Bypassing JavaScript Filters – the Flash! Attack.pdfVIP

[Bypassing JavaScript Filters – the Flash! Attack] last updated: 25.August.2002 Obscure [obscure@] / Copyright © 2001,2002 EyeonSecurity, Redistribution of this document is permitted as long as the contents are not changed and this copyright notice is included. [INTRODUCTION TO THE FLASH! ATTACK] 3 [CURRENT WEB APPLICATIONS AND CROSS-SITE SCRIPTING]3 [PREVENTING CROSS-SITE SCRIPTING ATTACKS]3 [THE FLASH! ATTACK] 4 [VULNERABLE SITE AND SOFTWARE EXAMPLES] 5 [FIXING THE ISSUE]8 [DEMO! ON EYEONSECURITY.NET] 11 [REFERENCES]12 [THANKS] 13 [Introduction to the Flash! attack] In this document we will be describing a loophole, with security implications, found in many websites that allow Flash documents to be inserted within HTML, or uploaded to the server. This paper relies on the fact that a huge number of web surfers have installed Macromedia Flash plugin/ActiveX control, for an attacker to launch a Cross-site scripting attack. We will not go into a lot of detail in describing Cross-site scripting attacks in general; However we hope that this paper will explain how Flash documents can be used to inject JavaScript into otherwise well filtered Web Applications. [Current web applications and cross-site scripting] Web Applications consist of non-static web sites, which allow users to interact with the site itself1. Examples of such sites include Hotmail, Yahoo, MSN communities and a long list of other sites. Most of the times, this interaction involves users being authenticated, to provide a multi-user environment. In an online community such as deviantART2 , each member has his own section and web space, where he or she can upload artistic material, such as poetry, graphics (usually jpg format), photography, and of course, Flash movies. Logged on users (as well as anonymous ones) can also view