Macromedia Flash has its own built in scripting language. ActionScript[6] (the scripting language) seems very simple to seasoned JavaScript coders as it uses a very similar syntax to JavaScript, C and PERL. However this same language can be used for complex animations, simulations, creation of games etc.. What’s interesting for us is the getURL() action[7]. This function allows us to redirect the end user to another page. The parameter would usually be a URL; something like “http://eyeonsecurity.net”, so that the script looks like this:
getURL(“http://eyeonsecurity.net”)
Suppose we specify a java script: URL instead:
getURL(“java script:alert(document.cookie)”)
The above example pops up a JavaScript alert box with the cookie belonging to the domain hosting the page that displays the flash document. This means that we have successfully injected JavaScript by making use of “features” within Internet Explorer and Flash. In the example Flash file we insert script similar to the above in the first frame as shown in the screenshot.
[Example sites and software vulnerable to the Flash! Attack]
Ezboard (http://www.ezboard.com/) is probably one of the best well-known free online Bulletin Board Systems around. This BBS which is HTTP-based, allows its users to have their signatures in flash by making use of the EMBED tag. Therefore in our tests we edit our preferences and specify the following code in the signature:
精品推荐