CyberCode Academy

Course 38 - Web Security Known Web Attacks | Episode 5: SOP Fundamentals and SOME Attack Exploitation via Flash Callbacks


Listen Later

In this lesson, you’ll learn about: Same Origin Policy (SOP), its controlled exceptions, and how attackers exploit it using SOME via Flash callbacks1. What is the Same Origin Policy (SOP)🔹 Definition:
  • A core browser security rule that restricts how documents interact
🔹 Enforced in:
  • Web Browsers
🔹 Rule:
Two URLs can interact only if all match:
  • Protocol (HTTP / HTTPS)
  • Host (domain)
  • Port
👉 Key Insight
SOP prevents unauthorized access between different websites2. Why SOP Exists🔹 Purpose:
  • Protect user data (cookies, sessions, DOM)
🔹 Without SOP:
  • Any site could read or modify another site
👉 Key Insight
SOP is the foundation of web security isolation3. Soft Exclusions to SOP🔹 Allowed interactions:
  • embedding
  • postMessage API
🔹 Why they exist:
  • Enable cross-origin communication safely
👉 Key Insight
SOP is strict—but not absolute4. Introducing SOME (Same Origin Method Execution)🔹 Definition:
  • A technique to execute methods across windows using references
🔹 Related concept:
  • Reverse clickjacking
👉 Key Insight
SOME doesn’t break SOP—it works around it5. Role of Flash in SOME Attacks🔹 Technology involved:
  • Adobe Flash Player
🔹 Bridge:
  • ActionScript ↔ JavaScript
🔹 Key function:
  • ExternalInterface.call()
👉 Key Insight
Flash acts as a bridge to execute JS indirectly6. How Flash Callbacks Become Vulnerable🔹 Weakness:
  • Accept user-controlled input
🔹 Restrictions:
  • Often limited to:
    • Letters (a–z, A–Z)
    • Numbers (0–9)
    • Dot (.)
🔹 Still dangerous because:
  • Can call existing JS functions
👉 Key Insight
Limited input ≠ safe input7. SOME Attack Lifecycle🔹 Step-by-step:
  1. Victim visits attacker page
  2. Malicious page opens new tab
  3. Uses window.opener reference
  4. Parent tab redirected to target site
  5. Payload executes via callback
👉 Key Insight
Attack uses tab relationships + timing8. DOM Manipulation via SOME🔹 Target:
  • Document Object Model (DOM)
🔹 What attacker can do:
  • Trigger clicks
  • Submit forms
  • Change UI state
👉 Key Insight
User actions are simulated without consent9. Real-World Example: WordPress Exploit🔹 Platform:
  • WordPress
🔹 Vulnerability:
  • Flash file (video-js.swf) with weak callback
🔹 Attack outcome:
  • Plugin activated automatically
👉 Key Insight
Even mature platforms can have legacy weak points10. Bypassing Filters🔹 Challenge:
  • Only alphanumeric + dot allowed
🔹 Solution:
  • Call existing functions like:
    • window.opener.someFunction
👉 Key Insight
Attackers reuse existing trusted functions11. Chaining Actions🔹 Advanced technique:
  • Open multiple tabs
🔹 Result:
  • Simulate complex workflows:
    • Activate plugin
    • Delete files
    • Change settings
👉 Key Insight
Simple actions can be chained into full compromise12. Why SOME is Powerful🔹 Works when:
  • XSS is blocked
  • CSRF is mitigated
🔹 Because:
  • Uses legitimate browser behavior
👉 Key Insight
Security controls can be bypassed via unexpected paths13. How to Prevent SOME Attacks🔹 Remove legacy risks:
  • Disable Flash completely
🔹 Secure callbacks:
  • Validate inputs strictly
  • Avoid dynamic execution
🔹 Protect windows:
  • Use rel="noopener noreferrer"
👉 Key Insight
Modern security = eliminate legacy + validate everything14. Big PictureYou are learning:👉 How SOP protects—but also limits
👉 How attackers abuse allowed behaviors
👉 Why legacy tech (Flash) is dangerousMental ModelSOP restriction → allowed exceptions → weak callback → window reference → method execution → silent attack

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
...more
View all episodesView all episodes
Download on the App Store

CyberCode AcademyBy CyberCode Academy