Security Thoughts


Friday, May 18, 2007, 17:19

Owasp Conference and Flash Application Testing.

App Sec 2007 Owasp Conference was a great event.
I did a presentation about Flash Application Security.

It describes how Flash applications are not so secure: as with every technology, ActionScript has its own bad coding practices, which could lead to a Flash application being abused to generate XSS and a new attack vector called Cross Site Flashing.

Abstract
Download the slides in PDF or in SWF :)

Note: As the slides themselves are not always self-explanatory, I'll try to publish some more comprehensive details in the next blog entries.

The Best is yet to come...
Stay Tuned.

Comments:

leiolay, Tuesday, May 22, 2007, 19:46

Stefano,

A wonderful presentation. Great work!

I would really like to know the vulnerabilities of Flash applications written in AS 3, i.e. which ones from AS 2 still apply and which are new to AS 3.

 

Stefano, Tuesday, May 22, 2007, 20:04

Thank you leiolay.

I think the problem with global variables will be the same, as the internal model has not changed.
Of course there are new Potentially Dangerous Native Functions which have been introduced with AS3.
Anyway, some fix in the next version of the Flash plugin will probably mitigate the risk.

 

Axel, Wednesday, May 23, 2007, 21:25

You could limit this with a crossdomain.xml policy file.

 

Daniele, Thursday, May 24, 2007, 14:30

Your research is interesting. I will look at it carefully soon.

 

Stefano, Saturday, May 26, 2007, 16:47

Axel,
crossdomain.xml is for external requests only.

There are some flaws in the way ActionScript is implemented, which don't need crossdomain.xml at all.
All the attacks described in the presentation could be accomplished without the need for a crossdomain.xml file.

For example, think about an htmlText with a user-controlled parameter.
An attacker could inject code without the Flash interpreter asking for the crossdomain.xml file.
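A reviewer-side check for the pattern in the reply above, as an added example that is not part of the original post and is not the author's testing tool: a small Python pass over decompiled ActionScript 2 source that flags `htmlText` assignments and `getURL` calls fed by externally settable variables. It assumes such parameters are read through `_root`, `_level0` or `_global`; the `escapeHtml` helper name and the sample script are constructed for illustration.

```python
import re

# Assumption: in AS2, query-string / FlashVars parameters surface as
# timeline or global variables read through these prefixes.
SOURCE = re.compile(r"\b(?:_root|_level0|_global)\.\w+")
# Simple local assignment: "var name = expr" or "name = expr".
ASSIGN = re.compile(r"^\s*(?:var\s+)?(\w+)(?:\s*:\s*\w+)?\s*=(?!=)\s*(.+)$")
# Sinks named on this page.
SINKS = {
    "htmlText": re.compile(r"\.htmlText\s*=(?!=)\s*(.+)$"),
    "getURL": re.compile(r"\bgetURL\s*\((.+)$"),
}
SANITIZER = re.compile(r"\bescapeHtml\s*\(")  # hypothetical escaping helper


def is_tainted(expr, tainted):
    """Heuristic: any sanitizer call in the expression is trusted as a whole."""
    if SANITIZER.search(expr):
        return False
    if SOURCE.search(expr):
        return True
    return any(re.search(r"\b%s\b" % re.escape(n), expr) for n in tainted)


def scan(source):
    """Return (line number, sink) pairs where a sink receives tainted data."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):
            continue
        hits = [(s, p.search(line)) for s, p in SINKS.items()]
        hits = [(s, m) for s, m in hits if m]
        for sink, m in hits:
            if is_tainted(m.group(1), tainted):
                findings.append((lineno, sink))
        m = None if hits else ASSIGN.match(line)
        if m:  # propagate or clear taint on a local variable
            name, expr = m.groups()
            if is_tainted(expr, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
    return findings


# Constructed ActionScript 2 sample, not taken from the presentation.
SAMPLE = '''\
// constructed sample
var title = _root.title;
var safe = escapeHtml(_root.title);
banner.html = true;
banner.htmlText = "<b>" + title + "</b>";
footer.htmlText = "<i>" + safe + "</i>";
getURL(_root.clickTag, "_blank");
getURL("http://example.com/help", "_blank");
'''
```

`scan(SAMPLE)` reports lines 5 and 7; the check is line-based and heuristic, so a clean result is not proof that a file is safe.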

 

Martin, Tuesday, June 26, 2007, 16:01

great presentation, thanks!

I see different behaviour of MSIE7 and Firefox browsers if the swf file is loaded directly (not using embed/object). Example:

http://websec.cz/flash/xsf.html

(it was not possible to put there the long url directly)

For MSIE7 there is a permission denied error for the getURL("javascript:..") call from the xss.swf file. Do you know why?

 

Stefano, Tuesday, June 26, 2007, 17:11

Martin,
it seems that MSIE7 has some kind of setting which fires a 'permission denied' if you try to access the document object in the auto-generated HTML.

But, I've seen that:

1. The Window object is accessible.
2. If you try to reload the swf by pressing Ctrl+R, the check is bypassed (it probably has something to do with the local cache).
...so I think there could be some hack to unlock the document object with a little bit of further research.

Thanks

 

eDs Babu, Friday, June 29, 2007, 03:37

I like it a lot! Nice site, I will bookmark!

 

fukami, Friday, June 29, 2007, 18:57

@leiolay: Some vectors are gone in AS3, i.e. getURL is replaced by a flash.net.URLRequest (which behaves differently). But AS3 is capable of using sockets, which is something Stefano describes with the fancy acronym "PDNF" :)

 

Tom, Monday, November 26, 2007, 18:40

Stefano,

Great presentation. During your talk, you used a tool that looked like it would really speed up the process of testing a Flash application. I thought I heard you say that you were planning on releasing it for others to use. Are you still planning on releasing the tool? Where could I find it?

 

Stefano, Monday, November 26, 2007, 19:08

Tom,
Thank you very much.
Yes I'm planning to release it this week.
I want to give you all the useful features I think a tester would need.
Sorry, I didn't blog about it, but ASAP I'll spam all related mailing lists :)

 

Ronald, Sunday, March 28, 2010, 16:55

Here I found some steps to secure flash applications while developing and minimize security problems. I hope it helps all

http://tinyurl.com/yky6st6

 

Wisec is written and maintained by Stefano Di Paola.
