Biting the Hand That Serves You: A Closer Look at Client-Side Flash Proxies for Cross-Domain Requests

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6739)

Abstract

Client-side Flash proxies provide an interface for JavaScript applications to utilize Flash’s cross-domain HTTP capabilities. However, the subtle differences in the respective implementations of the same-origin policy and the insufficient security architecture of the JavaScript-to-Flash interface lead to potential security problems. We comprehensively explore these problems and conduct a survey of five existing proxy implementations. Furthermore, we propose techniques to avoid the identified security pitfalls and to overcome the untrustworthy interface between the two technologies.




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Johns, M., Lekies, S. (2011). Biting the Hand That Serves You: A Closer Look at Client-Side Flash Proxies for Cross-Domain Requests. In: Holz, T., Bos, H. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2011. Lecture Notes in Computer Science, vol 6739. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22424-9_6


  • DOI: https://doi.org/10.1007/978-3-642-22424-9_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-22423-2

  • Online ISBN: 978-3-642-22424-9

  • eBook Packages: Computer Science (R0)
