What is Cross-Site Scripting (XSS) Flash Parameter Injection Vulnerability?

Flash is a proprietary format for delivering multimedia content, developed by Macromedia and later Adobe; a Flash application consists mostly of graphics and audio plus ActionScript code. The output of a Flash program is typically a video clip, an advertising banner, or an online game. The format is used extensively on the Internet: YouTube uses Flash to distribute its material and, more significantly, lets users submit their own content, which is not always built with security in mind.

Flash applications may run on their own or be embedded in HTML pages. Security researchers such as Stefano Di Paola and Mike Bailey have demonstrated that, under certain conditions, Flash programs can be used to perform cross-site scripting attacks, because an attacker can read and manipulate the parameters the application receives.

The basic premise for turning Flash parameters into XSS is that a Flash object embedded in an HTML page and loaded in the browser can execute script code (JavaScript, HTML, etc.). In addition, Flash applications can forge binary and HTTP requests and load other external Flash programs, which provides further avenues for XSS attacks.

Reflected XSS through Flash Parameter Injection (FPI)

There are several ways to trigger XSS through FPI. Depending on the conditions and the weaknesses in the Flash application, an attacker can carry out the full range of cross-site scripting attacks: DOM-based XSS, Reflected (Non-Persistent) XSS, or Stored (Persistent) XSS.

a) Misuse of the getURL() function. In general, preventing such vulnerabilities means properly initializing the variables that receive user input and/or validating the supplied input to ensure that it is a legitimate URL.

b) HTML in text fields. Another injection point that can be abused is the insecure use of text fields in ActionScript.

c) Other methods, such as loadMovie() and asfunction:.

Persistent Cross-Site Scripting through FPI

While the examples above illustrate Non-Persistent XSS attacks carried out with FPI, Persistent XSS can also be achieved by injecting malicious code into susceptible Flash programs that use Flash shared objects (Flash cookies) to store server-side, user-supplied data. In that case the injected code runs every time the Flash application is loaded. A typical Flash application vulnerable to Persistent XSS is one that reads data from a shared object into an uninitialized variable and then passes it as an argument to getURL() without adequate parsing and sanitization.

Remediation

As with non-Flash content, cross-site scripting can be avoided by ensuring that the ActionScript code parses and sanitizes any external input before it is passed as an argument to a susceptible method. At the same time, developers can apply output encoding to prevent injected scripts from being executed.
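A reference implementation of the parse-and-validate step described in this remediation, added here as an example and not taken from the page or from any Flash library. It is written in Python rather than ActionScript so it can be run directly: it models the allowlist check that should sit in front of getURL()/loadMovie() and HTML-enabled text fields (injection points a and b above), and doubles as a review tool over a captured SWF query string. All function names and the sample query string are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Schemes that must never reach getURL()/loadMovie(): javascript:/vbscript: run
# script in the embedding page, asfunction: calls ActionScript, data: smuggles HTML.
SCRIPT_SCHEMES = {"javascript", "vbscript", "asfunction", "data"}
ALLOWED_SCHEMES = {"http", "https"}
_CONTROL = re.compile(r"[\x00-\x20\x7f]")  # ignored by browsers/Flash inside a scheme
_TAG = re.compile(r"</?[a-z!]", re.IGNORECASE)

# Constructed sample: the query string of a banner SWF as it would appear in a web log.
SAMPLE_QUERY = ("clickTAG=javascript%3Aalert(1)&title=%3Cb%3ESale%3C%2Fb%3E"
                "&target=http%3A%2F%2Fads.example.test%2Fgo&lang=en")

def parse_flashvars(query: str) -> dict:
    """Split a FlashVars / SWF query string into a {name: value} map."""
    return dict(parse_qsl(query, keep_blank_values=True))

def _scheme(value: str) -> str:
    """Scheme of a value after stripping control characters and whitespace,
    so spaced or tab-split forms of a scheme are still recognised."""
    return urlsplit(_CONTROL.sub("", value)).scheme.lower()

def is_safe_url(value: str) -> bool:
    """Allowlist check for a value bound for getURL(): only absolute http(s)
    URLs pass; relative paths and any script scheme are rejected."""
    return _scheme(value) in ALLOWED_SCHEMES

def classify_value(value: str) -> str:
    """Label one parameter value: 'script-uri', 'html', 'url' or 'text'."""
    scheme = _scheme(value)
    if scheme in SCRIPT_SCHEMES:
        return "script-uri"
    if _TAG.search(value):  # markup headed for an HTML-enabled text field
        return "html"
    if scheme in ALLOWED_SCHEMES:
        return "url"
    return "text"

def audit_flashvars(query: str) -> dict:
    """Return {name: label} for every parameter that is not plain text,
    i.e. the values a scanner or log review should flag."""
    report = {}
    for name, value in parse_flashvars(query).items():
        label = classify_value(value)
        if label != "text":
            report[name] = label
    return report
```

The same allowlist logic, ported to ActionScript, is what the SWF itself should run on a parameter before handing it to getURL(); a denylist of known bad schemes alone would miss case and whitespace variants.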

The ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.
