web application security lab

Forging HTTP request headers with Flash

Amit Klein is a web application security expert. He recently came up with an ingenious way to use Flash to forge HTTP request headers. Wow. Up until now it has been impossible to do that. Normally, talking about referrers (since that is the most widely used application for request header spoofing), you could only remove them (with Meta refresh or JavaScript, etc…). But now you don’t have to just remove them. Now you can actually modify them.

This actually has some pretty scary applications. Now you can no longer trust that the referrer is even real at all. Previously you could at least tell if it wasn’t real (i.e. it was there, but incorrect). That was one way people got around cross-site request forgeries (CSRF). But now the CSRF can be done with the correct HTTP referrer, and indeed all the correct information that you would expect (including cookies or otherwise). Up to this point, I’ve felt that referrers had limited use anyway, because they are absent too frequently (in the case of security applications like ZoneAlarm etc… that remove it) and you could intentionally remove the referrer.

Now, it’s just plain wrong. That could mean serious trouble for any application that relied on that information exclusively. This also has other applications for XSS fuzzing, etc…, where you can fuzz all of the information (including browser types, etc…) that is normally not available to the attacker in question. Amit uses the example of the Expect HTTP header, but anything is a potential target, including POST variables, the Host header, etc. The sky is the limit. I’ll be interested to hear if Macromedia comes out with a patch for this, as this has some serious implications for web application security.
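To make the defensive point concrete, here is an added example (not code from the post, and not Amit Klein's or Macromedia's): a state-changing request is checked two ways, once by a Referer-only rule and once by a per-session CSRF token. The origin `https://bank.example`, the `sid` cookie, the session store and the two sample requests are all constructed for the example. The forged request carries the victim's cookie (the browser attaches it) and a Referer set to the site's own origin, which is exactly what a header-forging plugin makes possible; the token check still rejects it because a cross-site page never sees the token embedded in the site's own form.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ORIGIN = "https://bank.example"  # constructed: the site defending itself

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    pairs = (item.strip().split("=", 1) for item in header.split(";") if "=" in item)
    return {k: v for k, v in pairs}


def referer_only_check(headers):
    """Weak defence: accept when Referer points at our own origin.
    Once a client-side plugin can set Referer to any value, this rule
    accepts forged requests just as readily as genuine ones."""
    ref = headers.get("Referer", "")
    if not ref:
        return False
    p = urlsplit(ref)
    return f"{p.scheme}://{p.netloc}" == ORIGIN


def token_check(headers, body):
    """Stronger defence: the form body must carry the token bound to the
    session named in the Cookie header. A forged cross-site request can
    carry the victim's cookie, but cannot read the token out of our page."""
    sid = parse_cookie(headers.get("Cookie", "")).get("sid")
    expected = SESSIONS.get(sid)
    supplied = body.get("csrf_token")
    if expected is None or not isinstance(supplied, str):
        return False
    # Constant-time comparison; both values are ASCII so encoding is safe.
    return hmac.compare_digest(expected.encode(), supplied.encode())


# --- constructed sample traffic ---
SID = new_session()

# Genuine submission of the site's own password-change form.
LEGIT = {
    "headers": {"Cookie": f"sid={SID}", "Referer": f"{ORIGIN}/settings"},
    "body": {"new_password": "hunter2", "csrf_token": SESSIONS[SID]},
}

# Cross-site request with the same victim cookie and a forged same-origin
# Referer, but no token: the attacking page never saw our form.
FORGED = {
    "headers": {"Cookie": f"sid={SID}", "Referer": f"{ORIGIN}/settings"},
    "body": {"new_password": "attacker-chosen"},
}


def evaluate(request):
    """Return how each policy would treat the request."""
    return {
        "referer_only": referer_only_check(request["headers"]),
        "token": token_check(request["headers"], request["body"]),
    }


if __name__ == "__main__":
    print("legit :", evaluate(LEGIT))
    print("forged:", evaluate(FORGED))
```

Run it and the Referer-only policy reports `True` for both requests, while the token policy reports `True` only for the genuine one. The design choice worth noting is that the token is bound to the session on the server and compared in constant time; a Referer check can at best be kept as a secondary signal, never the sole gate on a state-changing action.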

11 Responses to “Forging HTTP request headers with Flash”

  1. countzero Says:

    Scary stuff indeed. You could buy a flash banner advertisement on a site and coupled with some smart POSTs… A good time to block flash on your browser. I’ve been using this for some time now

  2. RSnake Says:

    Yah, I use that as well, countzero. It’s a lifesaver… I don’t trust flash these days, unless I know I want to see it (and that is almost never). I do love Flash, I just wish I could mark it as safe, and disable active scripting in it. Something to think about.

  3. XSS dude Says:

    How can I with JS remove the referrer when posting a regular form?

  4. RSnake Says:

    Hi, XSS dude…. check out this post. It should help you get a feel for how to do it:

  5. web application security lab - Archive » Expect Header Injection Via Flash Says:

    […] I probably didn’t go into enough detail the last time I talked about Amit Klein’s header injection vulnerability he disclosed with Flash. Blad3 brought my attention to this tool over at secunia that allows you to test sites for JavaScript injection via Expect headers. (I had better luck with Internet Explorer using that tool than I did with Firefox). But what it shows is that a huge chunk of major websites are now vulnerable to this. Without naming all of them, just trust me, it’s a lot. […]

  6. web application security lab - Archive » Flash Can Steal User Credentials Says:

    […] Amit Klein has been coming out with some great stuff lately. First with his Flash header spoofing and expect vulnerability and more recently using the same header spoofing he can actually use Flash to steal user credentials. Holy crap! […]

  7. web application security lab - Archive » OpenDNS Stops Some Phishing and has Some Issues Says:

    […] Colons and slashes are not allowed in the Host: header, but pretty much everything else is, which allows you to run arbitrary JavaScript using the Flash header injection method. Which means, if my phishing site is on host “A”, I can XSS some other site “B” to do a simple redirect, with the flash injection have them forward to the real address of the phishing site “A” and even after I’m caught and the page where the server is being redirected to “A” is caught I can run XSS on the openwall server to continue my phishing phun. Beautiful. […]

  8. web application security lab - Archive » DNS Pinning Just Got Worse Says:

    […] Amit Klein just published a rather interesting article on how anti-DNS pinning techniques can be circumvented. Namely how you can get around Host: header restrictions by using XmlHttpRequest or by forging headers with Flash. Coupled with Martin Johns’ DNS pinning circumvention technique this marks a sad day for web application security for Intranet applications. […]

  9. web application security lab - Archive » WordPress SEO CSRF Says:

    […] From a web application security perspective things like changing the administrator password are vulnerable only if a referring URL can be spoofed (which is possible using the Flash header spoofing trick that Amit came up with). Because the state is dealt with by spoofable items (referring URLs) and CSRF susceptible tokens (cookies) WordPress is ultimately vulnerable to quite a bit more than just comment spam. (The same is true with submitting new posts, which by the way actually could enable XSS attacks as full HTML is allowed). So turn off Flash if you’re a blog administrator until something gets fixed. […]

  10. web application security lab - Archive » Lessons Learned From Adobe PDF XSS Patching Says:

    […] Be careful using either of those. REQUEST_URI can contain anything: For that example the request URI will be ..pathto..file.pdf?whatever which does not match “.pdf$”. Likewise the second one has issues, including the fact that referrers are not always present (Zonelabs Zone Alarm Pro, and both Norton Internet Security and Norton Personal Firewall). Also, referrers are spoofable using Flash. […]

  11. easy-hide-ip Says:

    Modifying the HTTP REQUEST headers is a pretty simple job for a programmer. By playing with the request (and sometimes with the response) the browser behavior can be easily modified (“forced”). The easiest solution is to stay behind a small proxy (I recommend Privoxy and Web Cleaner (WebCleaner) – my new favorite solution) and decide what kind of content will be loaded.