|Name ||Flash Injection |
|Summary ||An attacker tricks a victim into executing malicious Flash content that runs commands or makes Flash calls specified by the attacker. One example of this attack is cross-site flashing, in which an attacker-controlled parameter to a reference call causes the SWF to load content specified by the attacker. |
|Prerequisites ||The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link. |
|Solutions ||Implementation: remove sensitive information such as user names and passwords from the SWF file.
Implementation: validate input on both the client and the server side.
Implementation: remove debug information.
Implementation: use SSL when loading external data.
Implementation: use a crossdomain.xml file to restrict which domains the application may load data from and which domains may load or call the SWF file. |
|CWE ID ||Description |
|CWE-20 ||Improper Input Validation |
|CWE-184 ||Incomplete Blacklist |
|CWE-697 ||Insufficient Comparison |