CAPEC-182: Flash Injection

Description
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
Extended Description

Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.

Severity :

Medium

Possibility :

High

Type :

Standard
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-137: Parameter Injection Parameter Injection CAPEC-174: Flash Parameter Injection Flash Parameter Injection CAPEC-178: Cross-Site Flashing Cross-Site Flashing CAPEC-248: Command Injection Command Injection
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium The attacker needs to have knowledge of Flash, especially how to insert content the executes commands.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

None: No specialized resources are required to execute this type of attack. The attacker may need to be able to serve the injected Flash content.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-20: Improper Input Validation

CWE-184: Incomplete List of Disallowed Inputs

CWE-697: Incorrect Comparison

Visit http://capec.mitre.org/ for more details.