AsiaCCS edition:2012 location:Seoul date:2-4 May 2012
Today's Internet is teeming with dynamic web applications visited by numerous Internet users.
During their visits, typical Web users will unknowingly use tens of Rich Internet Applications like
Flash banners or media players. For HTML-based web applications, it is well-known that Cross-site Scripting
(XSS) vulnerabilities can be exploited to steal credentials or otherwise wreak havoc, and there is a
lot of research into solving this problem.
An aspect of this problem that seems to have been mostly
overlooked by the academic community, is that XSS vulnerabilities also exist in Adobe Flash applications,
and are actually easier to exploit because they do not require an
enclosing HTML ecosystem.
In this paper we present FlashOver, a system to automatically scan Rich Internet Applications for
XSS vulnerabilities by using a combination of static and dynamic code analysis that reports no false positives.
FlashOver was used in a large-scale experiment to analyze Flash applications found on
the top 1,000 Internet sites, exposing XSS vulnerabilities that could compromise 64 of those sites, of which six are in the top 50.