Flashack

null Bangalore Chapter - June 2014 Meet

  1. Flashack: Exploiting Flash Applications
     Abir Banerjee, n|u Bangalore – 14 June 2014
  2. References
     • https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
     • https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004)
     • http://blog.watchfire.com/FPI.pdf
     • http://habrahabr.ru/post/182706/
     • http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt
     • http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf
     • http://sethsec.blogspot.in/2014/03/exploiting-misconfigured-crossdomainxml.html
     • http://gursevkalra.blogspot.in/2013/08/bypassing-same-origin-policy-with-flash.html
     • http://www.andlabs.org/presentations/Test_Security_Flash.pdf
     • http://www.securityfocus.com/archive/1/441014/30/0/threaded
  3. Introduction to Flash
     • A multimedia software platform that gave the Web graphics, animation, games and many Rich Internet Applications (RIAs), all viewed, played and executed in Adobe Flash Player
     • Flex: a cousin of Flash that uses AS3 and helps build complex and flexible business logic, especially for Rich Internet Applications
     • Browsers need a Flash plugin to play the Flash executable files (SWF) embedded in web pages
     • Flash applications are programmed in the object-oriented language ActionScript 2.0 / 3.0
  4. Flash Myth?
     • "Flash is outdated, dead, attacks don't work..." Is it true?
     • It will exist as long as browsers support it!
     • The majority of attacks are due to programming flaws
  5. Flash Application Security Concerns
     • JavaScript execution is possible from Flash
     • Flash can be used to forge HTTP headers
     • Cross-domain policy misconfiguration can be exploited
     • Flash + clickjacking can be leveraged for camjacking!
     • A SWF can load and execute external Flash movies
     • Flash can be decompiled easily
  6. Vulnerabilities in Flash
     Client-side vulnerabilities
     • Cross-Site Scripting via Flash
     • Potentially Dangerous Native Functions (PDNF)
     • Cross-Site Flashing
     • Abusing HTTP headers and cross-domain policies
     • Decompilation and sensitive data storage
     Server-side vulnerabilities
     • Action Message Format (AMF) tampering
     • Remote calls, service enumeration, injection, etc.
  7. Decompiling Flash
     • SWF files are bytecode interpreted by a virtual machine embedded in the player itself, so the bytecode (and with it the application logic) ships to every client
     Decompilers
     • HP SwfScan
     • Flare
     • JPEXS Free Flash Decompiler
     • Sothink SWF Decompiler
     • Flash Decompiler Trillix
     Impact
     • A SWF is easily decompiled and analysed for insecure programming and hard-coded credentials
     Mitigation
     • Sanitise user input; never hard-code credentials or other secrets in the SWF
     • Use obfuscation only as a deterrent: it slows analysis down but does not prevent it
  8. Cross-Site Scripting (XSS)
     • A Flash SWF can access its host page's DOM, depending on the page's allowScriptAccess setting
     • A Flash SWF can modify the DOM of its host page
     Impact
     • XSS against the host page, causing malicious script execution in the host origin
     Mitigation
     • Sanitise user input
  9. XSS continued...
     _global and _root objects
     • Attributes of the _global and _root objects are addressed as _root.variableName and _global.variableName
     • Attacker-controlled sources: FlashVars, injection into HTML text fields, unsafe methods
     What is the problem?
     • Variables that are never initialised in the SWF can be seeded from the query string (FlashVars)
     • Use of insecure functions
     • Unsanitised input
     Exploitation
     • Unsafe methods take a URL as a function argument, so they can be driven from the query string
     • HTML text injection, typical payload: http://victim.com/victim.swf?asfunction:getURL,javascript:evilcode
 10. Cross-Site Flashing (XSF)
     • Cross-Site Flashing occurs when one SWF or movie loads another SWF or movie
     • It is performed by forcing a flawed SWF to load an external, attacker-controlled Flash file
     • XSF can also be reached through Flash HTML injection, or wherever external SWF files are loaded with the loadMovie* methods
     Impact
     • Phishing, or loading of malicious files into the trusted SWF's context
     Mitigation
     • Initialise variables and sanitise user input
     • Use strict cross-domain policies
     • If not required, do not allow an external SWF to be loaded into _level0
 11. Potentially Dangerous Native Functions (PDNF)
     Vulnerable functions in ActionScript 2.0
     • getURL()
     • loadMovie()
     • loadMovieNum()
     • LoadVars.load()
     • LoadVars.send()
     • FScrollPane.loadScrollContent()
     • Sound.loadSound()
     • NetStream.play()
     • XML.load()
     What's the problem?
     • All of these functions take a URL as an input parameter; if that URL comes from an uninitialised variable or unsanitised input, the attacker chooses what gets loaded or where the user is sent
     Mitigation
     • Initialise variables and sanitise user input
 12. Abusing HTTP Headers
     • Flash can send requests with forged HTTP headers, which enables header-injection attacks against the server
     How to use it?
     • The following ActionScript 2.0 sends a request to a victim site, say http://www.victim.com/page.php?p1=a&p2=b, with an arbitrary header (Expect: <script>alert(1)</script>)
     For a GET request:
         var req:LoadVars = new LoadVars();
         req.addRequestHeader("Expect", "<script>alert(1)</script>");
         req.send("http://www.victim.com/page.php?p1=a&p2=b", "_blank", "GET");
     For a POST request:
         var req:LoadVars = new LoadVars();
         req.addRequestHeader("Expect", "<script>alert(1)</script>");
         req.decode("a=b&c=d");   // populates the POST body
         req.send("http://www.victim.com/page.php?p1=a&p2=b", "_blank", "POST");
     • The request is sent by the browser hosting the Flash object, so any cookies the browser normally sends to the victim site go with it, together with the browser's User-Agent and all other standard headers. HTTPS URLs are supported.
 13. Cross Domain Access Policies
     • crossdomain.xml is a policy file that allows SWF files from external domains to make HTTP calls to your domain
     Sample crossdomain.xml file:
         <?xml version="1.0"?>
         <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
         <!-- Policy file for mysite.com -->
         <cross-domain-policy>
           <!-- This is a master-policy file -->
           <site-control permitted-cross-domain-policies="master-only"/>
           <allow-access-from domain="www.example.com" secure="true"/>
           <allow-access-from domain="*.example.com"/>
         </cross-domain-policy>
 14. Cross Domain Access Policies (continued)
     Good crossdomain.xml file:
         <?xml version="1.0"?>
         <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
         <!-- Policy file for mysite.com -->
         <cross-domain-policy>
           <!-- This is a master-policy file -->
           <site-control permitted-cross-domain-policies="master-only"/>
           <allow-access-from domain="www.example.com" secure="true"/>
           <allow-access-from domain="*.example.com"/>
         </cross-domain-policy>
     Bad crossdomain.xml file:
         <?xml version="1.0"?>
         <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
         <!-- Policy file for mysite.com -->
         <cross-domain-policy>
           <!-- This is a master-policy file -->
           <site-control permitted-cross-domain-policies="all"/>
           <allow-access-from domain="*"/>
         </cross-domain-policy>
     (permitted-cross-domain-policies accepts none, master-only, by-content-type, by-ftp-filename and all; "all" is the dangerous setting, because it lets any file on the host, such as a user upload, act as a policy file.)
     Threat: if a user is logged in to www.abc.com and then visits www.def.com, where a malicious SWF is loaded, that SWF can make requests to www.abc.com with the user's cookies and read the responses, i.e. the user's data on www.abc.com
     Mitigation: never use "*" in allow-access-from
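The checks a tester applies to the two policies above can be scripted. The following is an added example, not code from the deck: it parses constructed copies of the "good" and "bad" crossdomain.xml files with the standard library and reports the settings that let a SWF on an unrelated origin read responses sent with the victim's cookies (wildcard domains, a permitted-cross-domain-policies of all, secure="false", and a wildcard allow-http-request-headers-from, which ties in with the header forging of slide 12). The subdomain wildcard in the good file is reported as informational only.

```python
"""Audit a crossdomain.xml policy for the weaknesses described on slides 13-14.

Added example, not part of the original deck. The two policies below are
constructed to mirror the slides' "good" and "bad" files.
"""
import xml.etree.ElementTree as ET

GOOD_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>
"""

BAD_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of (severity, message); severity is 'high' or 'info'."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "document root is <%s>, not <cross-domain-policy>" % root.tag)]

    for control in root.findall("site-control"):
        if control.get("permitted-cross-domain-policies", "") == "all":
            findings.append(("high", "site-control 'all': any file on this host "
                                     "(e.g. an upload) may act as a policy file"))

    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append(("high", "allow-access-from '*': a SWF on any site can read "
                                     "responses sent with the victim's cookies"))
        elif domain.startswith("*."):
            findings.append(("info", "allow-access-from '%s': every subdomain is trusted; "
                                     "an XSS on any of them reaches this origin" % domain))
        # 'secure' defaults to true; false lets an http:// SWF read https:// responses
        if entry.get("secure", "true").lower() == "false":
            findings.append(("high", "allow-access-from '%s' secure=\"false\": plaintext-"
                                     "served SWFs may read HTTPS responses" % domain))

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers", "") == "*":
            findings.append(("high", "allow-http-request-headers-from '*'/'*': any SWF "
                                     "may send arbitrary request headers"))
    return findings


def is_permissive(xml_text):
    """True when the policy has at least one high-severity finding."""
    return any(sev == "high" for sev, _ in audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, "permissive" if is_permissive(policy) else "ok")
        for sev, msg in audit_policy(policy):
            print("  [%s] %s" % (sev, msg))
```

To audit a live target, fetch http://target/crossdomain.xml and pass the body to audit_policy(); with master-only set, that root file is the only policy the player will honour, so it is the only one that needs review.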
 15. AllowScriptAccess
         <object id='MyMovie.swf' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'
                 codebase='http://download.adobe.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0'
                 height='100%' width='100%'>
           <param name='allowScriptAccess' value='sameDomain'/>
           <param name='src' value='MyMovie.swf'/>
           <embed name='MyMovie.swf' pluginspage='/go/getflashplayer' src='MyMovie.swf'
                  height='100%' width='100%' allowScriptAccess='sameDomain'/>
         </object>
     Mitigation
     • Do NOT set allowScriptAccess='always' on a SWF you do not control: the valid values are always, sameDomain and never, and 'always' lets the SWF run JavaScript in the host page whatever its origin
 16. LocalConnection
     • Used for inter-process communication between Flash movies
     • One Flash file can call methods of another Flash file even if they come from different domains
     • Access control is enforced with the LocalConnection.allowDomain() method
     Mitigation
     • Do NOT use LocalConnection.allowDomain('*'), as it accepts calls from SWF files on every domain
 17. Security.allowDomain()
     • Normally a SWF loaded from www.a.com cannot access the variables, objects, properties and methods of a SWF loaded from www.b.com, but Security.allowDomain() can be used to lift this restriction
     • The HTTP-to-HTTPS restriction can be lifted with System.security.allowInsecureDomain() – BAD IDEA!!
     • System.security.allowDomain("*") – BAD IDEA!!
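Once a SWF has been decompiled (slide 7), the uninitialised-variable and PDNF issues of slides 9-11 and the wildcard allowDomain()/allowInsecureDomain() calls of slides 16-17 are all found by the same pass over the recovered source. The following scanner is an added example, not code from the deck; the ActionScript it scans is a constructed sample, not the output of any real SWF. It flags PDNF calls whose URL argument is read from _root/_level0/_global or built from a variable the SWF never assigns (and which FlashVars or the query string can therefore seed), plus the cross-domain calls with a "*" argument. It is regex-based triage, not an ActionScript parser, so every hit should be confirmed by reading the code.

```python
"""Triage decompiled ActionScript 2 for the flaws of slides 9-11 and 16-17.

Added example, not part of the original deck. Regex-based triage, not a
parser: confirm each hit by hand.
"""
import re

# Slide 11: AS2 functions whose first parameter is a URL.
PDNF = {"getURL", "loadMovie", "loadMovieNum", "load", "send",
        "loadScrollContent", "loadSound", "play"}
# Scopes that FlashVars / query-string parameters are copied into.
ATTACKER_SCOPES = ("_root.", "_level0.", "_global.")
DOMAIN_CALLS = {"allowDomain", "allowInsecureDomain"}
KEYWORDS = {"new", "this", "true", "false", "null", "undefined"}
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
COMMENT_OR_STRING = re.compile(STRING_LITERAL.pattern + r"|//[^\n]*")

# Constructed sample of decompiler output (not taken from any real SWF).
SAMPLE_AS2 = """\
// constructed sample
var page = "home";
System.security.allowDomain("*");
var lc = new LocalConnection();
lc.allowDomain("*");
System.security.allowInsecureDomain("partner.example.com");
getURL(_root.redirect, "_self");
loadMovie(skinUrl, "_level0");
loadMovie(page + ".swf", _root.holder);
var feed = new XML();
feed.load(_level0.feedUrl);
feed.load("http://www.example.com/static/feed.xml");
"""


def _call_args(src, start):
    """(all argument text, first argument) for the call whose '(' ends at start."""
    depth, quote, i, first = 1, None, start, None
    while i < len(src) and depth:
        c = src[i]
        if quote:
            if c == "\\":
                i += 1
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "," and depth == 1 and first is None:
            first = i
        i += 1
    args = src[start:i - 1]
    return args, (args if first is None else src[start:first]).strip()


def _assigned_names(src):
    """Identifiers given a value somewhere: 'x = ..', 'var x = ..', parameters."""
    names = set(re.findall(r"\b([A-Za-z_]\w*)\s*=(?!=)", src))
    for params in re.findall(r"function\s*\w*\s*\(([^)]*)\)", src):
        names.update(p.split(":")[0].strip() for p in params.split(",") if p.strip())
    return names


def scan_actionscript(src):
    """Return [(line, function, reason)] in source order."""
    # Drop // comments without touching the // inside "http://" literals.
    src = COMMENT_OR_STRING.sub(lambda m: "" if m.group(0).startswith("//") else m.group(0), src)
    assigned = _assigned_names(src)
    findings = []
    for m in re.finditer(r"\b([A-Za-z_]\w*)\s*\(", src):
        name = m.group(1)
        args, arg = _call_args(src, m.end())
        line = src.count("\n", 0, m.start()) + 1
        if name in DOMAIN_CALLS:
            if '"*"' in args or "'*'" in args:
                findings.append((line, name, "wildcard domain: every SWF on the web is trusted"))
            elif name == "allowInsecureDomain":
                findings.append((line, name, "lets an http:// SWF script this https:// movie"))
        elif name in PDNF:
            if not arg or STRING_LITERAL.fullmatch(arg):
                continue  # hard-coded URL: not attacker controlled
            if any(scope in arg for scope in ATTACKER_SCOPES):
                findings.append((line, name, "URL read from %s (FlashVars / query string)" % arg))
                continue
            idents = set(re.findall(r"\b[A-Za-z_]\w*\b", STRING_LITERAL.sub('""', arg)))
            unset = sorted(idents - assigned - KEYWORDS)
            if unset:
                findings.append((line, name, "URL built from never-assigned %s, seedable "
                                             "from the query string" % ", ".join(unset)))
    return findings


if __name__ == "__main__":
    for line, func, why in scan_actionscript(SAMPLE_AS2):
        print("line %d: %s() - %s" % (line, func, why))
```

Run against real decompiler output, expect noise from generic names such as load() and play() on non-URL objects; the value is in the uninitialised-variable check, which is exactly the condition that lets victim.swf?variable=... reach getURL() or loadMovie().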
 18. Camjacking
     • Camjacking refers to hijacking the user's camera by clickjacking the Flash Player camera-access prompt, so the user grants access without realising it
 19. Thank You
     Questions or Feedback?
