Biting the Hand That Serves You: A Closer Look at Client-Side Flash Proxies for Cross-Domain Requests

  • Martin Johns
  • Sebastian Lekies
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)


Client-side Flash proxies provide an interface for JavaScript applications to utilize Flash’s cross-domain HTTP capabilities. However, the subtle differences in the respective implementations of the same-origin policy and the insufficient security architecture of the JavaScript-to-Flash interface lead to potential security problems. We comprehensively explore these problems and conduct a survey of five existing proxy implementation. Furthermore, we propose techniques to avoid the identified security pitfalls and to overcome the untrustworthy interface between the two technologies.


Cascade Style Sheet Attack Vector Adobe Flash Rich Internet Application Cache Poisoning Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adobe Coperation. Adobe flash,
  2. 2.
    Adobe Systems Inc. Cross-domain policy file specification (January 2010),
  3. 3.
    Adobe Systems Incorporated. flash.external ExternalInterface . ActionScript 3.0 Reference for the Adobe Flash Platform (December 2010), (accessed in January 2011)
  4. 4.
    Adobe Systems Incorporated. flash.system Security. ActionScript 3.0 Reference for the Adobe Flash Platform (December 2010), (accessed in January 2011)
  5. 5.
    Alcorn, W., et al.: Browser Exploitation Framework BeEF (2011) software, (accessed in January 2011)
  6. 6.
    Barth, A., Jackson, C., Mitchel, J.C.: Securing Frame Communication in Browsers. In: USENIX Security, pp. 17–30 (2008)Google Scholar
  7. 7.
    Burns, J.: Cross Site Request Forgery - An introduction to a common web application weakness. Whitepaper (2005),
  8. 8.
    Couvreur, J.: FlashXMLHttpRequest: cross-domain requests (2007) software, (accessed in January 2011)
  9. 9.
    IanHickson, I. (ed.).: HTML - Living Standard. WHATWG working draft (2010),
  10. 10.
    Esser, S.: Poking new holes with Flash Crossdomain Policy Files (October 2006), (accessed in January 2011)
  11. 11.
    Google inc. Google Gadgets API: Working with Remote Content, (accessed in January 2011)
  12. 12.
    Grossman, J.: Crossdomain.xml Invites Cross-site Mayhem (May 2008), (accessed in January 2011)
  13. 13.
    Grossman, J.: I used to know what you watched, on YouTube (September 2008), (accessed in January 2011)
  14. 14.
    Heyes, G., Nava, E.V., Lindsay, D.: CSS: The Sexy Assassin. In: Talk at the Microsoft Blue Hat conference (October 2008),
  15. 15.
    Hickson, I.: The Web Sockets API. W3C Working Draft WD-websockets-20091222 (December 2009),
  16. 16.
    Huang, L.-S., Chen, E.Y., Barth, A., Rescorla, E., Jackson, C.: Transparent Proxies: Threat or Menace? Whitepaper (2010),
  17. 17.
    Jackson, C., Barth, A., Bortz, A., Shao, W., Boneh, D.: Protecting Browsers from DNS Rebinding Attack. In: Proceedings of the 14th ACM Conference on Computer and Communication Security, CCS 2007 (October 2007)Google Scholar
  18. 18.
    Kamkar, S.: Technical explanation of the MySpace worm (October 2005), (accessed in January 2011)
  19. 19.
    Kanatoko. Anti-DNS Pinning + Socket in Flash (January 19, 2007),
  20. 20.
    Klein, A.: Forging HTTP Request Headers with Flash ActionScript. Whitepaper (July 2006),
  21. 21.
    Livshits, B., Cui, W.: Spectator: Detection and Containment of JavaScript Worms. In: Usenix Annual Technical Conference (June 2008)Google Scholar
  22. 22.
    Magazinius, J., Phung, P.H., Sands, D.: Safe wrappers and sane policies for self protecting JavaScript. In: Aura, T. (ed.) The 15th Nordic Conference in Secure IT Systems. LNCS, Springer, Heidelberg (October 2010); (Selected papers from AppSec 2010)Google Scholar
  23. 23.
    Oftedal, E.: Malicious rich internet application (malaria) (April 2010) software, (accessed in January 2011)
  24. 24.
    Reitman, B.: CrossXHR - a Cross-Domain XmlHttpRequest drop-in-replacement (Feburary 2010) software, (accessed in January 2011)
  25. 25.
    Rios, B.: Cross Domain Hole Caused By Google Docs (2007), (accessed in January 2011)
  26. 26.
    Ruderman, J.: The Same Origin Policy (August 2001), (October 1, 2006)
  27. 27.
    Shiflett, C.: Cross-Domain Ajax Insecurity (August 2006), (accessed in January 2011)
  28. 28.
    Shiflett, C.: The Dangers of Cross-Domain Ajax with Flash (September 2006), (accessed in January 2011)
  29. 29.
    Simpson, K.: (new) Adobe Flash Player security hole found, flXHRs response (August 2008), (accessed in January 2011)
  30. 30.
    Simpson, K.: flXHR - Cross-Domain Ajax with Flash (2010) software, (accessed in January 2011)
  31. 31.
    van Kesteren, A.: The XMLHttpRequest Object. W3C Working Draft (April 2008),
  32. 32.
    van Kesteren, A.(ed.).: Cross-Origin Resource Sharing. W3C Working Draft, Version WD-cors-20100727 (July 2010),
  33. 33.
    Web Hypertext Application Technology Working Groug (WHATWG). Welcome to the WHATWG community (2011), (accessed in January 2011)
  34. 34.
    Wilson, J.R.: SWFHttpRequest Flash/Ajax Utility (December 2007) software, (accessed in January 2011)
  35. 35.
    Zalewski, M.: Browser Security Handbook. Whitepaper, Google Inc. (2008), (January 13, 2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Martin Johns
    • 1
  • Sebastian Lekies
    • 1
  1. 1.SAP Research KarlsruheGermany

Personalised recommendations