• Formerly called " ", relabeled as " "
• Streaming animation for web pages
• Can be a portion of an HTML web page or an entire web page
• Flash files are called "Flash movies" and are format files
• Offers two very special web browsing experiences:
– Very fast loading
– Vector animation with interactivity
• A is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat, permission to handle data not only within the current domain but also across other domains
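A cross-domain policy file is only as safe as its rules. The following auditor is an added example, not part of the original slides: it parses a crossdomain.xml document with the standard library and flags rules that grant access to any origin or that allow plain-HTTP content to read HTTPS data. The two sample policies are constructed for illustration; the element and attribute names (cross-domain-policy, allow-access-from, domain, secure) are those of the Flash Player policy file format.

```python
"""Audit a Flash cross-domain policy (crossdomain.xml) for over-permissive rules.

Added example, not from the original slides. Sample policies are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: trusts every origin and does not require HTTPS.
PERMISSIVE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

# Constructed sample: restricted to one explicitly named host over HTTPS only.
RESTRICTED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="partner.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of findings describing risky allow-access-from rules.

    An empty list means no rule grants access to arbitrary domains or
    downgrades the transport requirement to plain HTTP.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        # The secure attribute defaults to true when absent.
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append("wildcard domain: any site can read this domain's data")
        elif domain.startswith("*."):
            findings.append("wildcard subdomain rule: %s" % domain)
        if secure == "false":
            findings.append("secure=false on %s: HTTP content may read HTTPS data" % domain)
    return findings


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(label, audit_policy(policy) or ["no findings"])
```

Run the file directly to see both policies audited; a `domain="*"` rule is the setting that turns a harmless data host into a read oracle for any page the victim's browser visits, which is why the check treats it as the first finding to report.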
• The value of this setting determines the script access to the SWF
• Possible values:
– No script access allowed
– SWFs from the same domain have script access
– SWFs from external domains also have script access –
• These days a lot of websites allow users to upload files, but many don't know about the pitfalls of letting users (potential attackers) upload files, even valid files
• What's a valid file? Usually, a restriction would be on two things:
– The uploaded file extension
– The uploaded Content-Type
• For example, the web application could check that the extension is " " and the Content-Type " " to make sure it's impossible to upload malicious files. Right?
• The problem is that plugins like Flash don't care about the extension and
• If a file is embedded using an tag, it will be executed as a Flash file as long as the content of the file looks like a valid Flash file
• But wait a minute! Shouldn’t the Flash be executed within the domain
that embeds the file using the tag?
• Yes and No
• If a Flash file (bogus image file) is uploaded on and
then embedded at , the Flash file can execute
• However, if the Flash file sends requests, it will be allowed to read files
within the domain of
• Attacker creates a malicious
and then changes the file extension to
• The attacker uploads the file to
• The attacker embeds the file on
• The victim visits and loads
• Attacker can now send and receive arbitrary
• Interact with files of the victim's website using the current user's cookies
• Communicate with its source domain without
checking the cross-domain policy
• Use the Flash file to send requests and to read
files from the domain of
• Attacker sets within the file the as " "
• SWF file can communicate with the HTML page in which it is
• As we know, the SWF file is from a different domain than the
pass arguments to a Flash file embedded inside an
• Here it specifies a known file within the that
would be read by the
• " "
• Means that any security functions are actively
– Embedded content has full access to, and control over, the embedding site
• Three possible values:
• The " " and " " values unconditionally turn
only if the SWF file is served from the same domain
and hostname as its surrounding HTML file
• Slideshare.net provides a service that enables you to upload your presentations and share them with the public
• For each presentation, Slideshare offers a convenient HTML code snippet that is ready to copy and paste into your site
• Here is a shortened example:
="__sse763783" width="425" height="355"><param name="movie"
• Implement the Content-Disposition
– This lets the user save the file to their computer and then decide how to use it, instead of the browser trying to use the file.
• Parse the file to determine its content, and send a Content-Disposition header where applicable.
• If possible, isolate the domain of the uploaded files.
• Use Flash security mechanisms ,
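The upload pitfall described earlier (a Flash movie renamed to an image extension, accepted because extension and Content-Type look right) and the mitigations listed above can be shown together in one validator. This is an added example, not code from the original slides: it decides by sniffing the leading bytes of the upload rather than trusting the name or declared type, and it builds the response headers a server should send when handing a stored upload back. The magic bytes are real (PNG, JPEG, GIF, and the FWS/CWS/ZWS prefixes of uncompressed, zlib-compressed and LZMA-compressed SWF); the sample uploads are constructed.

```python
"""Validate an uploaded "image" by its content, not by its extension or declared
Content-Type, and build safe download headers.

Added example, not from the original slides. Sample uploads are constructed.
"""

# Leading bytes of the image formats this endpoint is willing to store.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}
# Leading bytes of a Flash movie: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def sniff_type(data):
    """Classify the upload from its leading bytes, ignoring name and MIME type."""
    for name, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return "image/" + ("gif" if name.startswith("gif") else name)
    if data.startswith(SWF_SIGNATURES):
        return "application/x-shockwave-flash"
    return "unknown"


def validate_upload(filename, declared_type, data):
    """Return (accepted, reason). Extension and Content-Type are still checked,
    but the decision rests on what the bytes actually are."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ("png", "jpg", "jpeg", "gif"):
        return False, "extension not allowed"
    if not declared_type.startswith("image/"):
        return False, "declared Content-Type is not an image"
    actual = sniff_type(data)
    if actual == "application/x-shockwave-flash":
        return False, "content is a Flash movie disguised as an image"
    if actual == "unknown":
        return False, "content does not match any allowed image format"
    return True, actual


def download_headers(filename, sniffed_type):
    """Headers for serving a stored upload back: Content-Disposition forces a
    download instead of in-browser (or plug-in) interpretation, and nosniff
    stops the browser from second-guessing the type we determined."""
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": sniffed_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: a PNG header, and a Flash movie renamed to .png.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DISGUISED_SWF = b"CWS\x0a" + b"\x00" * 16

if __name__ == "__main__":
    print(validate_upload("avatar.png", "image/png", GOOD_PNG))
    print(validate_upload("avatar.png", "image/png", DISGUISED_SWF))
    print(download_headers("my photo.png", "image/png"))
```

Signature checking is the minimum: the extension and Content-Type checks both pass for the disguised upload, and only the content check rejects it. Serving accepted files from a separate domain, as the last bullet recommends, limits the damage if a check is ever bypassed, because a movie that executes there has no access to the main site's cookies.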