OWASP 1 Flash Parameter Injection. The OWASP Foundation, 25/09/2008. Ayal Yogev, Adi Sharabani, IBM Rational Application Security.

Presentation transcript:

OWASP 1 Flash Parameter Injection. The OWASP Foundation, 25/09/2008. Ayal Yogev, Adi Sharabani, IBM Rational Application Security, {ayal, adish}

OWASP 2 Agenda
- Flash 101
- Flash Security
- The Problem
- Flash Parameter Injection
- Real Example
- Testing

OWASP 3 Flash 101

OWASP 4 Background
- Introduced in 1996
- Adds animation and interactivity to Web pages
- Contains a scripting language: ActionScript
- Very popular: installed on over 99% of PCs
- Advanced technologies:
  - Flex
  - Adobe AIR

OWASP 5 Accessing Flash movies
- Can be embedded in HTML pages
[Diagram "My Flash Movie": Host (Browser) containing Flash Player containing Flash Movie (SWF)]

OWASP 6 Accessing Flash movies
- Can be embedded in HTML pages
- Can be accessed directly
  - A "dummy" HTML page may be created (browser dependent)
  - DOM access according to policy
  - Example (Firefox):

    <embed width="100%" height="100%" name="plugin" src="[URL missing from transcript]" type="application/x-shockwave-flash"/>

OWASP 7 Global Flash Variables
- ActionScript supports global variables
- Global variables can be assigned from outside the movie
- Common use:

    if (_root.myparam == undefined) {
        _root.myparam = "my default value";
    }

OWASP 8 Global Flash Variables
- ActionScript supports global variables
- Global variables can be assigned from outside the movie
- Assigning global variables as parameters:
  - Direct reference: movie.swf?a=5&b=hello
  - Embedded URI:

    <object type="application/x-shockwave-flash" data="[URL missing from transcript]" width="600" height="345">

  - Flash attributes

OWASP 9 Global Flash Variables
- ActionScript supports global variables
- Global variables can be assigned from outside the movie
- Assigning global variables as parameters:
  - Direct reference
  - Embedded URI:

    <object type="application/x-shockwave-flash" data="movie.swf?a=5&b=hello" width="600" height="345">

  - Flash attributes:

    <object type="application/x-shockwave-flash" data="movie.swf" flashvars="a=5&b=hello">

OWASP 10 Flash Security

OWASP 11 Previous Research
- Bypassing JavaScript Filters: the Flash! Attack. Eye on Security, August 2002
- Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach. Scan Security Wire, April 2003
- Testing Flash Applications. Stefano Di Paola, May 2007
- Finding Vulnerabilities in Flash Applications. Stefano Di Paola, November 2007

OWASP 12 Controlling global Flash variables can result in...
- Cross-Site Flashing
- Cross-Site Scripting through Flash
- Phishing
- Flow manipulation
- ...

OWASP 13 Cross-Site Flashing
- A vulnerable movie is tricked into loading a malicious movie
- The malicious movie gets access to the same sandbox
- Can be achieved using methods like loadMovie*:

    if (_root.movieURI == undefined) {
        _root.movieURI = "[URL missing from transcript]";
    }
    loadMovieNum(_root.movieURI, 1);

[Diagram "Attack Vector": Flash Player running the Flash Movie, which loads a second Flash Player instance running the Malicious Flash]

OWASP 14 Cross-Site Scripting through Flash
- Classic XSS using a vulnerable Flash file
- Can be triggered by the use of global Flash variables in:
  - getURL, using payload javascript:alert('XSS')
  - Load* functions, using payload asfunction:getURL,javascript:alert('XSS')
  - TextField.htmlText, using an HTML payload [markup not preserved in transcript]
  - ...

OWASP 15 Cross-Site Scripting through Flash (Example)
- Consider movie.swf containing the code:

    if (_root.url == undefined) {
        _root.url = "[URL missing from transcript]";
    }
    getURL(_root.url);
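The movie above hands _root.url straight to getURL, which is why the javascript: and asfunction: payloads listed on slide 14 work. The following is an added example, not code from the slides or from IBM: a JavaScript allowlist check for such a navigation parameter, written the way the slide's defaulting logic would look if it also validated the value before the sink. DEFAULT_URL, the host names and the sample inputs are constructed for this example; the first two payloads are the ones slide 14 names.

```javascript
// Added example, not from the OWASP slides: allowlist validation for a
// URL that an externally controllable global variable (the slide's
// _root.url) would otherwise hand straight to getURL. Only absolute
// http(s) URLs with a plain host pass; javascript:, asfunction:, data:,
// scheme-relative and whitespace-obfuscated values are rejected.
// DEFAULT_URL and the sample inputs are constructed for this example.

const DEFAULT_URL = "https://example.invalid/default.html"; // constructed placeholder

// Returns true only for strings of the form http(s)://host[/...], where the
// host contains no '@' (no userinfo tricks) and the whole value contains no
// ASCII control or whitespace characters (what lets "java\tscript:" and
// " javascript:" slip past naive prefix checks). Validating the raw value,
// rather than a normalized copy, guarantees the sink receives exactly what
// was checked.
function isSafeNavigationUrl(value) {
  if (typeof value !== "string") return false;
  if (/[\u0000-\u0020\u007f]/.test(value)) return false;
  return /^https?:\/\/[^\/?#@]+(?:[\/?#]|$)/i.test(value);
}

// The slide-15 defaulting logic with validation folded in: an undefined or
// unsafe value falls back to DEFAULT_URL instead of reaching the sink.
function resolveUrlParameter(rootUrl) {
  return isSafeNavigationUrl(rootUrl) ? rootUrl : DEFAULT_URL;
}

// Constructed inputs; the first two payloads are the ones slide 14 names.
const SAMPLES = [
  "javascript:alert('XSS')",
  "asfunction:getURL,javascript:alert('XSS')",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "//other.invalid/movie.swf",
  "https://trusted.example@other.invalid/",
  "https://example.org/page?x=1",
  undefined,
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", resolveUrlParameter(s));
}
```

A host allowlist on top of the scheme check is the stricter option where the set of legitimate targets is known; the scheme check alone is what stops every payload class the slides describe.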

OWASP 16-18 Normal Usage (screenshots)

OWASP 19 Cross-Site Scripting through Flash (Example)
- Attack vector: [not preserved in transcript]

    if (_root.url == undefined) {
        _root.url = "[URL missing from transcript]";
    }
    getURL(_root.url);

OWASP 20-22 Cross-Site Scripting through Flash (Example) (screenshots)

OWASP 23 The Problem

OWASP 24 The Missing Link
- Flash cannot always load without the original HTML
- Flash movies may rely on parts of the DOM to execute
  - Use JavaScript variables and methods
  - Use HTML DOM elements
- Direct access to Flash may be restricted due to security
[Diagram: Host (Browser) containing Flash Player containing Flash Movie (SWF), shown twice]

OWASP 25-29 The Missing Link: Example (screenshots)

OWASP 30 (screenshot)

OWASP 31 Known examples of Flash attacks involve accessing the movie directly

OWASP 32 BUT… Some Flash movies cannot load when accessed directly

OWASP 33 FPI: injecting global variables into Flash in its original HTML environment

OWASP 34 FPI Techniques

OWASP 35 Reflected FPI
- Possible when the location of the Flash movie is retrieved through a URL parameter:

    # Embed the Flash movie
    print '<object type="application/x-shockwave-flash" data="' . $params{movie} . '">';

- Attack example: the movie parameter is set to movie.swf?globalVar=e-v-i-l, so the page embeds

    <object type="application/x-shockwave-flash" data="movie.swf?globalVar=e-v-i-l">

OWASP 36 Reflected FPI (Piggybacking FlashVars)
- Attack possible when global Flash variables are received from HTML parameters without sanitization:

    # Read the 'language' parameter
    my $language = $params{language};
    # Strip double quotes only; '&' is left intact
    $language =~ s/"//g;
    # Embed the Flash movie
    print '<object type="application/x-shockwave-flash" data="movie.swf" flashvars="language=' . $language . '">';

- Attack occurs when the victim is lured to click on a link whose language parameter is:

    English%26globalVar=e-v-i-l

  %26 is decoded to &, so the page embeds:

    <object type="application/x-shockwave-flash" data="movie.swf" flashvars="language=English&globalVar=e-v-i-l">

OWASP 37 FlashVars Injection
- Possible when an attribute of the object tag is received as a parameter:

    # Embed the Flash movie
    # (the parameter name is not shown in the transcript; 'width' is assumed here)
    print "<object type='application/x-shockwave-flash' data='movie.swf' width='$params{width}'>";

- Attack vector: 600%27%20flashvars=%27globalVar=e-v-i-l
- Decoded value: 600' flashvars='globalVar=e-v-i-l, so the page embeds:

    <object type='application/x-shockwave-flash' data='movie.swf' width='600' flashvars='globalVar=e-v-i-l'>

OWASP 38 DOM Based FPI
- document.location is used as a global Flash variable:

    var s = '';
    var loc = encodeURI(document.location);
    s += '<embed src="movie.swf" flashvars="location=' + loc + '">';
    document.write(s);

OWASP 39 DOM Based FPI (continued)
- Attack vector: [not preserved in transcript]
- The global variable is injected into the Flash movie embedded inside the DOM:

    <embed src="movie.swf" flashvars="location=[injected value]">

OWASP 40 DOM Based FPI (continued)
- The JavaScript function encodeURI is not sufficient in this case
  - Can prevent DOM-based XSS but not DOM-based FPI
  - Does not encode all characters (e.g. '&', '?')
  - encodeURIComponent, escape or similar methods must be used
  - Appropriate encoding must be used (depending on context)
- Attack is invisible to IDS and IPS
  - Data following '#' is not sent to the server ('?' also works, but data following it is sent to the server)
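Slides 36 to 40 describe three ways an extra global variable reaches the movie: a percent-encoded & inside a reflected parameter, a quote that breaks out of an attribute, and document.location passed through encodeURI, which leaves & and = alone. The JavaScript below is an added example, not code from the slides, IBM or Adobe: it builds the embed tag the vulnerable way and the encoded way, then parses the result as a browser and the Flash Player would, so the injected globalVar either appears or does not. The tag and flashvars parsers, the page URL with its # fragment, and the assumption that width is the parameter on slide 37 are constructed for this example; parameter names and the e-v-i-l marker are the slides' own.

```javascript
// Added example, not from the OWASP slides: shows how the injection vectors
// on slides 36-39 reach the movie and how correct encoding stops them.
// Parameter names and the "e-v-i-l" marker follow the slides; the parsers,
// the page URL and the width-parameter tag are constructed for the example.

// Parse a flashvars string the way the Flash Player does: split on '&',
// then on the first '=', and percent-decode both halves.
function parseFlashVars(flashvars) {
  const vars = {};
  for (const pair of flashvars.split("&")) {
    if (pair === "") continue;
    const idx = pair.indexOf("=");
    const name = decodeURIComponent(idx < 0 ? pair : pair.slice(0, idx));
    vars[name] = idx < 0 ? "" : decodeURIComponent(pair.slice(idx + 1));
  }
  return vars;
}

// Pull attributes out of one <object>/<embed> tag the way a browser would:
// quoted or unquoted values, first occurrence of an attribute wins.
function parseTagAttributes(tag) {
  const attrs = {};
  const re = /([A-Za-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Browsers decode character references in attribute values before handing
// them to the plugin, so undo the escaping and parse the result.
function flashVarsSeenByMovie(tag) {
  const raw = parseTagAttributes(tag).flashvars || "";
  const decoded = raw.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
  return parseFlashVars(decoded);
}

// Slide 36 as written: the URL-decoded parameter is concatenated into
// flashvars with only double quotes removed.
function vulnerableLanguageEmbed(language) {
  return '<object type="application/x-shockwave-flash" data="movie.swf" ' +
    'flashvars="language=' + language.replace(/"/g, "") + '">';
}

// Slide 37 as written: an attribute value taken straight from a parameter.
function vulnerableWidthEmbed(width) {
  return "<object type='application/x-shockwave-flash' data='movie.swf' " +
    "width='" + width + "'>";
}

// Hardened construction: percent-encode each name and value so '&', '=',
// '#' and quotes cannot act as separators inside flashvars, then
// HTML-escape every attribute value so it cannot close the attribute.
function escapeHtmlAttribute(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function buildFlashVars(vars) {
  return Object.entries(vars)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}
function hardenedEmbed(vars, width) {
  return '<object type="application/x-shockwave-flash" data="movie.swf" ' +
    'width="' + escapeHtmlAttribute(String(width)) + '" ' +
    'flashvars="' + escapeHtmlAttribute(buildFlashVars(vars)) + '">';
}

// Slide 38: encodeURI leaves '&', '=' and '#' alone, so a fragment in the
// page URL smuggles a second variable into flashvars.
function domEmbed(pageUrl) {
  return '<embed src="movie.swf" flashvars="location=' + encodeURI(pageUrl) + '">';
}

// Constructed attack inputs, as the server sees them after one URL-decoding.
const PIGGYBACK = decodeURIComponent("English%26globalVar=e-v-i-l");            // slide 36
const ATTR_BREAK = decodeURIComponent("600%27%20flashvars=%27globalVar=e-v-i-l"); // slide 37
const PAGE_URL = "http://host.example/page.html#x&globalVar=e-v-i-l";           // constructed, slides 38-39

for (const [label, tag] of [
  ["slide 36 vulnerable", vulnerableLanguageEmbed(PIGGYBACK)],
  ["slide 36 hardened", hardenedEmbed({ language: PIGGYBACK }, 600)],
  ["slide 37 vulnerable", vulnerableWidthEmbed(ATTR_BREAK)],
  ["slide 37 hardened", hardenedEmbed({}, ATTR_BREAK)],
  ["slide 38 vulnerable", domEmbed(PAGE_URL)],
  ["slide 38 hardened", hardenedEmbed({ location: PAGE_URL }, 600)],
]) {
  console.log(label, flashVarsSeenByMovie(tag));
}
```

The two encoding layers are deliberate and match slide 40's "appropriate encoding depending on context": encodeURIComponent handles the flashvars grammar, escapeHtmlAttribute handles the HTML attribute that carries it, and neither can substitute for the other.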

OWASP 41 Persistent FPI
- Shared local Flash objects (a.k.a. Flash cookies)
  - Used to store persistent data across multiple sessions and save Flash state
- Storing shared local Flash objects:

    // Create a shared object
    mySharedObject = SharedObject.getLocal("sharedObjName");
    // Store data in the shared object
    mySharedObject.data.name = "jsmith";
    mySharedObject.data.homepage = "[URL missing from transcript]";
    // Flush
    mySharedObject.flush();

OWASP 42 Persistent FPI (continued)
- Loading shared local Flash objects:

    // Create a new shared object or read an existing one
    mySharedObject = SharedObject.getLocal("sharedObjName");
    // Check whether variable name exists
    if (mySharedObject.data.name == null) {
        // Shared object doesn't exist
    } else {
        // Read the name
        name = mySharedObject.data.name;
        // Read the homepage
        homepage = mySharedObject.data.homepage;
    }

OWASP 43 Persistent FPI (continued)
- Shared local Flash object is controlled by user input
- Object is used inside the getURL method

    // Create a new shared object or read an existing one
    mySharedObject = SharedObject.getLocal("urlToLoad");
    // Check whether there is a shared object saved
    if (mySharedObject.data.url == null) {
        // Store the URL in a shared object
        mySharedObject.data.url = _root.inputURL;
    }
    // Get the URL
    getURL(mySharedObject.data.url);

[Diagram: Host (Browser) containing Flash Player containing Flash Movie, shown twice]

OWASP 44 Persistent FPI (continued)
- After the first infection, XSS will be executed every time the movie is loaded
- Attack can persist after the vulnerability is fixed
- IDS or IPS will only be able to detect the initial infection

OWASP 45 Example (CVE identifiers not preserved in transcript)

OWASP 46 Adobe Presenter FPI Vulnerability
- Illustration of the automatically created HTML:

    function showFlash(swf, w, h, loop) {
        var myLocation = document.location;
        //...
        s += '<param name="FlashVars" value="' +
             'initialURL=' + myLocation +
             '&isMSIE=' + isMSIE +
             '&useBSM=false" />';
        //...
        document.write(s);
    }

  The slide also shows the variant in which the location is wrapped in encodeURI:

    function showFlash(swf, w, h, loop) {
        var myLocation = encodeURI(document.location);
        //...
        s += '<param name="FlashVars" value="' +
             'initialURL=' + myLocation +
             '&isMSIE=' + isMSIE +
             '&useBSM=false" />';
        //...
        document.write(s);
    }

OWASP 47 Adobe Presenter FPI Vulnerability (continued)
- Movie Viewer.swf vulnerable to XSS through Flash:
  - Global parameter _url with payload "javascript:alert('XSS')"
  - Global parameter baseurl with payload "asfunction:getURL,javascript:alert('XSS')"
  - Works in Flash Player version 9,0,47,0 on both IE and Firefox
- DOM-based FPI allows the Flash to load within the original HTML
  - Invisible to IPS/IDS
- Vendors must recompile their Flash files to fix the problem

OWASP 48 Testing

OWASP 49 Testing
- Identify controlled Flash parameters:
  - Query parameters (from HTML)
  - FlashVars (from HTML)
  - Uninstantiated variables (from ActionScript)
- Locate potentially dangerous code:
  - Where controlled Flash parameters are used inside methods like getURL, loadMovie, etc.
  - Save sequences leading to potentially dangerous code
  - Associate with parameter

OWASP 50 Testing (continued)
- Mutation: inject values into the parameters
  - XSS: javascript:window.open(' [payload truncated in transcript]
  - XSF: [payload not preserved in transcript]
  - Phishing: [payload not preserved in transcript]
- Validation
  - Play relevant sequences belonging to the mutated parameter
  - Verify test results
    - Browser events
    - ActionScript level
- Test the Flash movie within its original HTML environment
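The first two steps on slide 49 (find the controlled parameters, locate the dangerous code they reach, and associate the two) are mechanical enough to automate over decompiled ActionScript. The JavaScript below is an added example, not a tool from the slides or from IBM: it collects every _root.* variable the movie reads, follows the value through plain assignments, and reports the sink calls that depend on it. The sink list is the one the slides name (getURL, loadMovie and the other Load* functions); the sample source is constructed from the slide-15 and slide-43 snippets with one safe call added, and the analysis is deliberately line-based and intra-file.

```javascript
// Added example, not from the OWASP slides: a small static pass over
// ActionScript 2 source implementing the first two steps on slide 49,
// finding externally controllable parameters (_root.* variables that are
// read, i.e. may arrive uninstantiated) and reporting the lines where they
// reach a dangerous sink, directly or through simple assignments.
// The sink list and the sample source are constructed from the slides.

const SINKS = ["getURL", "loadMovie", "loadMovieNum", "loadVariables", "loadVariablesNum"];

// Constructed sample: the slide-15 and slide-43 snippets plus one safe call.
const SAMPLE_SOURCE = [
  "// constructed from slide 15",
  "if (_root.url == undefined) {",
  '    _root.url = "http://example.invalid/default.html";',
  "}",
  "getURL(_root.url);",
  "",
  "// constructed from slide 43",
  'mySharedObject = SharedObject.getLocal("urlToLoad");',
  "if (mySharedObject.data.url == null) {",
  "    mySharedObject.data.url = _root.inputURL;",
  "}",
  "getURL(mySharedObject.data.url);",
  "",
  "// constant target, not externally controlled",
  'getURL("http://example.invalid/help.html");',
].join("\n");

// Every _root.name that is read (not merely assigned) is a candidate
// parameter: the movie cannot know whether the host supplied it.
function findControlledParameters(source) {
  const params = new Set();
  const re = /_root\.([A-Za-z_$][\w$]*)\b(?!\s*=[^=])/g;
  let m;
  while ((m = re.exec(source)) !== null) params.add(m[1]);
  return [...params].sort();
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Which _root parameters influence an expression, given the variables
// already known to carry parameter data.
function parametersIn(expr, taintMap) {
  const found = new Set();
  const re = /_root\.([A-Za-z_$][\w$]*)/g;
  let m;
  while ((m = re.exec(expr)) !== null) found.add(m[1]);
  for (const [name, params] of taintMap) {
    if (new RegExp("(^|[^\\w$.])" + escapeRegExp(name) + "(?![\\w$])").test(expr)) {
      for (const p of params) found.add(p);
    }
  }
  return found;
}

// Single forward pass: propagate parameter data through assignments (a
// later clean assignment does not clear taint; this is flow-insensitive on
// purpose) and report every sink call whose arguments depend on a parameter.
function analyzeSinks(source) {
  const assignRe = /^\s*(?:var\s+)?([A-Za-z_$][\w$.]*)\s*=(?!=)\s*(.+?);\s*$/;
  const sinkRe = new RegExp("\\b(" + SINKS.join("|") + ")\\s*\\(([^;]*)\\)");
  const taintMap = new Map();
  const findings = [];
  source.split("\n").forEach((line, i) => {
    const a = assignRe.exec(line);
    if (a && !a[1].startsWith("_root.")) {
      const params = parametersIn(a[2], taintMap);
      if (params.size > 0) taintMap.set(a[1], params);
    }
    const s = sinkRe.exec(line);
    if (s) {
      const params = parametersIn(s[2], taintMap);
      if (params.size > 0) {
        findings.push({ line: i + 1, sink: s[1], args: s[2].trim(), parameters: [...params].sort() });
      }
    }
  });
  return findings;
}

console.log("controlled parameters:", findControlledParameters(SAMPLE_SOURCE));
for (const f of analyzeSinks(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.sink}(${f.args}) depends on _root.${f.parameters.join(", _root.")}`);
}
```

Each finding pairs a sink line with the parameter that feeds it, which is the "associate with parameter" step; the mutation and validation steps on slide 50 then run against exactly those pairs, with the movie loaded in its original HTML as the slide requires.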

OWASP 51 More details
- IBM Rational Application Security Insider Blog (containing presentation and whitepaper): [URL not preserved in transcript]
- Flash movie demonstrating XSF and XSS through Flash: [URL not preserved in transcript]
- Contact:
  - Ayal Yogev (Senior Security Researcher): ayal [address truncated in transcript]
  - Adi Sharabani (Security Research Group Manager): adish [address truncated in transcript]

OWASP 52 Questions? Flash