ERRATA (Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash")

["Amit Klein (AKsecurity)" <aksecurity () hotpop com>]

Hi

A reader going by the nickname "xeek" pointed out to me that 
the examples in the paper making use of the HTTP GET request
do not work as-is (thanks xeek!). After looking at the matter,
I realized that I made a silly mistake. In my research, I
toyed with the LoadVars.send() method with 2 arguments 
(url and target window), and had Flash automatically 
select the appropriate methd (GET if empty body, POST if
non-empty body). The exploit works fine this way. When I 
documented my findings, I decided to explicitly add the HTTP
method, to clarify the write-up. BIG mistake - turns out
that in such case, Flash doesn't send the headers if GET is
used (sounds like a bug...). And pity I didn't verify the exact
code I used in the write-up...

Anyway, to summarize - there's a mistake in the document, 
and it's easily fixed. In each GET example, simply remove
the explicit method (i.e. delete all instances of ,"GET" in
the write-up). For example (the first example in the paper):

[...]
req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2";,
         "_blank");

This works as advertised, and as also verified by xeek.

Thanks, and sorry for the mistake,
-Amit



















-------------------------------------------------------------------------
Sponsored by: Watchfire

AppScan 6.5 is now available! New features for Web Services Testing, 
Advanced Automated Capabilities for Penetration Testers, PCI Compliance 
Reporting, Token Analysis, Authentication testing, Automated JavaScript 
execution and much more. 
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc
-------------------------------------------------------------------------