Cross Domain Hijacking - File Upload Vulnerability

  1.
     – https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_%28OWASP-DV-004%29
     – https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
  2.
     • Formerly called " ", relabeled as " " since 2005
     • Streaming animation for web pages
     • Can be a portion of an HTML web page or an entire web page
     • Flash files are called "Flash movies" and are format files
     • Offers two very special web browsing experiences:
       – Very fast loading
       – Vector animation with interactivity
  3.
     • A is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat, permission to handle data not only within the current domain but also across other domains
     (diagram: www.Domain1.con, www.Domain2.con, www.Domain3.con)
  4.
     • The value of this setting determines the script access to the SWF
     • Possible values:
       – No script access allowed (deprecated)
       – SWFs from the same domain have script access
       – SWFs from external domains also have script access
       –
  5.
     • These days a lot of websites allow users to upload files, but many don't know about the pitfalls of letting users (potential attackers) upload files, even valid files
     • What's a valid file? Usually, the restriction is on two parameters:
       – The uploaded file extension
       – The uploaded Content-Type
     • For example, the web application could check that the extension is " " and the Content-Type " " to make sure it's impossible to upload malicious files. Right?
  6.
     • The problem is that plugins like Flash don't care about extension and .
     • If a file is embedded using an tag, it will be executed as a Flash file as long as the content of the file looks like a valid Flash file
     • But wait a minute! Shouldn't the Flash be executed within the domain that embeds the file using the tag?
     • Yes and no
     • If a Flash file (bogus image file) is uploaded on and then embedded at , the Flash file can execute JavaScript within the domain of
     • However, if the Flash file sends requests, it will be allowed to read files within the domain of
  7.
     • Attacker creates a malicious and then changes the file extension to
     • The attacker uploads the file to
     • The attacker embeds the file on
     • The victim visits and loads the file
     • Attacker can now send and receive arbitrary requests to
  8.
     • Interact with files of the victim's website by using the current user's cookies
     • Execute JavaScript,
     • Communicate with its source domain without checking the cross-domain policy
     • Use the Flash file to send requests and to read files from the domain of
  9.
     • Attacker sets within the file the as " "
     • The SWF file can communicate with the HTML page in which it is embedded
     • As we know, the SWF file is from a different domain than the HTML page
     • pass arguments to a Flash file embedded inside an HTML page
     • Here it specifies a known file within the that would be read by the
  10.
     "height:1px;width:1px;" data="http://victim.com/user/2292/profilepicture.jpg" type="application/x-shockwave-flash" "
  11.
     • " "
     • Means that any security functions are actively turned off:
       – Embedded content has full access to, and control over, the embedding site
  12.
     • Three possible values:
     • The " " and " " values unconditionally turn JavaScript access on or off for the SWF file
     • The " " value turns JavaScript access on only if the SWF file is served from the same domain and hostname as its surrounding HTML file
  13.
     • Slideshare.net provides a service that enables you to upload your presentations and share them with the public
     • For each presentation, Slideshare offers a convenient HTML code snippet that is ready to copy and paste into your site
     • Here is a shortened example:
     ="__sse763783" width="425" height="355"><param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=grant-presentation-1227010891051378-9&stripped_title=welcome-to-ip-surveillance-101-presentation&userName=grantsupplies"><param name="allowFullScreen" value="true">
  14.
     • YouTube video embedded
  15.
     • Implement the Content-Disposition header
       – This lets the user save the file to their computer and then decide how to use it, instead of the browser trying to use the file.
     • Parse the file to determine its content, as well as sending a Content-Disposition header where applicable.
     • If possible, isolate the domain of the uploaded files.
     • Use Flash security mechanisms ,
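As an added example (not code from the original slides), the following Python shows the two server-side checks the last slide calls for: it rejects an "image" upload whose bytes carry an SWF header regardless of the declared extension and Content-Type, and it builds the Content-Disposition response headers for serving stored uploads. The filenames and byte samples are constructed for the demonstration.

```python
import re

# Magic bytes for the image types the upload form claims to accept.
# The slides' attack works because Flash ignores extension and Content-Type,
# so the server has to look at the bytes, not the declared metadata.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# SWF files begin with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def looks_like_swf(data: bytes) -> bool:
    """True if the first bytes are an SWF header, whatever the file is named."""
    return data[:3] in SWF_SIGNATURES


def validate_upload(data: bytes, filename: str, content_type: str):
    """Return (accepted, reason). The extension/Content-Type checks are the
    weak checks from the slides; the byte checks are what defeats the attack."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"
    if not content_type.startswith("image/"):
        return False, "content-type not allowed"
    if looks_like_swf(data):
        return False, "SWF header despite image extension"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared extension"
    return True, "ok"


def download_headers(filename: str) -> dict:
    """Response headers for serving a stored upload: force a download so the
    browser/plugin does not execute it, and disable MIME sniffing."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/octet-stream",
    }


# Constructed samples: a compressed SWF renamed to .jpg, and a real JPEG header.
BOGUS_IMAGE = b"CWS\x0a" + b"\x00" * 16
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
```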