Looking for resources to explain a security risk [closed]
We don't allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
I've a developer which has given users the ability to download a zip archive which contains an HTML document which references a relative JavaScript file and Flash document. The Flash document accepts as one of its parameters a URL which is embedded in the HTML document. I believe that this archive is meant to be used as a means to transfer an advertisement to someone who would use the source to display the ad on their site; however, the end user appears to want to view it locally.
When one opens the html document the flash document is presented and when the user clicks on the flash document it redirects to this embedded url. However, if one extracts the archive on the desktop and opens the html document in a browser and clicks the flash object, nothing observable happens, they will not be redirected to the external url.
I believe this is a security risk because one is transferring from the local computer zone to an external zone.
I'm trying to determine the best way to explain this security risk in the simplest of terms to a very end user. They simply believe it's "broken" when it's not broken; they're being protected from a known vulnerability.
The developer attempted to explain how to copy the files to a local IIS instance, which I highly doubt is running on the user's machine, and I do not consider this to be a viable explanation.
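The following is an added example, not code from the original question or from the developer's archive. It shows one way the wrapper HTML in the zip could tell the user why the click-through does nothing when the page is opened straight from the extracted folder (`window.location.protocol === "file:"`), instead of leaving the ad to fail silently. The variable name `adClickUrl`, its sample value and the wording of the message are assumptions for illustration; the behaviour it explains is the one reported in the question.

```javascript
// Added example (not from the original post): detect whether the ad preview page
// was loaded from the local file system and, if so, show the user a plain
// explanation rather than a silently dead Flash click-through.

// True when the page was opened from a local folder (file:) rather than a web server.
function isLocalFileOrigin(protocol) {
  return String(protocol).toLowerCase() === "file:";
}

// Returns the explanation to display, or null when the page is served over
// http/https and the click-through is expected to work normally.
function localZoneMessage(protocol, adClickUrl) {
  if (!isLocalFileOrigin(protocol)) {
    return null;
  }
  return (
    "This preview was opened directly from a folder on your computer. " +
    "In that mode the browser runs the advertisement with restricted permissions " +
    "and blocks it from sending you to an external website, so clicking it does " +
    "nothing here. Nothing is broken: once the same files are placed on a web " +
    "server, clicking the advertisement will open " + adClickUrl + "."
  );
}

// Browser-only wiring; skipped when this file runs outside a browser (e.g. Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  // Assumed: the same URL the HTML passes to the SWF as its click-through parameter.
  var adClickUrl = "http://www.example.com/landing";
  var message = localZoneMessage(window.location.protocol, adClickUrl);
  if (message !== null) {
    var notice = document.createElement("p");
    notice.textContent = message;
    document.body.appendChild(notice);
  }
}
```

Because the check runs in the same HTML page the user already double-clicks, it needs no local web server and no change to the Flash file; the message only appears in the `file:` case, so the published ad is unaffected.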
I don't think this is an issue. Being able to go in the opposite direction, that is execute script originating from a Remote zone to the local zone is called "Cross Zone Scripting". In fact the most recent 0-day against IE uses cross zone scripting to get remote code execution.
If you look at the restrictions for Adobe AIR you can see that it's less restrictive than the Same Origin Policy when it comes to accessing remote resources. I can not think of a scenario in which this would be valuable to an attacker. Especially when comparing to other locally run code, such as an executable written in C++.
Would this be useful? It seems to imply that when it blocks local content, the user gets a notification as such, but it sounds like it's just failing silently.