FlasHack
Exploiting Flash Applications
Abir Banerjee
n|u Bangalore – 14 June 2014
References
• https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
• https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004)
• http://blog.watchfire.com/FPI.pdf
• http://habrahabr.ru/post/182706/
• http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt
• http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf
• http://sethsec.blogspot.in/2014/03/exploiting-misconfigured-crossdomainxml.html
• http://gursevkalra.blogspot.in/2013/08/bypassing-same-origin-policy-with-flash.html
• http://www.andlabs.org/presentations/Test_Security_Flash.pdf
• http://www.securityfocus.com/archive/1/441014/30/0/threaded
Introduction to Flash
• Multimedia software platform that brought graphics, animation, games and many Rich Internet Applications (RIAs) to the Web; the content is viewed, played and executed in Adobe Flash Player
• Flex -> cousin of Flash that uses AS3 and helps build complex, flexible business logic; used especially for Rich Internet Applications
• Browsers need a Flash plugin to play Flash executable files (SWF) embedded in web pages
• Flash applications are programmed in an object-oriented language called ActionScript 2.0 / 3.0
Flash Myth?
• Flash is outdated, dead, attacks don't work… etc. Is it true?
• It will exist as long as browsers support it!
• The majority of attacks are due to programming flaws
Flash Application Security Concerns
• JavaScript execution is possible in Flash
• Flash can be used to forge HTTP Headers
• Exploiting Cross Domain policy misconfiguration
• Flash + Clickjacking -> Leveraging for Camjacking !
• It can execute External Flash Movies
• Flash can be Decompiled easily
Vulnerabilities in Flash
Client Side Vulnerabilities
• Cross-Site Scripting via Flash
• Potentially Dangerous Native Functions (PDNF)
• Cross-Site Flashing
• Abusing HTTP Headers & Cross Domain Policies
• Decompilation & Sensitive Data Storage
Server Side Vulnerabilities
• ActionScript Message Format (AMF) Tampering
• Remote Calls, Service Enumeration, Injection etc.
Decompiling Flash
• SWF files are interpreted by a virtual machine embedded in the player itself.
Decompilers
• HP SwfScan
• Flare
• Jpex Free Flash Decompiler
• Sothink Decompiler
• Flash Decompiler Trillix
Impact
• A SWF can be decompiled easily and analyzed for insecure programming and hard-coded credentials
Mitigation
• Sanitize user input and avoid hard-coding data
• Use obfuscation as a deterrent
Cross-Site Scripting (XSS)
• A Flash SWF can access the DOM of its host page, depending on the access policy
• A Flash SWF can modify the DOM of its host page
Impact
• XSS on the host DOM, causing malicious script execution
Mitigation
• Sanitize user input
XSS Continued…
_global and _root objects
• Attributes of the _global and _root objects are referenced as:
_root.variableName
_global.variableName
• FlashVars, injection into HTML text fields
• Unsafe methods
What is the Problem?
• If variables are not initialized, they can be initialized from the query string
• Usage of insecure functions
• Unsanitized input
Exploitation
• Unsafe methods take a URL as an argument -> they can be invoked from the query string
• HTML text injection
Typical payload –
http://victim.com/victim.swf?asfunction:getURL,javascript:evilcode
Cross-Site Flashing
• Cross-Site Flashing (XSF) occurs when one SWF or movie loads another SWF or movie
• It is performed by forcing a flawed SWF to load an external, attacker-controlled Flash file
• XSF is also possible in the presence of Flash HTML injection, or with external SWF files when the loadMovie* methods are used
Impact
• The attack can lead to phishing or to loading malicious files
Mitigation
• Initialize variables and sanitize user input
• Use strict cross-domain policies
• If not required, don't allow an external SWF to be run as _level0
Potentially Dangerous Native Function (PDNF)
Vulnerable Functions in ActionScript 2.0
• getURL()
• loadMovie()
• loadMovieNum()
• LoadVars.load()
• LoadVars.send()
• FScrollPane.loadScrollContent()
• Sound.loadSound()
• NetStream.play()
• XML.load()
What’s the Problem?
• All of these functions take a URL as an input parameter
Mitigation
• Initialize Variables and Sanitize user input
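The "initialize, then sanitize" check that a movie should apply to any query-string or FlashVars value before handing it to one of the URL-taking functions above (and that would have stopped the asfunction: payload on the XSS slide). This is an added example, not code from the deck; it is written in Python so it runs standalone, and the parameter names, allowlisted hosts and default URL are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed allowlist and default for a hypothetical movie. In the SWF these
# would be the hosts the movie is actually meant to load content from.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
DEFAULT_URL = "https://www.example.com/default.swf"
# Hypothetical FlashVars names that the movie passes to getURL()/loadMovie().
URL_PARAMS = ("target", "movie", "dataUrl")


def safe_url(value):
    """Return a URL that is safe to hand to a URL-taking native function.

    Initialize: an absent or empty value becomes DEFAULT_URL instead of staying
    undefined (an undefined _root variable is what the query string can seed).
    Sanitize: only http(s) URLs on allowlisted hosts pass; asfunction: and
    javascript: pseudo-URLs, protocol-relative URLs, userinfo tricks and
    look-alike hosts all fall back to the default.
    """
    if not value:
        return DEFAULT_URL
    candidate = value.strip()
    parts = urlsplit(candidate)
    # urlsplit lower-cases the scheme, so "JavaScript:" is still caught.
    if parts.scheme not in ALLOWED_SCHEMES:
        return DEFAULT_URL
    # "http://evil.example@www.example.com/" has an allowlisted hostname but a
    # misleading userinfo part; reject userinfo outright.
    if parts.username or parts.password:
        return DEFAULT_URL
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_URL
    return candidate


def init_flashvars(query):
    """Build the movie's URL variables from a query string so that every one
    of them is defined and validated before any native function sees it."""
    raw = dict(parse_qsl(query, keep_blank_values=True))
    return {name: safe_url(raw.get(name)) for name in URL_PARAMS}
```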
Abusing HTTP Headers
• Flash can send forged HTTP headers, which enables header injection vulnerabilities
How to use it?
• The following ActionScript 2.0 syntax sends a GET request to a victim site, say http://www.victim.com/page.php?p1=a&p2=b, with an arbitrary header (Expect: <script>alert(1)</script>)
For GET Request
var req:LoadVars = new LoadVars();
req.addRequestHeader("Expect", "<script>alert(1)</script>");
req.send("http://www.victim.com/page.php?p1=a&p2=b", "_blank", "GET");
For POST Request
var req:LoadVars = new LoadVars();
req.addRequestHeader("Expect", "<script>alert(1)</script>");
req.decode("a=b&c=d"); // variables that become the POST body
req.send("http://www.victim.com/page.php?p1=a&p2=b", "_blank", "POST");
• The request is sent by the browser hosting the Flash object, so any cookies the browser would normally send are sent in these cases as well, along with the browser's User-Agent and all standard browser headers. HTTPS links are supported.
Cross Domain Access Policies
• Crossdomain.xml - a policy file that allows SWF files from external domains to make HTTP calls to your domain
Sample Crossdomain.xml file
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for mysite.com -->
<cross-domain-policy>
<!-- This is a master-policy file -->
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="www.example.com" secure="true" />
<allow-access-from domain="*.example.com" />
</cross-domain-policy>
Good Crossdomain.xml file
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for mysite.com -->
<cross-domain-policy>
<!-- This is a master-policy file -->
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="www.example.com" secure="true" />
<allow-access-from domain="*.example.com" />
</cross-domain-policy>
Bad Crossdomain.xml file
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for mysite.com -->
<cross-domain-policy>
<!-- This is a master-policy file -->
<site-control permitted-cross-domain-policies="*"/>
<allow-access-from domain="*"/>
</cross-domain-policy>
Threat – if user A is logged in to www.abc.com and then visits www.def.com, where a malicious SWF is loaded, that SWF can access user A's data on www.abc.com (the requests carry A's cookies)
Mitigation – never use "*"
Cross Domain Access Policies
AllowScriptAccess
<object id='MyMovie.swf' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'
codebase='http://download.adobe.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0' height='100%' width='100%'>
<param name='allowScriptAccess' value='sameDomain'/>
<param name='src' value='MyMovie.swf'/>
<embed name='MyMovie.swf' pluginspage='/go/getflashplayer' src='MyMovie.swf' height='100%' width='100%' allowScriptAccess='sameDomain'/>
</object>
Mitigation
Do NOT use allowScriptAccess='*'
Cross Domain Access Policies
LocalConnection – used for inter-process communication between Flash movies
One Flash file can call methods of another Flash file even if they come from different domains
Access control is enforced using the LocalConnection.allowDomain() method
Mitigation
• Do NOT use LocalConnection.allowDomain('*'), as it allows SWF files from all domains
Cross Domain Access Policies
Security.allowDomain()
Normally a SWF loaded from www.a.com cannot access the variables, objects, properties and methods of a SWF loaded from www.b.com, but Security.allowDomain() can be used to bypass this security restriction.
The HTTP to HTTPS restriction can be overcome using System.security.allowInsecureDomain() - BAD IDEA!!
System.security.allowDomain("*") – BAD IDEA!!
Cross Domain Access Policies
Camjacking
• Camjacking refers to hijacking the webcam using clickjacking in Flash
Thank You
Questions or Feedback?