CAPEC-182

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: Medium
Flash Injection

Description

An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.

Prerequisites

The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.

Mitigations

Implementation: remove sensitive information such as user name and password in the SWF file.

Implementation: use validation on both client and server side.

Implementation: remove debug information.

Implementation: use SSL when loading external data

Implementation: use crossdomain.xml file to allow the application domain to load stuff or the SWF file called by other domain.

Skills Required

[Medium] The attacker needs to have knowledge of Flash, especially how to insert content the executes commands.