SlideShare a Scribd company logo

Flash Security

Download as PPS, PDF
Ferruh Mavituna
Ferruh Mavituna

This document discusses security issues related to Flash applications and cross-domain access. It covers how the crossdomain.xml file controls cross-domain access and demonstrates how this can be exploited. Attack surfaces like global parameters, external resources, and HTML text areas are described. The document recommends limiting JavaScript access in embedded Flash, ensuring configurations and external resources come from trusted domains, and sanitizing data in HTML text areas.

Related slideshows

mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
Application Security - Myth or Fact Slides
Application Security - Myth or Fact SlidesApplication Security - Myth or Fact Slides
Application Security - Myth or Fact Slides
 
1 of 19
Attacking and defending Flash Applications
Flash Security I’ll talk about; RIA, Web 2.0 and Security What is Crossdomain.xml? Why does it exist? Only problem about Flash : XSS XSS and Impact of XSS Attacks Attack Surface of Flash Applications   Global Parameters   External Resources Same-origin Policy and Flash Embedding High Security Required Applications and Flash Not going to talk about these, at least not today; Server-side Flash Security Attacking users via Flash Flash Vulnerabilities
RIA, Web 2.0 and Security Complexity is the worst enemy of security Every new component in the browser is a new threat AJAX, Silverlight, AIR, Flash, Java, Myspace Upload ActiveX etc. All of these are potential security problems. Every new technology comes with new style of development and it takes time to have secure “best practices”.
Crossdomain.xml & Same-Origin Policy Same-Origin Policy Why Cross-domain access is a bad thing? Examples ... Cookie, XMLHTTP Requests, Javascript etc. Flash and Crossdomain.xml
A Quite Naïve Crossdomain.xml File <cross-domain-policy>     <allow-access-from domain=&quot;*&quot; secure=&quot;false&quot;/> </cross-domain-policy>
Demo Stealing information via Flash by exploiting Crossdomain.xml trust. http: //e xamplebank.com http://attacker.com/
XSS Tunnelling? Tunnelling HTTP tarffic through XSS channels. Allows to bypassing IP Restrictions, VPN, basic auth etc.
Attack Surface of Flash Global Parameters Flashvars Querystring LoadVars Configuration Files Dynamically loaded Flash Animations
Global Parameter Modification Who are these global parameter s? _root. _global. _level0.
Flash Embedding Limit Flash file’s access by setting Allowscriptaccess attribute to “noaccess” while embedding an external Flash animation.
getURL() getURL problems getURL( “ javascript: alert(1)” )
HTML Text Area If HTML enabled in the textareas and if the data loaded up dynamically http://example.com/XSS/riaac3.swf?_Ghtml=<img%20src=&quot;javascript:alert(1)//.jpg&quot;>
LoadClip, xml.load Are external resources secure? Hardly coded or configuration files coming from a secure place? You should check for configuration location and should not this from the user input.
Flash usage in highly security required systems Why it can be a problem? Increased attack surface
Sum it up! You should limit Flash’s JavaScript access while embedding external Flash files.
Sum it Up! Loaded configurations should be coming from trusted domains, Loaded external resources should be coming from trusted domains.
Sum it Up! When you are using Htmltext be sure that loaded data is sanitised and encoded.
References, Resources and Tools Flashsec Wiki OWASP – Finding Vulnerabilities in Flash Applications SWFIntruder Flare and similar decompiler s
Thanks ...

More Related Content

Flash Security

  • 1. Attacking and defending Flash Applications
  • 2. Flash Security I’ll talk about; RIA, Web 2.0 and Security What is Crossdomain.xml? Why does it exist? Only problem about Flash : XSS XSS and Impact of XSS Attacks Attack Surface of Flash Applications   Global Parameters   External Resources Same-origin Policy and Flash Embedding High Security Required Applications and Flash Not going to talk about these, at least not today; Server-side Flash Security Attacking users via Flash Flash Vulnerabilities
  • 3. RIA, Web 2.0 and Security Complexity is the worst enemy of security Every new component in the browser is a new threat AJAX, Silverlight, AIR, Flash, Java, Myspace Upload ActiveX etc. All of these are potential security problems. Every new technology comes with new style of development and it takes time to have secure “best practices”.
  • 4. Crossdomain.xml & Same-Origin Policy Same-Origin Policy Why Cross-domain access is a bad thing? Examples ... Cookie, XMLHTTP Requests, Javascript etc. Flash and Crossdomain.xml
  • 5. A Quite Naïve Crossdomain.xml File <cross-domain-policy>     <allow-access-from domain=&quot;*&quot; secure=&quot;false&quot;/> </cross-domain-policy>
  • 6. Demo Stealing information via Flash by exploiting Crossdomain.xml trust. http: //e xamplebank.com http://attacker.com/
  • 7. XSS Tunnelling? Tunnelling HTTP tarffic through XSS channels. Allows to bypassing IP Restrictions, VPN, basic auth etc.
  • 8. Attack Surface of Flash Global Parameters Flashvars Querystring LoadVars Configuration Files Dynamically loaded Flash Animations
  • 9. Global Parameter Modification Who are these global parameter s? _root. _global. _level0.
  • 10. Flash Embedding Limit Flash file’s access by setting Allowscriptaccess attribute to “noaccess” while embedding an external Flash animation.
  • 11. getURL() getURL problems getURL( “ javascript: alert(1)” )
  • 12. HTML Text Area If HTML enabled in the textareas and if the data loaded up dynamically http://example.com/XSS/riaac3.swf?_Ghtml=<img%20src=&quot;javascript:alert(1)//.jpg&quot;>
  • 13. LoadClip, xml.load Are external resources secure? Hardly coded or configuration files coming from a secure place? You should check for configuration location and should not this from the user input.
  • 14. Flash usage in highly security required systems Why it can be a problem? Increased attack surface
  • 15. Sum it up! You should limit Flash’s JavaScript access while embedding external Flash files.
  • 16. Sum it Up! Loaded configurations should be coming from trusted domains, Loaded external resources should be coming from trusted domains.
  • 17. Sum it Up! When you are using Htmltext be sure that loaded data is sanitised and encoded.
  • 18. References, Resources and Tools Flashsec Wiki OWASP – Finding Vulnerabilities in Flash Applications SWFIntruder Flare and similar decompiler s