flex - How vunerable to XSS attacks is Flash? -

-

the reason why ask i'm telling vendor of ours have use ms antixss library asp.net ui components make, work flex build flash based uis - , wondering if there's equivalent flash (assuming it's vunerable).

the short answer is: flash player has lot of features in place prevent xss attacks, they're built in player itself, there isn't particular library need use. if don't call security-related apis, , don't put config files on server, security-wise, using restrictive settings available. (assuming pay attention how make use of user input.)

more generally, apis have potential lead xss vulnerabilities rule disabled in xss situations unless actively enable them. example, if html page on site loads in flash file site, , flash content tries to, say, make javascript calls page, calls blocked default unless allow them. similarly, if flash content on site loads in components site, components not able introspect parent unless call apis allow them to. there various restrictions on happens when site tries load in flash content site without having allowed it.

for details, highly recommend excellent overview:

with said, since asked sanitizing user inputs, it's worth noting since as3 has no equivalent of eval command there never question of user input being executed script. however, user input relates content being loaded vector of xss attack. (for example, if append user-input string url load, user cause site load in malicious swf.) such case no different situation load in benign 3rd-party swf, , later replaces malicious content. hence in context of flash, protecting against xss attacks not sanitizing user input making sure externally loaded contents not granted permission run if locally trusted.

and further, since it's useful or necessary relax default restrictions if want interesting 3rd-party content (like flash avatars, components, or banner ads), in situations it's important site admin understand allowing, , how prevent relaxed restrictions exposing vulnerability.


Comments

Post a Comment

Popular posts from this blog

ASP.NET/SQL find the element ID and update database -

-
basically i've got update query runs when click submit button. i have asp:repeater in page layer inside this <asp:repeater id="dgbookings" runat="server" onitemdatabound="itemdb"> <itemtemplate> <div class="bookingscontent"> <div class="bookingdetails" id="<%# databinder.eval(container.dataitem, "booking_ref") %>"> <p class="infotext"><%# databinder.eval(container.dataitem, "adults") %> <asp:linkbutton onclick="editdetails" text="edit..." runat="server"></asp:linkbutton></p> <p class="infotext"><asp:linkbutton onclick="submitdetails" text="submit..." runat="server"></asp:linkbutton></p> </div> </div> </itemtemplate> <asp:repeater> and outputs ...
Read more

jquery - appear modal windows bottom -

-
i have modal windows in application, work fine <div id="modal" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="mymodallabel" aria-hidden="true"> but when modal appears, appear top of windows, , want appear bottom the application joomla 3.0! , using template of meet gavern any idea? i found solution i modified de css in bootstrap .modal.fade { top:-25%; -webkit-transition:opacity .3s linear, bottom .3s ease-out; -moz-transition:opacity .3s linear, bottom .3s ease-out; -ms-transition:opacity .3s linear, bottom .3s ease-out; -o-transition:opacity .3s linear, bottom .3s ease-out; transition:opacity .3s linear, bottom .3s ease-out; }
Read more

c++ - Compiling static TagLib 1.6.3 libraries for Windows -

-
i having super hard time compiling , using taglib 1.6.3 in qt project. i've tried can think of. taglib claims supported through cmake i'm not having luck. furthermore, i'm confused kinds of files need qt libs! i've built *.a files, *.lib, , *.dll. understand far... believe since i'm working in windows *.lib want. no matter do, end "undefined references" taglib functions try use when try compile qt project. have tried mingw32, msys, visual studio 2008, , cross-compiling windows on linux. turning nothing. what makes less sense me if compile same taglib source qt on mac (g++ think?) works fine! somewhere in windows compilation procedures have going wrong. have been smacking face on desk 30 (on , off) hours trying figure out. since qt uses mingw must compile taglib same compiler? if compile *.lib's visual studio not compatible? are *.a libraries usable in windows? (assuming mingw) i'm still trying handle on c++ stuff, after reading coun...
Read more