Summary

Netsparker detected an insecure JSONP endpoint which is susceptible to attacks such as Rosetta Flash.

Impact

Rosetta Flash is an exploitation technique that allows an attacker to exploit servers with a vulnerable JSONP endpoint by causing Adobe Flash Player to believe that an attacker-specified Flash file originated on the vulnerable server.

Flash Player implements a same-origin policy that allows an SWF to make requests (with cookies) to, and receive responses from, the domain that hosts it. The attacker-controlled Flash file can then send the retrieved responses back to the attacker.

This is a cross-origin exploit with an impact similar to embedding an arbitrary Flash file in the vulnerable domain. The exploit uses an ActionScript payload compiled to an SWF file composed entirely of alphanumeric characters, crafted through careful use of certain encoding algorithms. The resulting alphanumeric-only SWF file is then used as the callback parameter of a JSONP call.

Remediation
  • Make endpoints return the HTTP header Content-Disposition with filename attribute, forcing a file download.
    Content-Disposition: attachment; filename=f.txt
  • To also be protected from content sniffing attacks, prepend the reflected callback with /**/.
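As an added example (not Netsparker's code), a Python JSONP handler that applies both remediation items above, plus an audit helper that checks an existing endpoint's reply for the same controls. The callback allowlist, its length limit and the X-Content-Type-Options header are assumptions that go beyond the advisory's two items.

```python
import json
import re

# Only plain (optionally dotted) JavaScript identifiers are accepted as callback
# names. Note that this allowlist alone does NOT stop Rosetta Flash: the crafted
# SWF is itself purely alphanumeric, so it passes such a filter. The /**/ prefix
# and the Content-Disposition header below are the controls that matter.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64  # assumed limit; legitimate callback names are short


def jsonp_response(callback, data):
    """Return (status, headers, body) for a hardened JSONP reply."""
    if not callback or len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    # Prefixing the reflected callback keeps the reply from starting with an SWF signature.
    body = "/**/" + callback + "(" + json.dumps(data) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Forces a download, so Flash Player will not load the reply as an SWF.
        "Content-Disposition": "attachment; filename=f.txt",
        # Assumed extra: not in the advisory's list, but also stops browser MIME sniffing.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def audit_jsonp_response(headers, body):
    """Check a captured JSONP reply and list the Rosetta Flash controls it lacks."""
    findings = []
    disposition = headers.get("Content-Disposition", "").lower()
    if "attachment" not in disposition or "filename=" not in disposition:
        findings.append("missing Content-Disposition: attachment; filename=...")
    if not body.startswith("/**/"):
        findings.append("reflected callback is not prefixed with /**/")
    # A reply whose first bytes are an SWF signature (FWS, CWS or ZWS) is the Rosetta Flash case.
    if body[:3] in ("FWS", "CWS", "ZWS"):
        findings.append("body starts with an SWF file signature")
    return findings
```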
Classifications
WASC-15, OWASP 2013-A5, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N