mailing list archives
Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash"
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Thu, 27 Jul 2006 07:52:04 +0200
On 26 Jul 2006 at 22:43, 3CO wrote:
FYI Flash9 added a new property for object and embed tags to prevent
this technique from being used: "allowNetworking":
That page doesn't explicitly list LoadVars as being disallowed, but I
just tested, and it is true.
The way I understand that help page, allowNetworking is part of the OBJECT/EMBED tag. Now,
keep in mind that in the attack vectors described in my paper, the victim user/browser
visits a malicious site (e.g. by clicking a malicious link), so the way Flash is invoked
is completely controlled by the attacker (either the attacker provides the Flash object
directly, by a link ending with ".swf", or the attacker provides a link to an HTML page
containing an OBJECT/EMBED tag). And the attacker would surely not include the
allowNetworking attribute in his/her page ;-)
For instance, Myspace has added that to all embed tags to prevent fun
That's a different story. MySpace faces a much more complex situation, wherein the attacker
may very well be a user in MySpace allowed to upload HTML pages and Flash objects/links to
MySpace. In MySpace's context, allowNetworking may be more relevant.
Great paper though (as usual); thanks.
Thanks for reading :-)