Ferruh Mavituna, profile picture
Uploaded byFerruh Mavituna
PPS, PDF598 views

Flash Security

This document discusses security issues related to Flash applications and cross-domain access. It covers how the crossdomain.xml file controls cross-domain access and demonstrates how this can be exploited. Attack surfaces like global parameters, external resources, and HTML text areas are described. The document recommends limiting JavaScript access in embedded Flash, ensuring configurations and external resources come from trusted domains, and sanitizing data in HTML text areas.

Embed presentation

Downloaded 63 times
Attacking and defending Flash Applications
Flash Security I’ll talk about; RIA, Web 2.0 and Security What is Crossdomain.xml? Why does it exist? Only problem about Flash : XSS XSS and Impact of XSS Attacks Attack Surface of Flash Applications   Global Parameters   External Resources Same-origin Policy and Flash Embedding High Security Required Applications and Flash Not going to talk about these, at least not today; Server-side Flash Security Attacking users via Flash Flash Vulnerabilities
RIA, Web 2.0 and Security Complexity is the worst enemy of security Every new component in the browser is a new threat AJAX, Silverlight, AIR, Flash, Java, Myspace Upload ActiveX etc. All of these are potential security problems. Every new technology comes with new style of development and it takes time to have secure “best practices”.
Crossdomain.xml & Same-Origin Policy Same-Origin Policy Why Cross-domain access is a bad thing? Examples ... Cookie, XMLHTTP Requests, Javascript etc. Flash and Crossdomain.xml
A Quite Naïve Crossdomain.xml File <cross-domain-policy>     <allow-access-from domain=&quot;*&quot; secure=&quot;false&quot;/> </cross-domain-policy>
Demo Stealing information via Flash by exploiting Crossdomain.xml trust. http: //e xamplebank.com http://attacker.com/
XSS Tunnelling? Tunnelling HTTP tarffic through XSS channels. Allows to bypassing IP Restrictions, VPN, basic auth etc.
Attack Surface of Flash Global Parameters Flashvars Querystring LoadVars Configuration Files Dynamically loaded Flash Animations
Global Parameter Modification Who are these global parameter s? _root. _global. _level0.
Flash Embedding Limit Flash file’s access by setting Allowscriptaccess attribute to “noaccess” while embedding an external Flash animation.
getURL() getURL problems getURL( “ javascript: alert(1)” )
HTML Text Area If HTML enabled in the textareas and if the data loaded up dynamically http://example.com/XSS/riaac3.swf?_Ghtml=<img%20src=&quot;javascript:alert(1)//.jpg&quot;>
LoadClip, xml.load Are external resources secure? Hardly coded or configuration files coming from a secure place? You should check for configuration location and should not this from the user input.
Flash usage in highly security required systems Why it can be a problem? Increased attack surface
Sum it up! You should limit Flash’s JavaScript access while embedding external Flash files.
Sum it Up! Loaded configurations should be coming from trusted domains, Loaded external resources should be coming from trusted domains.
Sum it Up! When you are using Htmltext be sure that loaded data is sanitised and encoded.
References, Resources and Tools Flashsec Wiki OWASP – Finding Vulnerabilities in Flash Applications SWFIntruder Flare and similar decompiler s
Thanks ...

More Related Content

PDF
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
byTrivadis
 
PPT
Why You Need A Web Application Firewall
byPort80 Software
 
PDF
Web Development Security
byRafael Monteiro
 
PDF
Benefits of Web Application Firewall
bydavidjohnrace
 
PDF
Content Security Policy - Lessons learned at Yahoo
byBinu Ramakrishnan
 
PPTX
ZeroNights2013 testing of password policy
byAnton Dedov
 
PPTX
Web Application Security
byNelsan Ellis
 
PPTX
Devouring Security XML Attack surface and Defences
bygmaran23
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
byTrivadis
 
Why You Need A Web Application Firewall
byPort80 Software
 
Web Development Security
byRafael Monteiro
 
Benefits of Web Application Firewall
bydavidjohnrace
 
Content Security Policy - Lessons learned at Yahoo
byBinu Ramakrishnan
 
ZeroNights2013 testing of password policy
byAnton Dedov
 
Web Application Security
byNelsan Ellis
 
Devouring Security XML Attack surface and Defences
bygmaran23
 

What's hot

KEY
mod_security introduction at study2study #3
byNaoya Nakazawa
 
PPT
OWASP Serbia - A3 broken authentication and session management
byNikola Milosevic
 
PPTX
Application Security - Myth or Fact Slides
bydfgrumpy
 
PPTX
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
byElsner Technologies Pvt Ltd
 
PDF
QualysGuard InfoDay 2013 - Web Application Firewall
byRisk Analysis Consultants, s.r.o.
 
PDF
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
byAnant Shrivastava
 
PPTX
Don't get stung - an introduction to the OWASP Top 10
byBarry Dorrans
 
PDF
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
PPTX
Secure HTTP Headers c0c0n 2011 Akash Mahajan
byAkash Mahajan
 
PDF
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
PPTX
Chapter1:information security overview
byDr.Sami Khiami
 
PPTX
Spring Security
byBoy Tech
 
PDF
Cyber security considerations for Small and Medium Businesses
byebusinessmantra
 
PDF
[OWASP Poland Day] OWASP for testing mobile applications
byOWASP
 
PPTX
Spring security
bySaurabh Sharma
 
PPT
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
PDF
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
byAcodez IT Solutions
 
PPTX
[OWASP Poland Day] Application security - daily questions & answers
byOWASP
 
PDF
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
byAnant Shrivastava
 
mod_security introduction at study2study #3
byNaoya Nakazawa
 
OWASP Serbia - A3 broken authentication and session management
byNikola Milosevic
 
Application Security - Myth or Fact Slides
bydfgrumpy
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
byElsner Technologies Pvt Ltd
 
QualysGuard InfoDay 2013 - Web Application Firewall
byRisk Analysis Consultants, s.r.o.
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
byAnant Shrivastava
 
Don't get stung - an introduction to the OWASP Top 10
byBarry Dorrans
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
byAkash Mahajan
 
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
Chapter1:information security overview
byDr.Sami Khiami
 
Spring Security
byBoy Tech
 
Cyber security considerations for Small and Medium Businesses
byebusinessmantra
 
[OWASP Poland Day] OWASP for testing mobile applications
byOWASP
 
Spring security
bySaurabh Sharma
 
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
byAcodez IT Solutions
 
[OWASP Poland Day] Application security - daily questions & answers
byOWASP
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
byAnant Shrivastava
 

Similar to Flash Security

PPT
Flash Security, OWASP Chennai
bylavakumark
 
PPTX
Top security threats to Flash/Flex applications and how to avoid them
byElad Elrom
 
PDF
Flashack
byn|u - The Open Security Community
 
PPT
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
byguestb0af15
 
PDF
FIRM: Capability-based Inline Mediation of Flash Behaviors
byEMC
 
PPT
Web Application Security
byChris Hillman
 
PPTX
Cross Domain Hijacking - File Upload Vulnerability
byRonan Dunne, CEH, SSCP
 
PDF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
byMark Stanton
 
PPT
Hacking The World With Flash
byjoepangus
 
PPT
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
PDF
The old is new, again. CVE-2011-2461 is back!
byLuca Carettoni
 
PDF
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
PPT
Intro to Web Application Security
byRob Ragan
 
PDF
Ajax Security
byJoe Walker
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
PDF
Analysis of web application worms and viruses
byUltraUploader
 
PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PPT
(In)Secure Ajax-Y Websites With PHP
bychw
 
PPT
gofortution
bygofortution
 
PDF
C01461422
byIOSR Journals
 
Flash Security, OWASP Chennai
bylavakumark
 
Top security threats to Flash/Flex applications and how to avoid them
byElad Elrom
 
Flashack
byn|u - The Open Security Community
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
byguestb0af15
 
FIRM: Capability-based Inline Mediation of Flash Behaviors
byEMC
 
Web Application Security
byChris Hillman
 
Cross Domain Hijacking - File Upload Vulnerability
byRonan Dunne, CEH, SSCP
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
byMark Stanton
 
Hacking The World With Flash
byjoepangus
 
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
The old is new, again. CVE-2011-2461 is back!
byLuca Carettoni
 
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
Intro to Web Application Security
byRob Ragan
 
Ajax Security
byJoe Walker
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
Analysis of web application worms and viruses
byUltraUploader
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
(In)Secure Ajax-Y Websites With PHP
bychw
 
gofortution
bygofortution
 
C01461422
byIOSR Journals
 

More from Ferruh Mavituna

PDF
One Click Ownage Ferruh Mavituna (3)
byFerruh Mavituna
 
PPSX
Web Tarayıcılarının Evrimi
byFerruh Mavituna
 
PPTX
One Click Ownage
byFerruh Mavituna
 
PPTX
5 Dakkada Beşiktaş
byFerruh Mavituna
 
PDF
One Click Ownage
byFerruh Mavituna
 
PDF
One Click Ownage
byFerruh Mavituna
 
PPS
Insecure Trends in Web 2.0
byFerruh Mavituna
 
PDF
DoS Attacks Using Sql Wildcards
byFerruh Mavituna
 
PDF
XSS Tunnelling
byFerruh Mavituna
 
PPT
Guvenli Flash Uygulamalari
byFerruh Mavituna
 
PPT
Web 2.0 Guvenlik Trendleri
byFerruh Mavituna
 
PPT
How To Detect Xss
byFerruh Mavituna
 
One Click Ownage Ferruh Mavituna (3)
byFerruh Mavituna
 
Web Tarayıcılarının Evrimi
byFerruh Mavituna
 
One Click Ownage
byFerruh Mavituna
 
5 Dakkada Beşiktaş
byFerruh Mavituna
 
One Click Ownage
byFerruh Mavituna
 
One Click Ownage
byFerruh Mavituna
 
Insecure Trends in Web 2.0
byFerruh Mavituna
 
DoS Attacks Using Sql Wildcards
byFerruh Mavituna
 
XSS Tunnelling
byFerruh Mavituna
 
Guvenli Flash Uygulamalari
byFerruh Mavituna
 
Web 2.0 Guvenlik Trendleri
byFerruh Mavituna
 
How To Detect Xss
byFerruh Mavituna
 

Recently uploaded

PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PPTX
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 

Flash Security

  • 1.
    Attacking and defendingFlash Applications
  • 2.
    Flash SecurityI’ll talk about; RIA, Web 2.0 and Security What is Crossdomain.xml? Why does it exist? Only problem about Flash : XSS XSS and Impact of XSS Attacks Attack Surface of Flash Applications   Global Parameters   External Resources Same-origin Policy and Flash Embedding High Security Required Applications and Flash Not going to talk about these, at least not today; Server-side Flash Security Attacking users via Flash Flash Vulnerabilities
  • 3.
    RIA, Web 2.0and Security Complexity is the worst enemy of security Every new component in the browser is a new threat AJAX, Silverlight, AIR, Flash, Java, Myspace Upload ActiveX etc. All of these are potential security problems. Every new technology comes with new style of development and it takes time to have secure “best practices”.
  • 4.
    Crossdomain.xml & Same-OriginPolicy Same-Origin Policy Why Cross-domain access is a bad thing? Examples ... Cookie, XMLHTTP Requests, Javascript etc. Flash and Crossdomain.xml
  • 5.
    A Quite NaïveCrossdomain.xml File <cross-domain-policy>     <allow-access-from domain=&quot;*&quot; secure=&quot;false&quot;/> </cross-domain-policy>
  • 6.
    Demo Stealing informationvia Flash by exploiting Crossdomain.xml trust. http: //e xamplebank.com http://attacker.com/
  • 7.
    XSS Tunnelling? TunnellingHTTP tarffic through XSS channels. Allows to bypassing IP Restrictions, VPN, basic auth etc.
  • 8.
    Attack Surface ofFlash Global Parameters Flashvars Querystring LoadVars Configuration Files Dynamically loaded Flash Animations
  • 9.
    Global ParameterModification Who are these global parameter s? _root. _global. _level0.
  • 10.
    Flash Embedding LimitFlash file’s access by setting Allowscriptaccess attribute to “noaccess” while embedding an external Flash animation.
  • 11.
    getURL() getURL problems getURL( “ javascript: alert(1)” )
  • 12.
    HTML Text AreaIf HTML enabled in the textareas and if the data loaded up dynamically http://example.com/XSS/riaac3.swf?_Ghtml=<img%20src=&quot;javascript:alert(1)//.jpg&quot;>
  • 13.
    LoadClip, xml.load Areexternal resources secure? Hardly coded or configuration files coming from a secure place? You should check for configuration location and should not this from the user input.
  • 14.
    Flash usage inhighly security required systems Why it can be a problem? Increased attack surface
  • 15.
    Sum it up!You should limit Flash’s JavaScript access while embedding external Flash files.
  • 16.
    Sum it Up!Loaded configurations should be coming from trusted domains, Loaded external resources should be coming from trusted domains.
  • 17.
    Sum it Up!When you are using Htmltext be sure that loaded data is sanitised and encoded.
  • 18.
    References, Resources andTools Flashsec Wiki OWASP – Finding Vulnerabilities in Flash Applications SWFIntruder Flare and similar decompiler s
  • 19.