XSS (Cross-site Scripting) and Flash

Last Modified: Wed, 23 Jan 2013 22:54:19 +0000 ; Created: Wed, 23 Jan 2013 22:54:19 +0000

So in my security work I have been running more and more into sites that use Flash players they obtain from some vendor (sometimes free, sometimes paid). These Flash players accept parameters via the URL query string and commonly fail to actually validate the input or encode it before use.

This typically results in XSS, allowing an attacker to hijack the user's session or present their own content under the site's domain.

I also typically run into issues where video players will load whatever content they are pointed at, full-screen. The site owners don't realize someone can use their domain name to show any content they want, so they fail to restrict this, or the player simply doesn't support restricting which URLs it will load content from.
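One mitigation on the embedding page for both problems above (unvalidated URL parameters and a player that will load any source), as an added example that is not taken from the post or from any particular vendor's player: before a source URL from the query string is passed to the player through flashvars, parse it, accept only http(s) URLs on an allowlisted host, and URL-encode every value. The parameter name `file`, the allowlist hosts and the `autostart` variable are assumptions.

```javascript
// Added example: validate a player source URL taken from the query string
// before it reaches the embedded player. Parameter name and hosts are assumed.
const ALLOWED_HOSTS = new Set(["media.example.com", "cdn.example.com"]); // constructed allowlist

// Returns a normalised absolute URL string if the candidate is acceptable,
// otherwise null. Relative inputs are refused because the player would resolve
// them against the page and the check could not reason about the real host.
function safeMediaUrl(candidate, allowedHosts = ALLOWED_HOSTS) {
  if (typeof candidate !== "string" || candidate.length > 2048) return null;
  let url;
  try {
    url = new URL(candidate); // throws on relative or unparseable input
  } catch (e) {
    return null;
  }
  // Only real media origins: this rejects javascript:, data:, vbscript:, file:.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Reject embedded credentials (https://allowed.host@other.host/ tricks).
  if (url.username || url.password) return null;
  // WHATWG URL already lower-cases the hostname, so the set lookup is exact.
  if (!allowedHosts.has(url.hostname)) return null;
  return url.href;
}

// Builds the flashvars string with every key and value URL-encoded, so a value
// cannot inject extra &name=value pairs or break out of the enclosing attribute.
function buildFlashVars(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Reads ?file=... from the page's query string and returns the flashvars to
// embed, or null when the parameter must be refused (the page should then
// fall back to a fixed default source rather than echo the input).
function flashVarsFromQuery(queryString) {
  const file = new URLSearchParams(queryString).get("file");
  const safe = safeMediaUrl(file);
  if (safe === null) return null;
  return buildFlashVars({ file: safe, autostart: "false" });
}
```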

Finding sites with vulnerable players is as easy as an advanced Google search too.