Jan 14, 2008

New XSS Attack Vector

David pointed out a new attack vector that would allow malicious users to inject cross-site scripting into web applications via the Flash content embedded in them. The vulnerability itself is described as poor input validation in the asfunction handler of the produced SWF. Intended for developers to call internal Flash functions via the URL, this handler may also allow attackers to call JavaScript as part of the Flash call.

There are a couple of things I would like to try and understand better:

  • Is JavaScript that is executed in Flash compartmentalized from JavaScript that is executed in the browser itself?

  • Which JavaScript functionality can be executed through the asfunction handler? Are there limitations to the calls that can be made?

With Flash being so common in web applications, problems like this are really interesting to dissect, academically exploit, and mitigate. It seems like investing some effort into decompressing, modifying, and compressing SWFs won't be time wasted. :)
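As an added example (not from the original post or any Flash tooling), here is a small defensive triage script for the decompress-and-inspect step mentioned above: it unpacks a CWS (zlib-compressed) or FWS SWF and lists every embedded string that carries an `asfunction:` or `javascript:` marker, so an application owner can review which Flash links hand the handler a script URL. The SWF sample, the `_root.openLink` function name and the `make_sample_swf` helper are constructed for the demonstration.

```python
import struct
import zlib

# Strings worth a reviewer's attention: asfunction: is the handler discussed
# in the post, javascript: is the URL scheme it can end up invoking.
SUSPECT_MARKERS = (b"asfunction:", b"javascript:")

def decompress_swf(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header.
    FWS = uncompressed body, CWS = zlib-compressed body (header stays plain)."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError(f"unknown SWF signature {sig!r}")

def find_markers(body: bytes):
    """Return sorted (offset, marker, context) tuples for every marker hit."""
    hits = []
    lower = body.lower()  # markers are matched case-insensitively
    for marker in SUSPECT_MARKERS:
        start = 0
        while (idx := lower.find(marker, start)) >= 0:
            # SWF strings are NUL-terminated: keep the hit up to the terminator
            ctx = body[idx:idx + 60].split(b"\x00", 1)[0]
            hits.append((idx, marker.decode(), ctx.decode("latin-1")))
            start = idx + len(marker)
    return sorted(hits)

def scan_swf(data: bytes):
    return find_markers(decompress_swf(data))

def make_sample_swf(body: bytes, compressed: bool = True) -> bytes:
    """Build a constructed, SWF-shaped blob for testing (not a playable movie)."""
    payload = zlib.compress(body) if compressed else body
    sig = b"CWS" if compressed else b"FWS"
    # header: 3-byte signature, version byte, uncompressed length (little-endian)
    return sig + bytes([9]) + struct.pack("<I", 8 + len(body)) + payload

# Constructed sample body: one ordinary asfunction link and one that passes a
# javascript: URL to a hypothetical handler function, each NUL-terminated.
SAMPLE_BODY = (b"\x00asfunction:showPanel,about\x00" + b"\x00" * 4
               + b"asfunction:_root.openLink,javascript:void(0)\x00")

if __name__ == "__main__":
    for off, marker, ctx in scan_swf(make_sample_swf(SAMPLE_BODY)):
        print(f"offset {off}: {marker} -> {ctx}")
```

A hit on `javascript:` is the one to chase first; a bare `asfunction:` link to an internal function is normal Flash usage and only needs a look at where its argument comes from.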
