Cross Domain Hijacking - File Upload Vulnerability
Download as PPTX, PDF4 likes4,279 views
- Flash files can be embedded across domains which allows them to execute JavaScript and access files outside their intended origin domain if vulnerabilities exist. This poses a security risk if untrusted users can upload Flash files. - Uploaded files are not restricted by file extension or MIME type when embedded with Flash, so a malicious file of any type could be executed as Flash if the content is valid. - Attackers can exploit this by uploading a disguised malicious Flash file and embedding it on another site, allowing it to access that domain's cookies and files through cross-domain requests. Proper security settings and file validation are needed to prevent this risk.
Cross Domain Hijacking - File Upload Vulnerability
- 4. • Formerly called " ", relabeled as " " since 2005 • Streaming animation for web pages • Can be a portion of an html web page or an entire web page • Flash files are called "Flash movies“ and are format files • Offers two very special web browsing experiences: – Very fast loading – Vector animation with interactivity
- 5. • A is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat permissions to allow data to be handled not only within the current Domain but to other Domains www.Domain2.conwww.Domain1.con www.Domain3.con
- 6. • The value of this setting determines the script access to the SWF • Possible values: – No script access allowed (Deprecated) –SWF from same domain have script access – SWFs from external domains also have script access –
- 7. • These days a lot of websites allow users to upload files, but many don’t know about the unknown pitfalls of letting users (potential attackers) upload files, even valid files • What’s a valid file? Usually, a restriction would be on two parameters: – The uploaded file extension – The uploaded Content-Type. • For example, the web application could check that the extension is “ ” and the Content-Type “ ” to make sure it’s impossible to upload malicious files. Right?
- 8. • The problem is that plugins like Flash doesn’t care about extension and . • If a file is embedded using an tag, it will be executed as a Flash file as long as the content of the file looks like a valid Flash file • But wait a minute! Shouldn’t the Flash be executed within the domain that embeds the file using the tag? • Yes and No • If a Flash file (bogus image file) is uploaded on and then embedded at , the Flash file can execute JavaScript within the domain of • However, if the Flash file sends requests, it will be allowed to read files within the domain of
- 9. • Attacker creates a malicious and then changes the file extension to • The attacker uploads the file to • The attacker embeds the file on • The victim visits and loads the file • Attacker can now send and receive arbitrary requests to
- 10. • Interact with files of the victim’s website by using current user’s cookies • Execute JavaScript, • Communicate with its source domain without checking the cross-domain policy • Use the Flash file to send requests and to read files from the domain of
- 11. • Attacker sets within the file the as " “ • SWF file can communicate with the HTML page in which it is embedded • As we know the SWF file is from a different domain than the HTML page pass arguments to a Flash file embedded inside an HTML page • Here it specifies a known file within the that would be read by the
- 13. • " " • Means that any security functions are actively turned off: – Embedded content has full access too, and control over the embedding site
- 14. • Three possible values: • The " " and " " values unconditionally turn JavaScript access on or off for the SWF file • The " " value turns JavaScript access on only if the SWF file is served from the same domain and hostname as its surrounding HTML file
- 15. • Slideshare.net provides a service that enables you to upload your presentations and share it with the public • Each presentation Slideshare offers a convenient HTML- code snippet that is ready to copy & paste it into your site • Here a shortened example: ="__sse763783" width="425" height="355"><param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=grant-presentation-1227010891051378- 9&stripped_title=welcome-to-ip-surveillance-101-presentation&userName=grantsupplies"><param name="allowFullScreen" value="true">
- 16. • YouTube video embedded
- 17. • Implement the Content-Disposition – This lets the user save the file to their computer and then decide how to use it, instead of the browser trying to use the file. • Parse the file to determine its content as well as sending a Content- Disposition header where applicable. • If possible isolate the domain of the uploaded files. • Use flash security mechanisms ,