CAPEC-182: Flash Injection
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
Last updated
Overview
CAPEC-182 (Flash Injection) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Find Injection Entry Points] The attacker first takes an inventory of the entry points of the application.
- Spider the website for all available URLs that reference a Flash application.
- List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies.
- Step 2Experiment
[Determine the application's susceptibility to Flash injection] Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.
- Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg
- Test the page using controlled evil page/host, http://example.com/evil.swf
- Test the page using Flash HTML injection, "'>