
Author: User

Some time ago, the tester reported a flash xss bug. After analysis, the program that uses Loader. loadBytes and does not do data stream format validation will be recruited. The self-testing method only needs one line of code:

ExternalInterface.call('alert', ‘msg from flash’);

After compilation, change the suffix to jpg, png, and other image formats. Select the first Image Upload method on the Sina Weibo website ......

Although users generally do not upload images of unknown origins, they are curious about how to prevent them. The file format determined by the type of the Flash FileReference is very primitive, but it is really determined by the file suffix, so it is obvious that there will be problems with changing the suffix ......

The solution is to read the real format data in the data stream. Use winHex to view the file streams of various images. The variable length of the file header (24-to 64-bit binary data) is the data block that identifies the file format. Therefore, you can use ByteArray to read this part of data to determine the file format. The formats of images to be identified are fixed. Therefore, only the first 24-bit binary data can be used to determine the formats.

Code:

 
Var file: FileReference = new FileReference (); var fileFilter: FileFilter = new FileFilter ('image file :(*. jpg ,*. jpeg ,*. gif ,*. png ,*. bmp )','*. jpg ;*. jpeg ;*. gif ;*. png ;*. bmp '); stage. addEventListener (MouseEvent. CLICK, function (evt: MouseEvent) {file. browse ([fileFilter]) ;}); file. addEventListener (Event. SELECT, function (evt: Event) {file. addEventListener (Event. COMPLETE, onLoadCpl); file. load () ;}); function onLoadCpl (evt: Event): void {file. removeEventListener (Event. COMPLETE, onLoadCpl); var byteArray: ByteArray = evt.tar get. data as ByteArray; var fileTypeHex: String = byteArray. readUnsignedByte (). toString (16) + byteArray. readUnsignedByte (). toString (16) + byteArray. readUnsignedByte (). toString (16); trace (fileTypeHex ); if (fileTypeHex = 'ffd8ff' | fileTypeHex = '89504e '| fileTypeHex = '000000' | fileTypeHex = 'include8 ') {// hex loadByte (byteArray) of jpg & jpeg, png, gif, and bmp;} else {trace ('file format incorrect ');}} function loadByte (byteArray: ByteArray): void {var loader: Loader = new Loader (); // loader. contentLoaderInfo. addEventListener (Event. COMPLETE, function (e: Event) {}); // load the image loader. loadBytes (byteArray );}

Compare the file data read using winHex:

Jpg & jpeg:

 

Png:

Gif:

Bmp:

 

Completely consistent. Success ~

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.