POSTER: trend of online flash XSS vulnerabilities

  • Authors: Qixu Liu; Yuqing Zhang; Huan Yang
  • Affiliations: University of Chinese Academy of Sciences, Beijing, China (Liu, Zhang); State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an, China (Yang)
  • Venue: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
  • Year: 2013


Abstract

Flash objects are widely embedded in web pages, supporting Rich Internet Applications written in ActionScript. However, according to our survey, many Flash objects are seriously exposed to Cross-site Scripting (XSS) vulnerabilities because they are usually coded without proper sanitization of their inputs. This poses a potential danger to web users. In this paper, we analyze XSS in online Flash and present FXD (Flash XSS Detector), an engine that automatically collects Flash files from web pages and checks whether or not they are vulnerable to XSS. We call vulnerable ActionScript functions "key functions" and divide them into four categories by their functionality. The usability of FXD is further evaluated by deploying it against real-world websites. Our results reveal that at least 48 Flash applications in 18% of the Alexa top 100 sites are vulnerable to XSS. Each of these vulnerable Flash objects has been verified and its XSS flaw confirmed. Finally, we discuss a new trend in Flash XSS: nowadays it is mainly caused by combinations of key functions from different categories.