Flash comes to the rescue
These days almost all web applications store files in some way or another; take, for example, social networking websites that store our pictures or dedicated storage services like Dropbox. One common problem with this is that we can upload Flash or SWF files with benign extensions like .jpg
, .gif
, or .png
and it will be happily accepted by the server backend. The problem arises if the file is hosted on the main domain or subdomain (not sandboxed domain) of the website, but we can create a Flash file to read the HTML source of the vulnerable website and upload it there with the allowed extensions mentioned earlier. Once it is uploaded on the vulnerable website, the attacker simply needs to embed the Flash file and pass ...
Get Mastering Modern Web Penetration Testing now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.