此类漏洞也是程序员很少注意的问题。

Flash的XSS也是很早就有人关注了，OWASP里还专门有一个扫Flash XSS的工具，叫做swfintruder

最近有人也报了一个常见的flash xss，利用 _root.clickTAG 这个变量

一般是出在 getURL() 函数里。发现者说(google搜出来的)：Recently, 12th of November 2008, I found XSS vulnerabilities in 215000 flash files.

原文引用如下：

XSS:

Vulnerability in the next AS code:

getURL(_root.clickTAG, "_blank");

Attack occurs via passing of XSS code to flash file in parameter clickTAG:

('XSS')

After click on flash the transfer to function occurs of getURL string, which passed to flash via parameter clickTAG. Thus can be executed JS code, which was passed to flash.

At

('XSS')

Note, that flashes with target = “_blank” (in getURL) not allow to get to cookies. And they also not work in IE6. If target set to not “_blank” (or not set at all), then flashes give possibility to get to cookies in all browsers (and they work in IE6).


相关参考链接：
http://www.webappsec.org/lists/websecurity/archive/2008-11/msg00110.html


http://websecurity.com.ua/2609/