As modern web applications began to reflect user input to generate dynamic content, Cross-Site Scripting (XSS) attacks gained popularity. An XSS vulnerability is caused by improper validation of user input, which allows the injection of malicious client-side script. In response to this overwhelming popularity, a lot of research has been done to mitigate XSS vulnerabilities. Unfortunately, XSS issues in rich internet applications have not been studied as much as those in regular web applications.
In this thesis, we show XSS attacks against Adobe Flash applications, one of the most popular types of rich internet application. To emphasize the risk of XSS in rich internet applications, we implemented an automated XSS vulnerability analysis system that discovers vulnerable Flash applications being served on the Web. Our system discovered vulnerable Flash applications on domestic portal sites. We also tried uploading script-injected Flash applications to both domestic and foreign blog hosting sites to test the XSS attacks, and those sites were also vulnerable to the attacks.
An XSS attack can be extended to a variety of attacks, such as session hijacking, URL redirection, malware installation, key logging and so on. By exploiting vulnerable Flash applications discovered on portal sites in Korea, this thesis demonstrated that it is possible to access other users’ private information with a hijacked session. We notified the administrator of the portal site so that this security flaw could be fixed.
To prevent such XSS attacks, any external input to a Flash application must be validated upon its arrival. Especially in environments where users can easily customize page content, such as blog hosting sites, Flash applications must be considered a potential security threat. The execution of external script must be controlled by proper sanitization of input values, as it may affect a large number of visitors.