Back to list
Technical note by Amit Klein: "Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)"
Aug 16 2006 08:33PM
Amit Klein (AKsecurity) (aksecurity hotpop com)
Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)
Amit Klein, August 2006
In , I showed how to forge parts of HTTP requests containing
CRs and LFs using Flash. In that write-up, the data was part of the
HTTP body section. However, combining the Content-Length overriding
trick from  enables a condition of HTTP request splitting (see ).
This enables almost complete control over the second HTTP request -
including methods. The only pre-requisite (apart from using IE 6.0 and
Flash 7/8) is that there's one resource in the target website that does
not terminate the TCP connection in response to a POST request.
Here's an example:
var req:XML=new XML("<foo>\r\nOPTIONS / HTTP/1.0\r\nHost:
The request stream is:
POST /path/to/script.cgi HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
OPTIONS / HTTP/1.0
Note that this works well in HTTP and HTTPS.
Also note that if the target web server is Apache 2.0 with mod_ssl,
then there's a need to modify the User-Agent header for IE, in order
for it not to include the string "MSIE". If the string "MSIE" is
found in the User-Agent header, mod_ssl will terminate the HTTPS
connection after the first request (see ). So this is as simple
as adding the following to the ActionScript code:
Some interesting consequences
including WebDAV, full control over the headers, etc.
- All the impact in  and  is relevant - XSS in some cases, HTTP
request smugling and HTTP Response Splitting attacks (from the
 "Sending multipart/form-data requests from Flash (with arbitrary
headers)", Amit Klein, August 2006
 "Forging HTTP request headers with Flash", Amit Klein, July 2006
 "Exploiting the XmlHttpRequest object in IE - Referrer spoofing,
and a lot more...", Amit Klein, September 2005
 "IE + some popular forward proxy servers = XSS, defacement (browser
cache poisoning)", Amit Klein, May 2006
 "mod_ssl F.A.Q." (mod_ssl website), under "When I connect via HTTPS
to an Apache+mod_ssl+OpenSSL server with Microsoft Internet Explorer
(MSIE) I get various I/O errors. What is the reason?"
[ reply ]
Copyright 2010, SecurityFocus