Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps

Finding Vulnerabilities in Flash Applications Stefano Di Paola CTO MindedSecurity [email_address] +393209495590

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],$ Whoami^J

Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object]

Objectives ,[object Object],[object Object],[object Object],[object Object]

Flash Apps - Security Concerns ,[object Object],[object Object],[object Object],[object Object],[object Object]

SWF Client Side Attacks ,[object Object],[object Object],[object Object],[object Object],[object Object]

Cross Site Flashing (XSF) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Accomplishing an Attack using flawed SWF ,[object Object],<html> <body marginwidth="0" marginheight="0"> <embed width="100%" height="100%" name="plugin" src="http://Url/To/Swf" type="application/x-shockwave-flash"/> </body> </html>

Attack Example to a Flawed SWF ,[object Object],[object Object],[object Object],v1.loadv = function () { this.varTarget = new MovieClip(); _root.createEmptyMovieClip('varTarget', 10); var v2 = new XML(); v2.load( _root.test ); };

Accomplish an attack ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

The Attack Flow We will see the dangerous mechanisms that could lead to Client Side Attacks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Register Globals in ActionScript ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],if (_root.language != undefined) { Locale.DEFAULT_LANG = _root.language; } v5.load(Locale.DEFAULT_LANG + '/player_' + Locale.DEFAULT_LANG + '.xml');

Register Globals in Included Files 1/2 ,[object Object],[object Object],/* Level0 Movie */ _level0.DEMO_PATH = getHost(this._url); loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf', (_level0.demo_level + 1)); .... /* Level1 Movie ' upperlev.swf ' */ .... loadMovieNum( _level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......

Register Globals in Included Files 2/2 ,[object Object],[object Object],/* Level1 Movie ' upperlev.swf ' */ .... loadMovieNum( _level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......

Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Attack Patterns – Quick Reference ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Attack Patterns – Quick Reference ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Attack Patterns – GetURL New Issue ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],getURL('javascript:SomeFunc( “ someValue ” )','','GET') ,[object Object],[object Object]

Attack Patterns – ExternalInterface New Issue ,[object Object],[object Object],public static call(methodName:String, [parameter1:Object]) ,[object Object]

External Interface Attack ,[object Object],[object Object],[object Object],flash.external.ExternalInterface.call( _root.callback ) __flash__toXML( (new Function( “ alert( ‘ Xss ’ ) ” )) ())

Attack Patterns – Font New Issue ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Modify the Data Flow 1/4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Modify the Data Flow 2/4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Modify the Data Flow 3/4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Modify the Data Flow 4/4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Recipe for Runtime Analysis ,[object Object],[object Object],[object Object],[object Object]

Find Undefined Vars @ Runtime ,[object Object],[object Object],[object Object],[object Object],_ root.__resolve = function (name){ // name is undefined }

Attack Patterns Array ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

A SWF Container ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Conclusions ,[object Object],[object Object],[object Object]

Thank you :) Questions? ,[object Object],[object Object],[object Object]

Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (6)

Similar to Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps

Similar to Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps (20)

Recently uploaded

Recently uploaded (20)

Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps