Name Flash Injection
Summary An attacker tricks a victim into executing malicious Flash content that runs commands or makes Flash calls chosen by the attacker. One example of this attack is cross-site flashing, in which an attacker-controlled parameter to a reference call causes content specified by the attacker to be loaded.
Prerequisites The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.
Solutions
Implementation: remove sensitive information such as user names and passwords from the SWF file.
Implementation: use validation on both the client and the server side.
Implementation: remove debug information.
Implementation: use SSL when loading external data.
Implementation: use a crossdomain.xml file to control which domains may load the application's content or call its SWF file from another domain.
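The last mitigation is a configuration choice, so the following added example (not part of the CAPEC entry) places a permissive crossdomain.xml beside a restricted one. The host name app.example.com is a placeholder; the element and attribute names are those of the Flash Player cross-domain policy format.

```xml
<?xml version="1.0"?>
<!-- WEAK: any origin may load this site's data into a Flash movie,
     which is exactly what a cross-site flashing payload relies on. -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

<!-- ================================================================ -->

<?xml version="1.0"?>
<!-- RESTRICTED: only the application's own host, and only over HTTPS. -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Honour only this master policy file at the site root; policy files
       that an attacker might upload into subdirectories are ignored. -->
  <site-control permitted-cross-domain-policies="master-only" />
  <!-- Placeholder domain: replace with the real application host.
       secure="true" refuses SWFs that were themselves loaded over plain HTTP. -->
  <allow-access-from domain="app.example.com" secure="true" />
</cross-domain-policy>
```

The two documents are shown in one block for comparison; each would be served on its own as /crossdomain.xml at the site root. An explicit host list, rather than a wildcard, is what keeps a SWF on an unrelated domain from reading the application's data, and the master-only setting keeps that decision from being overridden by a policy file placed elsewhere on the site.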
Related Weaknesses
CWE ID Description
CWE-20 Improper Input Validation
CWE-184 Incomplete Blacklist
CWE-697 Insufficient Comparison