
[WEB SECURITY] JavaScript Code Flow Manipulation & Adobe Flex 3 DOM-based XSS Vulnerability




Hi,

I have published a blog post on a new Adobe Flex 3 DOM-based XSS
vulnerability that we have found. The post also discusses an interesting
JavaScript code flow manipulation technique, which was used in order to
turn a somewhat benign vulnerability into something more serious.

Here's an excerpt from the prologue of the post:

"We recently researched an interesting DOM-based XSS vulnerability in
Adobe Flex 3 applications that exploits a scenario in which two frames
(parent & son) interact with each other without properly validating their
execution environment. In our research, we have seen that in some cases
it is possible to manipulate JavaScript code flow by controlling the
environment in which it runs. Specifically, we managed to return
hacker-controlled Boolean values to conditional statements, and by that
force the application to be vulnerable to an existing DOM-based XSS, which
was otherwise unexploitable. The advisory presented herein is a real-world
example of the research mentioned above, and contains two XSS variants,
the second of which makes use of the JavaScript Flow Manipulation
technique."

You can find the entire text at our blog: 
http://blog.watchfire.com/wfblog/2008/06/javascript-code.html 

-Ory Segal
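The following is an added example; it is not part of Ory Segal's post or of the Watchfire advisory, and it does not reproduce the actual Flex 3 code. It models, in plain JavaScript that runs under Node, the kind of parent/child frame interaction the excerpt describes: a child frame whose trust decision is a Boolean derived from its execution environment (whether it is framed), which an attacker flips simply by being the parent. The window objects, the function names (`renderStateVulnerable`, `renderStateFixed`, `legitimateWrapperLoad`, `attackerFrameLoad`) and the "state token" fragment format are assumptions made for illustration.

```javascript
'use strict';
// Added example (not from the post or the advisory): a model of the parent/child
// frame interaction the excerpt describes. Windows are plain objects so this runs
// under Node; the names and the state-token fragment format are assumptions.

const PAYLOAD = '<img src=x onerror=alert(1)>';   // constructed attacker input

// Minimal stand-in for a browser window: only the properties the frame logic touches.
function makeWindow(opts) {
  const win = { location: { hash: opts.hash || '' }, document: { body: { innerHTML: '' } } };
  win.parent = opts.parent || win;   // in a browser, parent of a top-level window is itself
  return win;
}

function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

const STATE_TOKEN = /^[A-Za-z0-9_-]{0,64}$/;   // what a legitimate state token looks like

// Child frame, vulnerable version. It writes the URL fragment into the DOM. Loaded
// top-level it encodes the fragment, but when framed it trusts it, because the author
// assumed the only page that ever frames it is the application's own wrapper, which
// only loads it with validated tokens. The Boolean `framed` is decided by whoever
// loads the page, so an attacker's page can flip the condition and reach the raw sink.
function renderStateVulnerable(win) {
  const fragment = win.location.hash.replace(/^#/, '');
  const framed = win.parent !== win;                 // environment check used as a trust check
  const value = framed ? fragment : encodeHtml(fragment);
  win.document.body.innerHTML = '<div id="state">' + value + '</div>';   // DOM-based XSS sink
  return { framed: framed, html: win.document.body.innerHTML };
}

// Hardened version: the environment is not a trust signal. The frame validates the
// fragment itself and encodes on output no matter who framed it.
function renderStateFixed(win) {
  const fragment = win.location.hash.replace(/^#/, '');
  const accepted = STATE_TOKEN.test(fragment);
  const value = accepted ? encodeHtml(fragment) : '';
  win.document.body.innerHTML = '<div id="state">' + value + '</div>';
  return { accepted: accepted, html: win.document.body.innerHTML };
}

// The application's own wrapper: frames the child only with tokens it has validated,
// so in the intended deployment the unencoded path never sees hostile input.
function legitimateWrapperLoad(state) {
  const wrapper = makeWindow({});
  const token = STATE_TOKEN.test(state) ? state : '';
  return makeWindow({ hash: '#' + token, parent: wrapper });
}

// The attacker's page: frames the victim child page with a hostile fragment. No
// cross-origin access is needed; being the parent is enough to control `framed`.
function attackerFrameLoad(payload) {
  const attackerPage = makeWindow({});
  return makeWindow({ hash: '#' + payload, parent: attackerPage });
}

// Stand-alone demonstration of the four cases.
function demo() {
  console.log('top-level   :', renderStateVulnerable(makeWindow({ hash: '#' + PAYLOAD })).html);
  console.log('own wrapper :', renderStateVulnerable(legitimateWrapperLoad(PAYLOAD)).html);
  console.log('attacker    :', renderStateVulnerable(attackerFrameLoad(PAYLOAD)).html);
  console.log('fixed       :', renderStateFixed(attackerFrameLoad(PAYLOAD)).html);
}
demo();
```

Two caveats when mapping this back to a real browser. First, the comparison `parent !== window` is one of the few things a cross-origin child may do with its parent without an exception, which is exactly why a framing check is a poor trust check; a parent origin check would have to go through an explicit handshake (for example `postMessage` with `event.origin` verified), not through properties read off `parent`. Second, current browsers percent-encode `<`, `>` and quotes in `location.hash`, so a raw fragment reaches an HTML sink only if the page decodes it first; the model keeps the fragment as a plain string so the flow-control point stays visible.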



Brought to you by http://www.webappsec.org