The document discusses vulnerabilities in Flash applications. It begins by introducing Flash and explaining that while some claim it is outdated, it still poses security risks due to programming flaws. Several types of vulnerabilities are then outlined, including cross-site scripting, cross-domain policy misconfigurations, decompilation risks revealing sensitive data, and abuse of functions like getURL() that allow external code execution. Methods of exploiting these vulnerabilities are explained, along with mitigations like sanitizing inputs and using strict cross-domain policies. The document concludes by mentioning additional risks like camjacking through clickjacking.

1. asHack
Exploiting Flash Applications
Abir Banerjee
n|u Bangalore – 14 June 2014

2. References
• https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
• https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-
DV-004)
• http://blog.watchfire.com/FPI.pdf
• http://habrahabr.ru/post/182706/
• http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashA
pplications.ppt
• http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf
• http://sethsec.blogspot.in/2014/03/exploiting-misconfigured-
crossdomainxml.html
• http://gursevkalra.blogspot.in/2013/08/bypassing-same-origin-policy-with-
flash.html
• http://www.andlabs.org/presentations/Test_Security_Flash.pdf
• http://www.securityfocus.com/archive/1/441014/30/0/threaded

3. Introduction to Flash
• Multimedia Software Platform which has provided the Web with
power of graphics, animation, games and many Rich Internet
Applications (RIAs) that can be viewed, played and executed in
Adobe Flash Player
• Flex -> Cousin of Flash which uses AS3 and helps in building
complex & flexible business logic especially used for Rich Internet
Applications
• Browsers require Flash Plugins to play Flash Executable Files (SWF)
embedded in web pages.
• Flash applications can be programmed using object-oriented
language called Action Script 2.0 / 3.0

4. Flash Myth?
• Flash is Outdated, Dead, Attacks don’t work…etc. Is it true?
• It will exist as long as browsers support it !
• Majority of the attacks are due to programming flaws

5. Flash Application Security Concerns
• JavaScript execution is possible in Flash
• Flash can be used to forge HTTP Headers
• Exploiting Cross Domain policy misconfiguration
• Flash + Clickjacking -> Leveraging for Camjacking !
• It can execute External Flash Movies
• Flash can be Decompiled easily

6. Vulnerabilities in Flash
Client Side Vulnerabilities
• Cross-Site Scripting via Flash
• Potentially Dangerous Native Functions (PDNF)
• Cross-Site Flashing
• Abusing HTTP Headers & Cross Domain Policies
• Decompilation & Sensitive Data Storage
Server Side Vulnerabilities
• ActionScript Message Format (AMF) Tampering
• Remote Calls, Service Enumeration, Injection etc.

7. Decompiling Flash
• SWF files are interpreted by a virtual machine embedded in the player itself.
Decompilers
• HP SwfScan
• Flare
• Jpex Free Flash Decompiler
• Sothink Decompiler
• Flash Decompiler Trillix
Impact
• It can be easily decompiled & analyzed for checking insecure programming, hard coded
credentials
Mitigation
• Sanitize user input, avoid hard coding of data,
• Use de-obfuscation as a deterrence

8. Cross-Site Scripting (XSS)
• A Flash SWF can access it’s host DOM depending on
access policy
• Flash SWF can modify the DOM of it’s host
Impact
• XSS attack on host DOM causing malicious script
execution
Mitigation
• Sanitize user input

9. XSS Continued…
_global and _root objects
• Attributes of _global and _root objects are represented as:
_root.variableName
_global.variableName
• Flashvars, Injection in HTML Text Fields
• Unsafe Methods
What is the Problem?
• If variables are undefined then they can be initialized
from the query string
• Usage of Insecure Functions
• Unsanitized Input
Exploitation
• Unsafe methods use URL as function -> can be called from query string
• HTML Test Injection-
Typical Payload –
http://victim.com/victim.swf?asfunction:getURL,javascript:evilcode

10. Cross-Site Flashing
• Cross-Site Flashing occurs when one SWF or movie loads another SWF or
movie
• It can be performed by forcing a flawed SWF to load an external evil flash
file.
• XSF can also be used in presence of Flash HTML Injection or external SWF
Files when loadMovie* methods are used.
Impact
• This attack can lead to Phishing Attacks or loading malicious files
Mitigation
• Initialize Variables & Sanitize user input
• Use Strict Cross Domain Policies
• If not required, don’t allow external swf to be run as _level 0

11. Potentially Dangerous Native Function (PDNF)
Vulnerable Functions in ActionScript 2.0
• getURL()
• loadMovie()
• loadMovieNum()
• LoadVars.load()
• LoadVars.send()
• FScrollPane.loadScrollContent()
• Sound.loadSound()
• NetStream.play()
• XML.load()
What’s the Problem?
• All of these functions take URL as an input parameter
Mitigation
• Initialize Variables and Sanitize user input

12. Abusing HTTP Headers
• Flash has capability of sending Forged HTTP headers thereby allowing Header Injection Vulnerabilities
How to use it?
• Following Syntax is for ActionScript 2.0 for sending GET request to victim site say
http://www.victim.com/page.php?p1=a&p2=b with an arbitrary header (Expect: <script>alert(1)</script>)
For GET Request
• var req:LoadVars=new LoadVars();
req.addRequestHeader(“Expect",“<script>alert(1)</script>");
req.send("http://www.victim.com/page.php?p1=a&p2=b",
"_blank","GET");
For POST Request
• var req:LoadVars=new LoadVars();
req.addRequestHeader(" Expect",“<script>alert(1)</script");
req.decode("a=b&c=d");
req.send(" http://www.victim.com/page.php?p1=a&p2=b ",
"_blank","POST");
• The request is sent from the browser invoking the Flash object.
Any cookies the browser normally sends, will be sent in those
cases as well. The browser's User-Agent is sent, as well as all
browser standard headers. HTTPS links are supported.

13. Cross Domain Access Policies
• Crossdomain.xml - a policy file that allows SWF files from external
domains to make HTTP calls to your domain
Sample Crossdomain.xml file
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for mysite.com -->
<cross-domain-policy>
<!-- This is a master-policy file -->
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="www.example.com" secure="true" />
<allow-access-from domain=“*.example.com“ />
</cross-domain-policy>

14. • Crossdomain.xml - a policy file that allows SWF files from external domains to make HTTP calls to your domain
Good Crossdomain.xml file
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for mysite.com -->
<cross-domain-policy>
<!-- This is a master-policy file -->
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="www.example.com" secure="true" />
<allow-access-from domain=“*.example.com“ />
</cross-domain-policy>
Bad Crossdomain.xml file
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for mysite.com -->
<cross-domain-policy>
<!-- This is a master-policy file -->
<site-control permitted-cross-domain-policies=“*"/>
<allow-access-from domain=“*"/>
</cross-domain-policy>
Threat –If user A is logged in on www.abc.com and user visits www.def.com and a Malicious SWF file is loaded there, it can access
your data on www.abc.com
Mitigation – Never use “*”
Cross Domain Access Policies

15. AllowScriptAccess
<object id='MyMovie.swf' classid='clsid:D27CDB6E-AE6D-11cf-96B8-
444553540000'
codebase='http://download.adobe.com/pub/shockwave/cabs/flash/swflash.
cab#version=9,0,0,0' height='100%' width='100%'>
<param name='allowScriptAccess' value=‘sameDomain'/>
OWASP
<param name='src' value=''MyMovie.swf'/>
<embed name='MyMovie.swf' pluginspage='/go/getflashplayer'
src='MyMovie.swf' height='100%' width='100%'
allowScriptAccess=‘sameDomain'/>
</object>
Mitigation
Do NOT use allowScriptAccess=‘*’
Cross Domain Access Policies

16. LocalConnection – Used for inter process communication
between flash
One Flash file can call methods of other flash file even if they are
from different domains
Access Control is enforced using-
LocalConnection.allowDomain() method
Mitigation
• Do NOT use LocalConnection.allowDomain(‘*’) as it allows
SWF files from all domain
Cross Domain Access Policies

17. Security.allowDomain()
Normally SWF loaded from www.a.com cannot access the variable,
objects, properties and methods of SWF loaded from www.b.com
but Security.allowDomain() can be used to bypass this security
restriction.
HTTP to HTTPS restriction can be overcome
using System.security.allowInsecureDomain() -
BAD IDEA!!
System.security.allowDomain("*") –
BAD IDEA!!
Cross Domain Access Policies

18. Camjacking
• Camjacking refers to hijacking of
Camera using clickjacking in Flash

19. Thank You
Questions or Feedback?