Title: FlashOver: Automated discovery of cross-site scripting vulnerabilities in rich internet applications
Authors: Van Acker, Steven ×; Nikiforakis, Nick; Desmet, Lieven; Joosen, Wouter; Piessens, Frank #
Issue Date: 2-May-2012
Conference: AsiaCCS edition:2012 location:Seoul date:2-4 May 2012
Abstract: Today's Internet is teeming with dynamic web applications visited by numerous Internet users. During their visits, typical Web users will unknowingly use tens of Rich Internet Applications such as Flash banners or media players. For HTML-based web applications, it is well known that Cross-site Scripting (XSS) vulnerabilities can be exploited to steal credentials or otherwise wreak havoc, and there is a lot of research into solving this problem. An aspect of this problem that seems to have been mostly overlooked by the academic community is that XSS vulnerabilities also exist in Adobe Flash applications, and are actually easier to exploit because they do not require an enclosing HTML ecosystem.

In this paper we present FlashOver, a system to automatically scan Rich Internet Applications for XSS vulnerabilities by using a combination of static and dynamic code analysis that reports no false positives. FlashOver was used in a large-scale experiment to analyze Flash applications found on the top 1,000 Internet sites, exposing XSS vulnerabilities that could compromise 64 of those sites, of which six are in the top 50.
Publication status: published
KU Leuven publication type: IC
Appears in Collections:Informatics Section
× corresponding author
# (joint) last author

Files in This Item:
File                             | Description                | Status    | Size  | Format
asiaccs-final29.pdf              | Accepted full paper        | Published | 539Kb | Adobe PDF
asiaccs-extended-abstract29.pdf  | Accepted extended abstract | Published | 275Kb | Adobe PDF