Comments on: Flash XSS Protection For Users

By: TikaL

TikaL — Fri, 08 Feb 2008 11:56:01 +0000

@Giorgio:

Thanks for the clarification.

By: Giorgio

Giorgio — Wed, 06 Feb 2008 14:02:07 +0000

@TikaL:
Flash XSS can do anything a “traditional” JavaScript XSS can do, from credential theft to session riding (impersonating yourself across the current session) to complex CSRF despite anti-CSRF protections which may be implemented on the target web site.

By: TikaL

TikaL — Tue, 05 Feb 2008 10:50:55 +0000

I wanted to know what kind of damage can be done by this type of intrusion? I use Flash on almost a daily basis. i Might not be keeping up with what can be done… but this is interesting to me.

Thanks,

TikaL

By: Giorgio

Giorgio — Sat, 12 Jan 2008 06:21:27 +0000

@Mobile:
You just need to click on the placeholder for the document — after all, you’re most likely going to click on the document itself anyway, e.g. for scrolling it.

However, an exception list for the Forbid Other Plugins options (which, if checked, is currently catching PDFs too) is definitely coming in a future release.

By: Mobile

Mobile — Fri, 11 Jan 2008 20:59:44 +0000

I’m an avid user of Noscript, the program designed for firefox.

Well, since some Noscript updates that were installed, I noticed that embedded Adobe pdf files were disabled by default. Browsing through the Nosctipt options, I saw that Adobe flash extensions were untrusted.

As a student, using the internet as a source of information is very necessary and i encounter adobe pdf files very often. So, may I request that Noscript has a seperate choice for adobe pdfs in some future updates? cause it would be great for me, and I will not have to click “allow” all the time. I’m also sure that there are many users out there that will share my inconvenience.

Thank you for listening to some irritating person,

Yours.