Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Flash Bad Practices: Insecure Embedded SWF Settings

Abstract
Granting overly excessive permissions might allow a malicious flash application to transmit sensitive information to an arbitrary remote site.
Explanation
When a Flash application is embedded within HTML, there are several flags that inform the Flash player if the SWF file can have access to content from the browser or from the network.
- AllowScriptAccess
This flag tells the Flash player to allow the SWF to communicate with the browser and HTML DOM using ExternalInterface, fscommand or getURL.
- AllowNetworkingAccess
This flag informs the Flash player that it is allowed to make networking calls like XML.load, loadVariables, LoadVars.load etc. If a Flash application should not communicate with the browser or needs to make any networking calls, the AllowNetworkingAccess tag must be set to "none".
1. If a Flash application should not communicate with the browser or needs to make any networking calls, the AllowNetworkingAccess tag must be set to "none".
2. If a Flash application should not communicate with the browser but needs to make networking calls, the AllowNetworkingAccess tag should be set to "internal".
3. If a Flash application needs to communicate with both the browser and the network, the AllowNetworkingAccess tag must be set to "all".
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 250
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [24] CWE ID 269
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 10.2.2 Malicious Code Search (L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[23] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.dynamic.actionscript.flash_bad_practices_insecure_embedded_swf_settings