Web application security - the fast guide 1.1 | Page 90
Chapter 5 - Attack Execution the client
5.4 Flash Cookies (LSO)
Figure 31: Flash cookie attack process (the five numbered steps of the figure, client on the left, server on the right)
1. The client sends a request to the server to get App.swf.
2. The server responds, sending App.swf.
3. App.swf writes its LSO file on the client machine.
4. The attacker alters the LSO file written by App.swf, since he has access to the machine.
5. App.swf sends a request to the server with the altered parameters.
Flash uses what are called Flash cookies, or Local Shared Objects (LSOs), for client-side storage. An LSO is not a text file but a small binary file, serialised with AMF, that Flash Player stores under the user's profile with a .sol extension. Like an HTTP cookie or any other client-side store, it is entirely under the user's control: whoever can read and write that file can change the data the Flash object reads back, and with it the behaviour of the Flash object.
Attack requirements:
A. The attacker can read and write the LSO file (anyone with access to the user's profile on the machine can; Flash Player does not protect it).
B. The server does not validate the data that the Flash object reads back from the LSO and sends in its requests.
Attack process:
A. Locate the LSO file on the client.
B. Use an LSO editor to change a value that the server does not validate and that may grant higher privileges (a role flag, a price, a discount rate).
Example:
This example lets the attacker obtain a higher discount rate on a purchase made through a Flash object.
A. Locate the LSO file (Flash Player keeps them under the #SharedObjects directory in the user's profile).
B. Use an LSO editor to change the stored discount value.
C. As soon as the Flash object reloads its local storage from the LSO file, it sends the new discount rate to the server, which applies it if no server-side validation is done.
Figure 32:Sol Edit tool
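The following Python script is an added example, not code from the guide or from any Flash tooling. It reproduces the attack process and the discount example above end to end: it builds a .sol file, rewrites the stored discount the way an LSO editor would, reloads it, and then submits the value to two hypothetical checkout handlers, one that trusts the client-supplied discount and one that ignores it and uses the server's own record. The .sol layout (0x00BF magic, length, "TCSO", fixed header bytes, object name, AMF0 name/value pairs each followed by a trailer byte) is the standard file structure; only the AMF0 types the demo needs are implemented. The object name, keys, prices and customer records are constructed for the example.

```python
import struct

# Added example: a minimal encoder/decoder for Flash Local Shared Object (.sol)
# files, enough to reproduce the LSO-editing attack and to show the server-side
# check that defeats it. Not a Flash or vendor library; only the AMF0 value
# types the demo needs (number, boolean, string) are implemented.

SOL_MAGIC = b"\x00\xbf"   # first two bytes of every .sol file
SOL_SIG = b"TCSO"         # signature following the 4-byte length field


def _amf0_encode(value):
    """Serialise one value as AMF0 (type marker + payload)."""
    if isinstance(value, bool):                  # bool must be tested before int
        return b"\x01" + (b"\x01" if value else b"\x00")
    if isinstance(value, (int, float)):          # AMF0 number is a big-endian IEEE double
        return b"\x00" + struct.pack(">d", float(value))
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b"\x02" + struct.pack(">H", len(raw)) + raw
    raise TypeError("unsupported value type %r" % type(value))


def _amf0_decode(buf, pos):
    """Parse one AMF0 value at buf[pos]; return (value, next position)."""
    marker = buf[pos]
    if marker == 0x00:
        return struct.unpack(">d", buf[pos + 1:pos + 9])[0], pos + 9
    if marker == 0x01:
        return buf[pos + 1] != 0, pos + 2
    if marker == 0x02:
        n = struct.unpack(">H", buf[pos + 1:pos + 3])[0]
        return buf[pos + 3:pos + 3 + n].decode("utf-8"), pos + 3 + n
    raise ValueError("unsupported AMF0 type marker 0x%02x" % marker)


def encode_sol(name, values):
    """Build a .sol file holding the given name/value pairs (AMF0 encoding)."""
    raw_name = name.encode("utf-8")
    body = b"\x00\x04\x00\x00\x00\x00"                      # fixed header bytes
    body += struct.pack(">H", len(raw_name)) + raw_name
    body += b"\x00\x00\x00\x00"                             # encoding marker: 0 = AMF0, 3 = AMF3
    for key, value in values.items():
        raw_key = key.encode("utf-8")
        body += struct.pack(">H", len(raw_key)) + raw_key
        body += _amf0_encode(value) + b"\x00"               # one trailer byte per entry
    payload = SOL_SIG + body
    return SOL_MAGIC + struct.pack(">I", len(payload)) + payload


def decode_sol(data):
    """Parse a .sol file; return (object name, dict of stored values)."""
    if data[:2] != SOL_MAGIC or data[6:10] != SOL_SIG:
        raise ValueError("not a .sol file")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field does not match file size")
    pos = 16                                                # past magic, length, TCSO, 6 fixed bytes
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    name = data[pos + 2:pos + 2 + n].decode("utf-8")
    pos += 2 + n + 4                                        # skip name and encoding marker
    values = {}
    while pos < len(data):
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        key = data[pos + 2:pos + 2 + n].decode("utf-8")
        value, pos = _amf0_decode(data, pos + 2 + n)
        pos += 1                                            # trailer byte
        values[key] = value
    return name, values


def tamper(sol_bytes, key, new_value):
    """What an LSO editor does: rewrite one stored value and re-serialise the file."""
    name, values = decode_sol(sol_bytes)
    values[key] = new_value
    return encode_sol(name, values)


# Constructed server-side records for a hypothetical shop.
CATALOGUE_PRICE = {"SKU-100": 100.0}      # price per SKU
CUSTOMER_DISCOUNT = {"cust-42": 5.0}      # percent discount the server actually granted


def vulnerable_checkout(request):
    """Trusts the discount the Flash object sends (read straight from its LSO)."""
    price = CATALOGUE_PRICE[request["sku"]]
    return round(price * (1 - float(request["discount"]) / 100), 2)


def hardened_checkout(request):
    """Ignores the client-supplied discount and uses the server's own record."""
    price = CATALOGUE_PRICE[request["sku"]]
    discount = CUSTOMER_DISCOUNT.get(request["customer"], 0.0)
    return round(price * (1 - discount / 100), 2)


def demo():
    """Run the attack end to end; returns (vulnerable total, hardened total)."""
    original = encode_sol("App", {"customer": "cust-42", "discount": 5.0, "premium": False})
    altered = tamper(original, "discount", 90.0)            # step B: edit the LSO
    _, stored = decode_sol(altered)                         # step C: App.swf reloads it
    request = {"sku": "SKU-100", "customer": stored["customer"],
               "discount": stored["discount"]}
    return vulnerable_checkout(request), hardened_checkout(request)


if __name__ == "__main__":
    print(demo())   # (10.0, 95.0): only the vulnerable handler honours the edited 90% discount
```

The point of the hardened handler is that the discount never comes from the client at all; a server that merely range-checks a client-supplied value still lets the attacker pick any value inside the range. If the value must be echoed by the client for some reason, compare it against the server-side record and treat a mismatch as a tampering signal worth logging.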