Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byBrayden Thornes Modified over 10 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Test.Security(Flash); Lavakumar K GISA, Royal Bank of Scotland lavakumark@gmail.com 21 st March, 2009

2 OWASP About me: Have been doing security auditing for 3 years Performed more than 100 penetration tests Perl and C# programmer I write code for pleasure And break code at work 2

3 OWASP 3 Imagine you are testing a web application and it has flash content. What would you do? a)Ignore the flash content b)Enjoy the flash videos and get back to testing the rest of the application c)Badmouth the developers for using silly programs like flash in a serious application d)Include the flash app in your test scope If you answer is a/b/c then listen carefully…

4 OWASP Agenda Introduce the bare minimum that every developer and Penetration tester should know about flash security 4

5 OWASP What is Flash Multimedia platform from Adobe(Macromedia) Ideal for animations and graphics Files have.swf extension Flash embedded in web pages is played by the Flash player plug-in of the browser 5

6 OWASP The moment of truth Who hasnt played flash games at work???? 6

7 OWASP Logic in Flash 7 Logic can be built in to Flash applications with ACTIONSCRIPT Actionscript is the programming language for Flash applications This is what powers your favorite flash game. ActionScript 3.0 is the latest version. We will talk about ActionScript 2.0, its more widely used

8 OWASP Flash is powerful Flash applications can: Send HTTP requests to third-party domains Create XML socket connections Store data on the file system permanently (LocalSharedObjects) Can access the DOM of the page Execute JavaScript 8

9 OWASP Areas of focus Cross-site scripting in flash Cross-site Flashing Crossdomain concerns Sensitive data storage Encryption in flash Attacking the server 9

10 OWASP _global and _root objects Attributes of _global and _root objects are represented as: _root.variableName _global.variableName If these are undefined then they can be initialized from the querystring 10

11 OWASP Example: Actionscript source of demo.swf: class Demo { static var app : Demo; function Demo() { if (_root.url != undefined ) { getURL(_root.url); } // entry point static function main(mc) { app = new Demo(); } In this example the value of _root.url can be initalised from the querystring: http://10.10.10.10/flash/demo.swf?url=http://www.owasp.org 11

12 OWASP Cross-site scripting In the previous example if the user enters javascript:alert(1) as the URL then script execution is possible User enters: http://10.10.10.10/flash/demo.swf?url=javascript:alert(1)// Passed to the getURL function: getURL(javascript:alert(1)//); - Cross-site scripting 12

13 OWASP Vulnerable functions a.k.a PDNF All these functions take URL as an input parameter. To exploit, inject the URL parameter with: asfunction:getURL,javascript:evilcode Eg: http://victim/file.swf?URL=asfunction:getURL,javascript:evilcode 13 loadMovie() getURL() loadMovie() loadMovieNum() FScrollPane.loadScrollContent() LoadVars.load() LoadVars.send() XML.load () LoadVars.load ( ) Sound.loadSound( ); NetStream.play();

14 OWASP Other means of Cross-site scripting Text fields in flash can be injected with HTML textfield.html = true textfield.htmlText = flash.external.ExternalInterface.call(); This function can call JavaScript methods. Method Description: public static call(methodName:String, [parameter1:Object]) : Object 14

15 OWASP Cross-site flashing (XSF) According to the OWASP testing guide: XSF Occurs when from different domains: One Movie loads another Movie with loadMovie* functions or other hacks and has access to the same sandbox or part of it XSF could also occurs when an HTML page uses JavaScript to command an Adobe Flash movie, for example, by calling: GetVariable: access to flash public and static object from JavaScript as a string. SetVariable: set a static or public flash object to a new string value from JavaScript. Could lead to leakage of data or manipulation of the normal functioning of the flash file. 15

16 OWASP Cross Domain concerns Crossdomain.xml Allowscriptaccess Localconnection security.allowDomain() 16

17 OWASP Crossdomain.xml Its a policy file that allows SWF files from external domains to make HTTP calls to this domain Sample Crossdomain.xml file: 17

18 OWASP How it works 18 User is logged in to www.a.com User visits www.b.comwww.b.com and a SWF file is loaded www.a.com Web server Browser http://www.a.com/profile.jsp www.a.comwww.a.com Cookie HTTP 200 OK : profile.jsp

19 OWASP Crossdomain.xml Sites relying on cookies for session management should be careful about allow external sites Never use the universal allow wildcard - * - Dangerous!! Even sites on the intranet should have strict crossdomain.xml files Secure attribute should always be set for HTTPS content Permitted-cross-domain-policies should always be set to master-only 19

20 OWASP Allowscript access Embedding swf files in HTML 20

21 OWASP What it does The value of this setting determines the script access to the SWF Possible values: never – No script access allowed.(Deprecated) sameDomain – SWF from same domain have script access always – SWFs from external domains also have script access – Dangerous!! 21

22 OWASP Localconnection Used for interprocess communication between flash files One flash file can call methods in another flash file using this even if they are from different domains Access control is enforced using the LocalConnection.allowDomain() method LocalConnection.allowDomain(*) allows SWF files from all domain – Dangerous!!

23 OWASP Security.allowDomain() Normally SWF loaded from www.a.com cannot access the variable, objects, properties and methods of SWF loaded from www.b.comwww.a.comwww.b.com But Security.allowDomain() can be used to bypass this security restriction. HTTP to HTTPS restriction can be overcome using System.security.allowInsecureDomain() - Dangerous!! System.security.allowDomain("*") – Dangerous!! 23

24 OWASP Sensitive data storage Any hard-coded password or other sensitive information in the SWF file is a major risk SWF files can be decompiled easily SharedLocalObjects are like cookies in flash They are used to store information on the client- side This information is stored in clear-text HTTP to HTTPS access is restricted with secure flag var mySO = SharedObject.getLocal("userInfo", null, false); - Dangerous!! 24

25 OWASP Flash decompilation with Flare Insecure.as Decompiling with flare.exe: C:\>flare.exe insecure.swf Insecure.flr 25 class Demo { static var app : Demo; function Demo() { var username = "administrator"; var password = "p@ssw0rd"; //--------------------------cut here -------------------------- movie 'talk.swf' { // flash 7, total frames: 1, frame rate: 20 fps, 800x600 px, compressed movieClip 20480 __Packages.Demo { #initclip if (!Demo) { _global.Demo = function () { var v2 = 'administrator'; var v3 = 'p@ssw0rd'; }; //--------------------------cut here --------------------------

26 OWASP Encryption in Flash Any attempts at client-side encryption is a bad idea Key has to be hard-coded and can be stolen Even if the SWF file uses HTTPS, serving the file over HTTP is very dumb!! Best way to ensure data security is to serve the SWF file over HTTPS If you see anything else happening then its surely a broken security model 26

27 OWASP Attacking the server There could be two-way communication between SWF file and the server Data form the SWF file could be used in SQL queries or other potentially dangerous system commands Since the data is coming from the SWF file, developers tend to consider it to be safe and fail to validate it properly Identify data sent to the server and fuzz them for common injection vulnerabilties 27

28 OWASP Credits, References and further reading OWASP testing guide V3 http://www.owasp.org/images/5/56/OWASP_Te sting_Guide_v3.pdf http://www.owasp.org/images/5/56/OWASP_Te sting_Guide_v3.pdf Creating more secure SWF web apps http://www.adobe.com/devnet/flashplayer/articl es/secure_swf_apps.html http://www.adobe.com/devnet/flashplayer/articl es/secure_swf_apps.html https://www.flashsec.org/ Stefano Di Paola, OWASP Flash Security Project Flare, http://www.nowrap.de/flare.htmlhttp://www.nowrap.de/flare.html 28

29 OWASP ? 29 Thank You

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

Web 2.0 Programming 1 © Tongji University, Computer Science and Technology. Web Web Programming Technology 2012.

Web 2.0 Programming 1 © Tongji University, Computer Science and Technology. Web Web Programming Technology 2012.
3rd Annual Plex/2E Worldwide Users Conference Page based on Title Slide from Slide Layout palette. Design is cacorp 2006. Title text for Title or Divider.

3rd Annual Plex/2E Worldwide Users Conference Page based on Title Slide from Slide Layout palette. Design is cacorp Title text for Title or Divider.
© 2002 D & D Enterprises 1 Linking Images For Navigation & Clickable Image Maps.

© 2002 D & D Enterprises 1 Linking Images For Navigation & Clickable Image Maps.
Widget Summit: Advanced JavaScript Joseph Smarr Plaxo, Inc. October 16, 2007.

Widget Summit: Advanced JavaScript Joseph Smarr Plaxo, Inc. October 16, 2007.
Copyright © 2003 Pearson Education, Inc. Slide 8-1 Created by Cheryl M. Hughes, Harvard University Extension School Cambridge, MA The Web Wizards Guide.

Copyright © 2003 Pearson Education, Inc. Slide 8-1 Created by Cheryl M. Hughes, Harvard University Extension School Cambridge, MA The Web Wizards Guide.
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Copyright CompSci Resources LLC 2009 1 Web-Based XBRL Products from CompSci Resources LLC Virginia, USA. Presentation by: Colm Ó hÁonghusa.

Copyright CompSci Resources LLC Web-Based XBRL Products from CompSci Resources LLC Virginia, USA. Presentation by: Colm Ó hÁonghusa.
Introduction to HTML, XHTML, and CSS

Introduction to HTML, XHTML, and CSS
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Overview Environment for Internet database connectivity

Overview Environment for Internet database connectivity
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
Powerpoint Templates Page 1 Powerpoint Templates Server Side Scripting PHP.

Powerpoint Templates Page 1 Powerpoint Templates Server Side Scripting PHP.
1 What is JavaScript? JavaScript was designed to add interactivity to HTML pages JavaScript is a scripting language A scripting language is a lightweight.

1 What is JavaScript? JavaScript was designed to add interactivity to HTML pages JavaScript is a scripting language A scripting language is a lightweight.
The World Wide Web. 2 The Web is an infrastructure of distributed information combined with software that uses networks as a vehicle to exchange that.

The World Wide Web. 2 The Web is an infrastructure of distributed information combined with software that uses networks as a vehicle to exchange that.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.

© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.
DB Relay An Introduction. INSPIRATION Database access is WAY TOO HARD The crux.

DB Relay An Introduction. INSPIRATION Database access is WAY TOO HARD The crux.

Similar presentations

Ads by Google