Name
|
Flash Injection
|
Summary
|
An attacker tricks a victim into executing malicious Flash content that runs commands or makes Flash calls chosen by the attacker. One example of this attack is cross-site flashing, in which an attacker-controlled parameter passed to a reference call causes the application to load content specified by the attacker.
|
Prerequisites
|
The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.
|
Solutions
|
Implementation: remove sensitive information such as user names and passwords from the SWF file.
Implementation: validate input on both the client and the server side.
Implementation: remove debug information from the SWF file.
Implementation: use SSL when loading external data.
Implementation: use a crossdomain.xml file to control which domains the application may load content from and which domains may call the SWF file.
|