What is possible with XSS with Flashvars? How to prevent it?
Recently a client was concerned that their SWF was "insecure" because the XML path was coming from Flashvars. This seems to me to be something that isn't really a concern as the SWF is only displaying images / text and a few button links. I can understand how someone could path to the swf and add a remote XML path in to add javascript to the button url targets, but really what damage could this do?
Eg. they could change
http://mysite.com/theflash.swf?xmlpath=xml/thedata.xml
to this
http://mysite.com/theflash.swf?xmlpath=http://dodgysite.com/thechangeddata.xml
Obviously they could build a fake wrapper html file around this but I still don't see how they could do anything harmful with this. Am I missing something?
My next question is what is the best way to go about preventing this from happening?
So far I have in my XSS checking class:
Most of this process I found in this article: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps_02.html
Is there a better way than this?
What else could be done to prevent XSS in flash?
I think you already did a good job!
This may not always be possible, but you could also validate the data structure that you are receiving.
For example: if the XML contains paths to images, you could verify that the files are ending in .jpg/.png and are loaded from the right directory.
Blacklisting is a terrible solution. The implicit assumption is that "I'll be able to catch all attacks if I look for these substrings"; it's often wrong:
http://example.com/theflash.swf?xmlpath=../../../../userUploads/innocent.xml
Ultimately, you're trying to figure out how a URL parser will treat the string by looking for a few substrings. It's much more effective to stick it through a URL parser and extract the relevant semantics yourself.
I think a potentially safe option is to ensure that the path starts with "xml/" and doesn't contain "/../", but it's still a terrible "solution".
A better option is a whitelist: The filename can only contain [a-z0-9_-]. You generate the path with "xml/$filename.xml". This works provided you don't make a "test.xml".
An even better option is just to maintain a mapping from names to paths, eg "data" maps to "xml/data.xml", but "exploit" has no mapping, so it returns an error. It means you can't add files as easily, but also means that the user cannot specify arbitrary paths.
EDIT: Security problems like this arise because of unexpected interactions between different parts of the system ("all files on the filesystem can be trusted") or incorrect assumptions ("URL resolution will give a URL under the same 'directory'", "concatenating paths can't navigate up the directory hierarchy", "all filenames are normal", "checking whether a directory exists can't create it"). I've given an example; no doubt there are others.
If you need to make the config different per deployment, then ... use a config! foo.swf could fetch config.xml, which contains a list of allowed paths. Better is to have config.xml give a mapping from page name to XML path.
In general, exposing implementation details like "all paths happen to match xml/.*\.xml" is icky, a layering violation, and looks a lot like bad security.
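The blacklist this answer warns against, beside the whitelist and the name-to-path mapping it recommends, as an added JavaScript example that is not code from the question or either answer; the function names and the sample table are assumptions, and the same logic would sit in the SWF's own check class before it loads anything from the "xmlpath" Flashvar.

```javascript
// Added example, not code from the question or either answer. It puts the
// blacklist check the answer warns against beside the whitelist and the
// name-to-path mapping it recommends. The function names are hypothetical;
// the SWF would run one of these on the raw "xmlpath" Flashvar before
// loading anything from it.

// Blacklist: reject a few known-bad substrings and assume the rest is fine.
// It blocks the remote-URL case from the question but lets the relative
// traversal path from the answer straight through.
function blacklistAllows(xmlpath) {
  const bad = ["http://", "https://", "javascript:"];
  const lower = xmlpath.toLowerCase();
  return !bad.some((s) => lower.includes(s));
}

// Whitelist: the Flashvar may only be a bare file name, [a-z0-9_-]+, and the
// code builds the path itself. Anything containing "/", "." or ":" is
// refused, so traversal and remote URLs never reach the loader.
function whitelistResolve(name) {
  if (typeof name !== "string" || !/^[a-z0-9_-]+$/.test(name)) return null;
  return "xml/" + name + ".xml";
}

// Mapping: the Flashvar is a key into a fixed table (in practice loaded from
// config.xml, as the answer suggests). Unknown keys get no path at all.
// A Map rather than a plain object, so inherited property names such as
// "constructor" are not mistaken for entries.
const XML_PATHS = new Map([ // constructed sample table
  ["data", "xml/thedata.xml"],
  ["about", "xml/about.xml"],
]);
function mappingResolve(name) {
  return XML_PATHS.has(name) ? XML_PATHS.get(name) : null;
}
```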