Flash Parameter Injection
Attack Pattern ID: 174 (Standard Attack Pattern Completeness: Stub)
Typical Severity: Medium
Status: Draft
+ Description

Summary

An attacker injects global Flash parameters into a Flash file embedded in an HTML document. These variables are controlled through arguments in the URL used to access the embedding HTML document. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. The injected parameters can allow the attacker to control other Flash objects as well as the parent document's DOM.
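One way an embedding page can limit which URL arguments reach the Flash file, shown beside the weak pattern it replaces. This is an added example, not part of the original entry; it assumes the page forwards its query string to the movie through the FlashVars parameter, and the names ALLOWED_FLASHVARS, lang and clipId and the sample URL are hypothetical.

```javascript
// Hypothetical allow-list: the only globals this movie is meant to receive,
// each with a strict value format.
const ALLOWED_FLASHVARS = {
  lang: /^[a-z]{2}$/,        // two-letter language code
  clipId: /^[0-9]{1,10}$/,   // numeric identifier only
};

// Weak pattern: the whole query string is copied into FlashVars, so every
// argument in the link becomes a global variable inside the movie.
function flashVarsUnfiltered(pageUrl) {
  return new URL(pageUrl).search.slice(1);
}

// Hardened pattern: forward only known names whose values match their format,
// and re-encode them so a value cannot smuggle in a further parameter.
function flashVarsAllowListed(pageUrl) {
  const query = new URL(pageUrl).searchParams;
  const out = new URLSearchParams();
  for (const [name, pattern] of Object.entries(ALLOWED_FLASHVARS)) {
    const values = query.getAll(name);
    // Drop repeated parameters instead of guessing which copy wins.
    if (values.length === 1 && pattern.test(values[0])) {
      out.set(name, values[0]);
    }
  }
  return out.toString();
}

// Build the <param> element with the attribute value HTML-escaped.
function flashVarsParam(pageUrl) {
  const escaped = flashVarsAllowListed(pageUrl)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return `<param name="FlashVars" value="${escaped}">`;
}

// Constructed sample link: two expected arguments plus one the page never defined.
const SAMPLE =
  "https://site.example/player.html?lang=en&clipId=42&unexpectedGlobal=x";
console.log("unfiltered  :", flashVarsUnfiltered(SAMPLE));
console.log("allow-listed:", flashVarsAllowListed(SAMPLE));
console.log(flashVarsParam(SAMPLE));
```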

+ Attack Prerequisites

The victim must use the URL crafted by the attacker to access the targeted web page with the embedded Flash document. The attacker does not need to have created or control either the targeted web page or the embedded Flash document.

+ Resources Required

The attacker must convince the victim to click their crafted link.

+ Related Attack Patterns
Nature: ChildOf
Type: Attack Pattern
ID: 137
Name: Parameter Injection
View(s) this relationship pertains to: Mechanism of Attack (primary) 1000
+ References

http://blog.watchfire.com/FPI.pdf