Liu Qixu, Wen Tao, Wen Guanxing. Detection of XSS Vulnerabilities in Online Flash[J]. Journal of Computer Research and Development, 2014, 51(7): 1624-1632.

Detection of XSS Vulnerabilities in Online Flash

More Information
  • Published Date: July 14, 2014
  • Popular websites such as YouTube, Yahoo! and CNN embed large numbers of Flash files to deliver dynamic content. Many of these Flash objects are exposed to cross-site scripting (XSS, an injection problem in which malicious scripts are injected into otherwise benign and trusted web sites) because they are coded without properly sanitizing their inputs. In this paper we study XSS in online Flash and introduce an engine called FXD (Flash XSS Detector), which automatically crawls webpages with embedded Flash objects and checks whether they are vulnerable to XSS attacks. We evaluate FXD on a large collection of XSS-vulnerable Flash test samples we created, which cover all common kinds of Flash XSS. FXD detects Flash XSS efficiently and covers more kinds of Flash XSS than any related work we know of. We also use FXD to test real-world websites and find that many embedded Flash objects remain vulnerable to XSS, even on Alexa Top 100 websites. Finally, we identify a new trend: Flash XSS is now caused mainly by combinations of key functions from different categories.
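The abstract attributes Flash XSS to unsanitized inputs flowing into "key functions in different categories": FlashVars read from the embedding page on one side, browser-facing functions such as ExternalInterface.call and navigateToURL on the other. The following is an added illustration of that source-to-sink view, not the FXD engine or any code from the paper. It is a regex-level taint sketch over decompiled ActionScript 3 text, and it assumes one statement per line (as decompilers usually emit), treats loaderInfo.parameters (and, conservatively, AS2's _root/_level0) as the only source, and uses a hand-picked sink list; the embedded ActionScript sample is constructed for the example and does not come from any real site.

```python
"""Source-to-sink taint sketch for decompiled ActionScript 3 (added example).

Not the FXD engine from the paper. FlashVars (loaderInfo.parameters) are the
taint source; taint propagates through simple assignments; calls to
browser-facing sinks whose arguments carry a tainted variable are reported.
Regex-level and line-oriented: it models no validation, so every finding is
a candidate to confirm manually or by actually exercising the SWF.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Functions that hand a string to the browser: the first argument of
# ExternalInterface.call is evaluated as a JavaScript function name, and the
# URL-taking sinks honour the javascript: scheme.
SINK_RE = re.compile(
    r"\b(ExternalInterface\.call|navigateToURL|getURL|loadMovieNum|loadMovie)\s*\((.*)\)"
)
# Where FlashVars enter the program. AS3 exposes them on loaderInfo.parameters,
# often written LoaderInfo(this.root.loaderInfo).parameters; AS2 lands them on
# _root / _level0, which is matched conservatively (any _root.x member).
SOURCE_RE = re.compile(r"loaderInfo\)?\.parameters|\b_(?:root|level0)\.\w+")
# `var name:Type = rhs;` or `name = rhs;` (the (?!=) keeps `==` out).
ASSIGN_RE = re.compile(r"^\s*(?:var\s+)?(\w+)(?:\s*:\s*\w+)?\s*=(?!=)\s*(.+?)\s*;?\s*$")


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    tainted: str  # variable name or raw source expression reaching the sink


def _tainted_in(text: str, tainted: set[str]) -> str | None:
    """Return the first tainted name (or raw source expression) used in text."""
    direct = SOURCE_RE.search(text)
    if direct:
        return direct.group(0)
    for name in sorted(tainted):
        # Word-boundary match; a sketch, so a tainted name quoted inside a
        # string literal would also match.
        if re.search(rf"\b{re.escape(name)}\b", text):
            return name
    return None


def scan(source: str) -> list[Finding]:
    """Flag sink calls reachable from FlashVars via straight-line assignments."""
    tainted: set[str] = set()
    findings: list[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = re.sub(r"(?<!:)//.*$", "", raw)  # drop // comments, keep http://
        sink = SINK_RE.search(line)
        if sink:
            hit = _tainted_in(sink.group(2), tainted)
            if hit:
                findings.append(Finding(lineno, sink.group(1), hit))
        assign = ASSIGN_RE.match(line)
        if assign:
            lhs, rhs = assign.groups()
            if _tainted_in(rhs, tainted):
                tainted.add(lhs)
            else:
                tainted.discard(lhs)  # overwritten with a clean value
    return findings


# Constructed decompiled AS3 (hypothetical class "Player", not from any real
# site): two FlashVars reach sinks, one is overwritten with a literal first.
SAMPLE_AS3 = """\
package {
  import flash.display.Sprite;
  import flash.display.LoaderInfo;
  import flash.external.ExternalInterface;
  import flash.net.URLRequest;
  import flash.net.navigateToURL;

  public class Player extends Sprite {
    public function Player() {
      var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
      var cb:String = params["onReady"];
      var target:String = params.redirect;
      var title:String = params.title;
      ExternalInterface.call(cb, "loaded");           // attacker picks the JS function
      navigateToURL(new URLRequest(target), "_self"); // javascript: URL possible
      title = "Player";                               // clean again after this
      ExternalInterface.call("setTitle", title);
      var version:String = "1.0";
      ExternalInterface.call("reportVersion", version);
    }
  }
}
"""


def main() -> None:
    for f in scan(SAMPLE_AS3):
        print(f"line {f.line}: {f.sink}() receives tainted '{f.tainted}'")


if __name__ == "__main__":
    main()
```

Running it against the constructed sample reports the callback-name and redirect flows and stays silent on the two sink calls whose arguments are constants. The sketch deliberately ignores validation, ExternalInterface.addCallback handlers and data flowing through method calls, which is exactly where a purely syntactic pass loses precision and why a detector that exercises the embedded object in a page, as the paper's engine is described as doing, can decide what a regex cannot.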