3. – https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_%28OWA
SP-DV-004%29
– https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project

4. • Formerly called " ", relabeled as " "
since 2005
• Streaming animation for web pages
• Can be a portion of an html web page or an entire web page
• Flash files are called "Flash movies“ and are format files
• Offers two very special web browsing experiences:
– Very fast loading
– Vector animation with interactivity

5. • A is an XML document that grants a web client, such as
Adobe Flash Player or Adobe Acrobat permissions to allow data to be handled not
only within the current Domain but to other Domains
www.Domain2.conwww.Domain1.con
www.Domain3.con

6. • The value of this setting determines the
script access to the SWF
• Possible values:
– No script access allowed
(Deprecated)
–SWF from same domain
have script access
– SWFs from external domains
also have script access –

7. • These days a lot of websites allow users to upload files, but
many don’t know about the unknown pitfalls of letting
users (potential attackers) upload files, even valid files
• What’s a valid file? Usually, a restriction would be on two
parameters:
– The uploaded file extension
– The uploaded Content-Type.
• For example, the web application could check that the
extension is “ ” and the Content-Type “ ” to
make sure it’s impossible to upload malicious files. Right?

8. • The problem is that plugins like Flash doesn’t care about extension and
.
• If a file is embedded using an tag, it will be executed as a Flash
file as long as the content of the file looks like a valid Flash file
• But wait a minute! Shouldn’t the Flash be executed within the domain
that embeds the file using the tag?
• Yes and No
• If a Flash file (bogus image file) is uploaded on and
then embedded at , the Flash file can execute
JavaScript within the domain of
• However, if the Flash file sends requests, it will be allowed to read files
within the domain of

9. • Attacker creates a malicious
and then changes the file extension to
• The attacker uploads the file to
• The attacker embeds the file on
• The victim visits and loads
the file
• Attacker can now send and receive arbitrary
requests to

10. • Interact with files of the victim’s website by using
current user’s cookies
• Execute JavaScript,
• Communicate with its source domain without
checking the cross-domain policy
• Use the Flash file to send requests and to read
files from the domain of

11. • Attacker sets within the file the as " “
• SWF file can communicate with the HTML page in which it is
embedded
• As we know the SWF file is from a different domain than the
HTML page
pass arguments to a Flash file embedded inside an
HTML page
• Here it specifies a known file within the that
would be read by the

12. "height:1px;width:1px;"
data="http://victim.com/user/2292/profilepicture.jpg"
type="application/x-shockwave-flash" "

13. • " "
• Means that any security functions are actively
turned off:
– Embedded content has full access too, and control
over the embedding site

14. • Three possible values:
• The " " and " " values unconditionally turn
JavaScript access on or off for the SWF file
• The " " value turns JavaScript access on
only if the SWF file is served from the same domain
and hostname as its surrounding HTML file

15. • Slideshare.net provides a service that enables you to
upload your presentations and share it with the public
• Each presentation Slideshare offers a convenient HTML-
code snippet that is ready to copy & paste it into your site
• Here a shortened example:
="__sse763783" width="425" height="355"><param name="movie"
value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=grant-presentation-1227010891051378-
9&stripped_title=welcome-to-ip-surveillance-101-presentation&userName=grantsupplies"><param
name="allowFullScreen" value="true">

16. • YouTube video embedded

17. • Implement the Content-Disposition
– This lets the user save the file to their computer and then decide how
to use it, instead of the browser trying to use the file.
• Parse the file to determine its content as well as sending a Content-
Disposition header where applicable.
• If possible isolate the domain of the uploaded files.
• Use flash security mechanisms ,