Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: General :: web5423.htm

Flash with embedded Javascript bypass all browser & web sites protections for CSS
11th Jun 2002 [SBWID-5423]

	Flash with embeeded  Javascript  bypass  all  browser  &  web  sites
	protections for CSS


	All web sites allowing users to upload flash


	Obscure from EyeonSecurity [] found  a  way  to
	use flash in cross site scripting.




	In this document  we  will  be  describing  a  loophole,  with  security
	implications, found in many websites that allow Flash  documents  to  be
	inserted within HTML, or uploaded to the server. This  paper  relies  on
	the fact that a huge number of web  surfers  have  installed  Macromedia
	Flash plugin/ActiveX control, for an attacker  to  launch  a  Cross-site
	scripting attack. We will not go into a  lot  of  detail  in  describing
	Cross-site scripting attacks in  general;  However  we  hope  that  this
	paper will explain how Flash documents can be used to inject  JavaScript
	into otherwise well filtered Web Applications.

	See for more.


	Web sites should filter  getURL() in uploaded flash objects.

	see paper for more details.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH