BugTraq
Write-up by Amit Klein: "Forging HTTP request headers with Flash" Jul 24 2006 07:28PM
Amit Klein (AKsecurity) (aksecurity hotpop com) (1 replies)
Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash" Jul 26 2006 07:42PM
Amit Klein (AKsecurity) (aksecurity hotpop com) (1 replies)
Hi

A reader going by the nickname "xeek" pointed out to me that
the examples in the paper making use of the HTTP GET request
do not work as-is (thanks xeek!). After looking at the matter,
I realized that I made a silly mistake. In my research, I
toyed with the LoadVars.send() method with 2 arguments
(url and target window), and had Flash automatically
select the appropriate methd (GET if empty body, POST if
non-empty body). The exploit works fine this way. When I
documented my findings, I decided to explicitly add the HTTP
method, to clarify the write-up. BIG mistake - turns out
that in such case, Flash doesn't send the headers if GET is
used (sounds like a bug...). And pity I didn't verify the exact
code I used in the write-up...

Anyway, to summarize - there's a mistake in the document,
and it's easily fixed. In each GET example, simply remove
the explicit method (i.e. delete all instances of ,"GET" in
the write-up). For example (the first example in the paper):

[...]
req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
"_blank");

This works as advertised, and as also verified by xeek.

Thanks, and sorry for the mistake,
-Amit

[ reply ]
Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash" Jul 27 2006 02:43AM
3CO (threecheeseopera gmail com) (1 replies)
Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash" Jul 27 2006 05:52AM
Amit Klein (AKsecurity) (aksecurity hotpop com)


 

Privacy Statement
Copyright 2010, SecurityFocus