Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP Automated Crawling & Security Testing of Flash/Flex Web Applications Ronen Bachar Organization: IBM Phone: /9/2008
OWASP 2 Agenda Introduction to Flash/Flex applications AMF High level description AMF data format and its usage Automated Flash Testing Challenges Automated Crawling Automated Testing Overview of security risks in Flash/Flex applications
OWASP 3 Flash/Flex Introduction Flash Developed by Macromedia (now Adobe) Flash is used to create animations, ads, and various Web components, to integrate video into web pages and, more recently, to develop RIA Can be consumed as web page element or standalone application Includes Scripting languages - Action Script 1, 2 & 3 Flash player Runs Flash content (SWF file format) Available as a plug-in for browsers (such as Mozilla Firefox and Internet Explorer) or as standalone application Each version is completely backward-compatible
OWASP 4 Flash/Flex Introduction (ctd.) Flex Flex provides a framework for developing RIAs that run in Flash Player Instead of forcing applications into the “animation” model, developers can program real applications using MXML (XML document) for layout user-interface components, and Action Script for programming Requires Flash Player v9 Same File Format (SWF) Supports only Action Script 3 AJAX-like attributes
OWASP 5 Flash/Flex Introduction (ctd.) When Flash movie is embedded in Web page: Flash DOM: interacts with DOM by executing JavaScript code JavaScript (HTML Host) Flash Object Host (Browser) Flash Player Flash Movie (SWF)
OWASP 6 Flash in HTML page
OWASP 7 AMF - ActionScript Message Format A binary message format Used primarily to exchange data between Flash/Flex application and server side component, by serializing Action Script data types NetConnection uses AMF to send messages to a server to asynchronously invoke remote services (RPC) AMF 0, 3 - require Flash Player 9 AMF protocol specification is available (see references) Understanding AMF format is crucial for manipulating (fuzzing) applications that use AMF
OWASP 8 AMF Format Description Version: 0, 3 Header(s): Header Name Data: Serialized data (binary) Message(s): Target URI: Service name/Response result Response URI: /id Data: Serialized data (binary)
OWASP 9 AMF Example Request (raw format) Request (decoded) Response (decoded)
OWASP 10 Challenges of Crawling Flash In order to properly test Flash/Flex-based applications, we have to crawl them Detect server-side end-points (new URLs) Detect client-side states and logic (Flash Application tree) We must play the Flash movie in its “native” context Flash movie runs in the original HTML page Browser - include JavaScript engine (for JS Flash interaction) Use Flash Player plug-in We must support dynamic content too (where script creates content on the fly), parsing is not enough!
OWASP 11 Challenges of Crawling Flash (Cont.) States in Flash application Navigation in Flash application Blind Crawling (soundless, no pop-ups, no visuals) Support inline movie too Since Flash Player is designed only to play movies, its programming interface is limited
OWASP 12 State Management in Flash applications Flash Applications are primarily based on animation. We encounter the following issues: How do we identify/define “application state”? How do we get the current state? Figuring out that the current state is over/idle? We define “state” as “GUI Object” container, i.e. Movie Clips, Buttons & Text Fields Heuristics & Flash Plug-in gives us hints that the player is “idle”
OWASP 13 Navigation in Flash Application Navigate Flash application in its native flow still hard to define correct “functional flow” Build application tree (each node represents a state) Get current state details (GUI Objects( Activate each GUI object according to type: Button – click on it, move mouse over a button area. TextField – fill it in MovieClip – click on it Navigating between states through Flash Unfortunately, navigating back is not trivial We need to store and play sequences
OWASP 14 Flash Application tree Root (State A) MC2 State C (State B) B1 B2 MC1 State FState EState D
OWASP 15 Identify controlled Flash parameters: Query parameters (from HTML) FlashVars (from HTML) Uninstantiated variables (from Action Script) getURL (clickTag,'_self') Locate potentially dangerous code: Where controlled Flash parameters are used inside PDNFs (getURL, loadMovie, loadVariables, etc.) Save sequences leading to potentially dangerous code Associate with parameter Testing Flash Applications
OWASP 16 Testing Flash Applications (ctd.) Mutation - Inject values to the parameters XSS: parm1=javascript:window.open(‘ XSF: param2= Phishing: param3= Validation Play relevant sequence belongs to mutated parameter Verify test results Browser events Action Script level
OWASP 17 Testing AMF Parameters Testing Server-side AMF-speaking end-points Using standard parameter tampering techniques on AMF message fields: XSS, SQLi, HTTP Response Splitting, Command Execution, Etc. ' having 1=1-- Original Request Mutated Request
OWASP 18 Overview of security risks in Flash/Flex applications XSS Through Flash Read & Write access to HTML page or javascript code XSF Read & Write access to SWF loader or HTML or javascript code Phishing Through Flash AMF Parameters XSS, SQLi Cross Domain Promiscuous Access Read & Write access to HTML page or javascript code
OWASP 19 Recommendations HTML Code “allowNetworking” set to ‘internal’ “allowScriptAccess” set to ‘samedomain’ Perform data validation on variables sent to URL functions Refining access with “crossdomain.xml” Use fscommand or ExternalInterface.call Instead of "javascript:” Compiler settings: Compile Flash movie for Flash Player 8 or latter Set Omit trace flag
OWASP 20 References Creating more secure SWF web applications: e_swf_apps.html e_swf_apps.html Adobe Flash Player 9 Security: _player_9_security.pdf _player_9_security.pdf AMF 0 Specification: pec_ pdf pec_ pdf AMF 3 Specification: pec_ pdf pec_ pdf Testing Flash Applications (Stefano Di Paola / OWASP): 7.pdf 7.pdf