[WEB SECURITY] Attacks via Flash

MustLive mustlive at websecurity.com.ua
Mon Sep 30 14:01:21 EDT 2013


Hello, participants of the Mailing List.

Different attacks can be made via Flash. In 2010, in the article "Content
Spoofing attacks: Link Injection and Text Injection", and in 2012, in the
article "Content Spoofing attacks: Content Injection and Site Injection"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-November/008614.html),
I told about different CS attacks, part of which concerned Flash. Also, in
my articles from 2008, 2009 and 2010, "XSS vulnerabilities in 215000 flash
files", "XSS vulnerabilities in 8 millions flash files" and "XSS
vulnerabilities in 34 millions flash files", I wrote about XSS attacks via
flash banners and tagcloud.swf (WP-Cumulus). Last week I wrote a new article,
"Attacks via Flash". This topic should be interesting for you (especially for
those who haven't read it before).

Attacks via Flash.
http://websecurity.com.ua/6794/

In the article I described different attacks via Flash. This is the list of
possible attacks on users and visitors of sites via the flash plugin, which I
created back in December 2009.

* Remote Flash Inclusion.
* Remote Flash Injection.
* Cross-Site Scripting.
* Link Injection.
* Text Injection.
* Remote Audio Inclusion.
* Remote Video Inclusion.
* Remote Image Inclusion.
* Remote XML Inclusion.
* Denial of Service - via DoS vulnerabilities
(http://www.youtube.com/watch?v=3W_5jb17Aus) in flash-plugin
(http://www.youtube.com/watch?v=xi29KZ3LD80).
* Remote Code Execution - via vulnerabilities in flash-plugin
(http://www.youtube.com/watch?v=DnUhKF9RiuM).
* User tracking.
* Redirection.
* Malware spreading and phishing.

The attacks via including audio, video and images I called by one term,
Content Injection. And Remote XML Inclusion can be used both for Content
Injection and for Site Injection, about which I wrote in the above-mentioned
article.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua