Monday, February 04, 2008

Flash-based XSS Attacks

Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe® Dreamweaver®, Adobe Contribute®, Adobe Acrobat® Connect™ (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia.
These flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).

Cross Site Scripting (XSS) is an attack on users of a web application. If a web application is vulnerable to XSS, and an attacker lures a user of the vulnerable web application to click on a link, then the attacker gains complete control of the user's session in the web application. The attacker can use JavaScript to perform any action on behalf of the user (for example, perform a transaction on an online banking system) or change the way the website appears to the user (for example, perform a phishing attack).

So far, the best way to prevent these attacks is to use Firefox with NoScript, which:

  1. Blocks Flash (and other plugins) by default when the content comes from an untrusted web site
  2. Blocks Flash (and other plugins) by default when content from a trusted website is embedded in an untrusted page - this prevents embedded Flash XSS
  3. Checks cross-site requests for script injection and sanitizes them as needed. This way it prevents reflected XSS, including the Flash variants
The advantage of this approach is that you can allow individual blocked content pieces with a click, having a chance to examine their types and full addresses before running them.
Most recent NoScript versions ship with Flash, Silverlight and all the other plugin content handlers (e.g. the Quicktime plugin) disabled by default on unknown sites in order to prevent Flash-based XSS and other plugin-based attacks.
You will still be able to enjoy multimedia content either automatically, if it comes from trusted sites, or by selectively enabling clips and applets.
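As an added illustration of the third point above (this is example code written for this page, not the post's own code and not NoScript's implementation), here is a simplified request-side injection check: it decodes each query parameter, even when it was percent-encoded more than once, looks for script-like content, and blanks any offending value before the request is passed on. The URL and parameter names are constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Simplified heuristics for script injection in a parameter value.
# A real checker (NoScript's is far more thorough) balances these against false positives.
INJECTION_PATTERNS = [
    re.compile(r"<\s*/?\s*(script|iframe|object|embed|img|svg)\b", re.I),  # HTML tags
    re.compile(r"[\s\"']on[a-z]+\s*=", re.I),                              # inline event handlers
    re.compile(r"\b(javascript|vbscript|data)\s*:", re.I),                 # script URI schemes
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a double-encoded payload is inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_injection(value: str) -> bool:
    """True if the decoded value looks like script injection."""
    text = fully_decode(value)
    return any(pattern.search(text) for pattern in INJECTION_PATTERNS)


def sanitize_request(url: str) -> Tuple[str, List[str]]:
    """Return (sanitized_url, flagged_parameter_names).

    Flagged parameter values are replaced by an empty string so the
    request still reaches the site but carries no script payload.
    """
    parts = urlsplit(url)
    flagged: List[str] = []
    cleaned: List[Tuple[str, str]] = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_injection(value):
            flagged.append(key)
            value = ""
        cleaned.append((key, value))
    safe = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), parts.fragment))
    return safe, flagged


if __name__ == "__main__":
    # Constructed sample: a "url" FlashVar carrying a javascript: URI.
    print(sanitize_request("http://trusted.example/player.swf?clip=intro&url=javascript%3Aalert(1)"))
```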

More Info:
Cross-site scripting from Wikipedia
