Kingdom: Input Validation and Representation
Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
Cross-Site Flashing
Abstract
The program uses unvalidated user input to load a SWF file, which can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.
Explanation
Flash APIs provide an interface for loading remote SWF files into the existing execution environment. Even though the cross-domain policy only allows to load SWF files from a list of trusted domains, more often than not the defined cross-domain policy is overly permissive. Allowing untrusted user input to define which SWF files to load can lead to arbitrary content being referenced and possibly executed by the targeted application, resulting in a cross-site flashing attack.
Cross-site flashing vulnerabilities occur when:
1. Data enters an application from an untrusted source.
2. The data is used to load a remote SWF file.
Example: The following code uses the value of one of the parameters to the loaded SWF file as the URL to load a remote SWF file from.
Cross-site flashing vulnerabilities occur when:
1. Data enters an application from an untrusted source.
2. The data is used to load a remote SWF file.
Example: The following code uses the value of one of the parameters to the loaded SWF file as the URL to load a remote SWF file from.
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var url:String = String(params["url"]);
var ldr:Loader = new Loader();
var urlReq:URLRequest = new URLRequest(url);
ldr.load(urlReq);
...
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - Common Weakness Enumeration CWE ID 494, CWE ID 829
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code, SI-10 Information Input Validation
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.3 Dependency (L1 L2 L3), 14.2.4 Dependency (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[24] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 494
[25] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 494
[26] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 494, Risky Resource Management - CWE ID 829
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-003300 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.actionscript.cross_site_flashing