CAPEC-182
Description
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
Prerequisites
The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.
Mitigations
Implementation: remove sensitive information such as user name and password in the SWF file.
Implementation: use validation on both client and server side.
Implementation: remove debug information.
Implementation: use SSL when loading external data
Implementation: use crossdomain.xml file to allow the application domain to load stuff or the SWF file called by other domain.
Skills Required
[Medium] The attacker needs to have knowledge of Flash, especially how to insert content the executes commands.