TUCoPS :: Web :: General :: web5423.htm

Flash with embedded Javascript bypass all browser & web sites protections for CSS
11th Jun 2002 [SBWID-5423]

	Flash with embeeded  Javascript  bypass  all  browser  &  web  sites
	protections for CSS


	All web sites allowing users to upload flash


	Obscure from EyeonSecurity [http://eyeonsecurity.net/] found  a  way  to
	use flash in cross site scripting.




	In this document  we  will  be  describing  a  loophole,  with  security
	implications, found in many websites that allow Flash  documents  to  be
	inserted within HTML, or uploaded to the server. This  paper  relies  on
	the fact that a huge number of web  surfers  have  installed  Macromedia
	Flash plugin/ActiveX control, for an attacker  to  launch  a  Cross-site
	scripting attack. We will not go into a  lot  of  detail  in  describing
	Cross-site scripting attacks in  general;  However  we  hope  that  this
	paper will explain how Flash documents can be used to inject  JavaScript
	into otherwise well filtered Web Applications.

	See http://eyeonsecurity.net/papers/flash-xss.htm for more.


	Web sites should filter  getURL() in uploaded flash objects.

	see paper for more details.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH