Detection of XSS Vulnerabilities in Online Flash

Liu Qixu; Wen Tao; Wen Guanxing

Journal of Computer Research and Development > 2014 > 51(7): 1624-1632.

Liu Qixu, Wen Tao, Wen Guanxing. Detection of XSS Vulnerabilities in Online Flash[J]. Journal of Computer Research and Development, 2014, 51(7): 1624-1632.

Citation:

Liu Qixu, Wen Tao, Wen Guanxing. Detection of XSS Vulnerabilities in Online Flash[J]. Journal of Computer Research and Development, 2014, 51(7): 1624-1632.

Citation:

Liu Qixu, Wen Tao, Wen Guanxing. Detection of XSS Vulnerabilities in Online Flash[J]. Journal of Computer Research and Development, 2014, 51(7): 1624-1632.

PDF (1548 KB)

Detection of XSS Vulnerabilities in Online Flash

1(National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408) 2(State Key Laboratory of Integrated Services Networks (Xidian University), Xi’an 710071)

More Information

Published Date: July 14, 2014

Graphical Abstract

Abstract

Abstract

Popular websites such as YouTube, Yahoo! and CNN, contain a large number of Flash files to deliver dynamic contents. However, many Flash objects are exposed to cross-site scripting (abbreviated as XSS, a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites) vulnerabilities as they are usually coded without properly purifying their inputs. In this paper, we study the technology of XSS in online Flash and introduce an engine called FXD (Flash XSS Detector), which is designed to automatically scramble webpages with embedded Flash objects and check whether or not they are vulnerable to XSS attacks. We evaluate FXD on a large collection of XSS vulnerable Flash testing samples we created, which cover all common Flash XSS vulnerabilities. FXD performs efficiently in detecting Flash XSS by providing wide coverage of different kinds of Flash XSS which is higher than all related works we know. We also use FXD to test real-world websites, and find that there are still many embedded Flash objects vulnerable to XSS even in Alexa Top 100 websites. Finally, we discover a new trend that Flash XSS nowadays is mainly caused by combination of key functions in different categories.
- Adobe flash,
- ActionScript,
- cross-site scripting,
- vulnerability,
- Web security

FullText(HTML)

References (0)

[1]	Wang Xiaoxi, Liu Qixu, Liu Chaoge, Zhang Fangjiao, Liu Xinyu, Cui Xiang. Survey of Web Tracking[J]. Journal of Computer Research and Development, 2023, 60(4): 839-859. DOI: 10.7544/issn1000-1239.202110681
[2]	Wang Yi, Li Zhoujun, Guo Tao. Literal Tainting Method for Preventing Code Injection Attack in Web Application[J]. Journal of Computer Research and Development, 2012, 49(11): 2414-2423.
[3]	Zhang Xianchao, Xu Wen, Gao Liang, and Liang Wenxin. Combining Content and Link Analysis for Local Web Community Extraction[J]. Journal of Computer Research and Development, 2012, 49(11): 2352-2358.
[4]	Ban Zhijie, Gu Zhimin, Jin Yu. A Survey of Web Prefetching[J]. Journal of Computer Research and Development, 2009, 46(2): 202-210.
[5]	Deng Xiaopeng, Xing Chunxiao, Cai Lianhong. Progress in Testing for Web Applications[J]. Journal of Computer Research and Development, 2007, 44(8): 1273-1283.
[6]	Xue Xiaobing, Han Jieling, Jiang Yuan, and Zhou Zhihua. Link Recommendation in Web Index Page Based on Multi-Instance Learning Techniques[J]. Journal of Computer Research and Development, 2007, 44(3).
[7]	Li Shijun, Yu Junqing, Ou Weijie. Web Information Extraction Based on HTML Pattern Algebra[J]. Journal of Computer Research and Development, 2006, 43(9): 1644-1650.
[8]	Wang Bennian, Gao Yang, Chen Shifu, Xie Junyuan. A Review of Web Intelligence Research[J]. Journal of Computer Research and Development, 2005, 42(5): 721-727.
[9]	Xu Mingwei, Hu Chunming, Liu Xudong, and Ma Dianfu. Research and Implementation of Web Service Differentiated QoS[J]. Journal of Computer Research and Development, 2005, 42(4): 669-675.
[10]	Yang Nan, Gong Danzhi, Li Xian, and Meng Xiaofeng. Survey of Web Communities Identification[J]. Journal of Computer Research and Development, 2005, 42(3): 1.