Abstract
Client-side Flash proxies provide an interface for JavaScript applications to utilize Flash's cross-domain HTTP capabilities. However, subtle differences between the two technologies' implementations of the same-origin policy, together with the insufficient security architecture of the JavaScript-to-Flash interface, lead to potential security problems. We comprehensively explore these problems and conduct a survey of five existing proxy implementations. Furthermore, we propose techniques to avoid the identified security pitfalls and to overcome the untrustworthy interface between the two technologies.
© 2011 Springer-Verlag Berlin Heidelberg
Johns, M., Lekies, S. (2011). Biting the Hand That Serves You: A Closer Look at Client-Side Flash Proxies for Cross-Domain Requests. In: Holz, T., Bos, H. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2011. Lecture Notes in Computer Science, vol 6739. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22424-9_6
DOI: https://doi.org/10.1007/978-3-642-22424-9_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22423-2
Online ISBN: 978-3-642-22424-9
eBook Packages: Computer Science (R0)