web application security lab

More Expect Exploitation In Flash

I traded a few emails with Titon (titon[at]bastardlabs.com) regarding the Expect XSS vulnerability in Flash against older versions of Apache. I hadn’t realized that Flash had closed down the Expect: header. It appears, however, that there is a way to resurrect that vulnerability. If you recall the old syntax it was:

req.addRequestHeader("Expect","<script>alert('XSS')</script>");

Well it appears that is now blocked in current versions of Flash. However, Titon found a way around that:

req.addRequestHeader("Expect:FooBar","<script>alert('XSS')</script>");

It appears it was doing some sort of pattern match or direct string comparison on the header name, and by adding anything after the colon you can bypass the protection: the server still splits the header line at the first colon and sees the name "Expect". Here is an example he created against SecurityFocus. So it looks like the vulnerability is back. It’s surprising how many sites are still vulnerable to this attack. So if you haven’t updated Apache and have any interest in security, you probably should. Nice work by Titon!
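To make the bypass concrete from the defender's side, here is an added example (not Flash Player code, and not from Titon's write-up) that models the client-side filter as a plain string comparison on the header name, which is an assumption about the behaviour described above rather than a confirmed implementation, and models the server as parsing the header name as everything before the first colon, which is how HTTP/1.x header lines are framed. It contrasts that exact-match check with a validator that requires the name to be an RFC 7230 token, so a colon (or a CR/LF) in the name is rejected outright. The header value is a neutral constructed marker.

```python
"""Exact-match header-name denylist vs. token validation (added example)."""
import re

BLOCKED_NAME = "Expect"          # the header the client filter wants to block
MARKER = "TEST-MARKER"           # constructed, neutral header value


def naive_filter(name: str) -> bool:
    """Model of the exact-match check: rejects only the literal name 'Expect'.
    Returns True when the header is allowed through."""
    return name.lower() != BLOCKED_NAME.lower()


# RFC 7230 'token' grammar for header field names. A colon, space, CR or LF can
# never appear in a legal name, so one check covers both the "Expect:FooBar"
# trick and header-injection attempts via embedded line breaks.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def strict_filter(name: str) -> bool:
    """Hardened check: name must be a valid token AND not a blocked name."""
    return bool(_TOKEN_RE.match(name)) and name.lower() != BLOCKED_NAME.lower()


def build_header_line(name: str, value: str) -> str:
    """Serialize the header the way a client puts it on the wire."""
    return f"{name}: {value}\r\n"


def server_parse_header_name(line: str) -> str:
    """What the server treats as the header name: text before the first colon."""
    return line.split(":", 1)[0].strip()


def evaluate(name: str, value: str, client_filter) -> dict:
    """Push one header through a client filter; if it passes, show what the
    server would take as the header name."""
    if not client_filter(name):
        return {"sent": False, "server_name": None}
    line = build_header_line(name, value)
    return {"sent": True, "server_name": server_parse_header_name(line)}


if __name__ == "__main__":
    for flt in (naive_filter, strict_filter):
        for hdr in ("Expect", "Expect:FooBar", "X-Custom"):
            print(flt.__name__, repr(hdr), evaluate(hdr, MARKER, flt))
```

With the naive filter, "Expect:FooBar" is allowed through and the server sees a header named "Expect", which is exactly the bypass described above; the token-based filter rejects it before it is ever serialized. The general lesson is that header names need a positive grammar check, not a denylist compared against the raw string.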

Update: Amit alerted me to one of the old papers on Flash header injection. The paper came out a year ago. While I don’t think this is exactly the same, since this post is talking about the Expect vuln, it is worth mentioning because it’s solved in almost an identical way.

4 Responses to “More Expect Exploitation In Flash”

  1. fukami Says:

    Actually the technique of using addRequestHeader this way is not new. Martin Johns told me about it a while ago (see https://www.flashsec.org/wiki/Arbitrary_HTTP_Requests and slides from 0sec, page 61: https://www.flashsec.org/mediawiki/images/b/b3/0sec-FlashSec.pdf).

  2. Awesome AnDrEw Says:

    Thank you. I realized that Flash had fixed the original Expect header vulnerability in the latest versions, and so the only way I’ve been able to reproduce it as of late was to physically include it with my own requests, which of course would be of no use when it came to injecting it into the requests of others. I was hoping someone would figure out a way to revive it.

  3. Sid Says:

    Certainly a nice find, people really should upgrade their Apache installations faster.

  4. hackathology Says:

    I think securityfocus had fixed it