www.rodneybeede.com "I would love to change the world, but they won't give me the source code" - unknown
 Navigation

XSS (Cross-site Scripting) and Flash - Last Modified 2013-01-23 22:54 UTC - Created 2013-01-23 22:54 UTC

So in my security work I have been running more and more into sites that use Flash players they obtain from some vendor (sometimes free sometimes paid). These flash players accept parameters via the URL string and commonly fail to actual validate the input and encoding.

This typically results in XSS allowing at attacker to hijack the user's session or present their own content.

I also typically run into issues where video players will load anything full-screen. The site owners don't realize someone can use their domain name to show any content they want and so they fail to restrict this or the player doesn't support restricting what URL it loads content from.

Finding sites with vulnerable players is as easy as an advanced Google search too.