Top security threats to Flash/Flex applications and how to avoid them @EladElrom
@EladElrom
Senior Flash Engineer & Lead Technical Writer
FlashAndTheCity Organizer
Adobe Community Professional
Flash Sandbox: “The sandbox defines a limited space in which a Macromedia Flash movie running within the Macromedia Flash Player is allowed to operate. Its primary purpose is to ensure the integrity and security of the client’s machine, as well as the security of any Macromedia Flash movies running in the player.”
Intro slide from Deneb Meketa's security presentation at MAX
Decompiling and modifying swf file
Decompile. The concept of downloading Flash applications, decompiling them, modifying them, and then re-compiling them is one of the oldest and most used cross-scripting techniques out there. Hackers use programs such as the Sothink SWF Decompiler, which allows them to modify the SWF.
Decompile Flex apps. Not many developers are aware that these decompilers are now capable of decompiling Flex projects in addition to Flash applications. Let’s take a look at this simple example.
After the project is restored, you can import it back into Flash Builder and change it. A phishing attack is when an attacker tries to obtain a user’s sensitive information by impersonating a trustworthy entity.
Hacking a template site. As a second example, I went to one of these Flash template sites and used a Web proxy to extract the SWF URL and download the SWF file to my desktop, then decompiled it and opened it in Flash Professional.
Export to FLA
View .fla
Loading the Flash app SWF file into another project
Hackers gain access Slide from Deneb Meketa's security presentation at MAX
Change properties at runtime. Load a SWF belonging to a Flex project and then have the accessing application make changes to the accessed application. In the example below the accessing application gains access to the accessed application, and I was then able to change the text property on a label and even call a login service method. Create a new project.
Cross Domain Policy. At this point we are loading the accessed application from the same domain; however, if you place the accessed application and the accessing application on two separate domains and publish a cross-domain policy that allows access from any domain, as in the example below, it will still work.
Allow cross domain: who can access? HTTPS is used for encryption, for authenticating the user and for changing data. Avoid: allowInsecureDomain("*");
Identify requests with custom request headers to control what can be accessed. Socket policy options: All - any port; Master Only - port 843 only; none - no socket policy files allowed.
Allow ports: list of TCP and UDP port numbers, http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Attacker figures out application source code
Phishing for public methods. In this example we have access to the source code; however, in case the attacker does not have access to the source code, they can find it out in two ways. First, once the content is loaded we can place a breakpoint and see all the methods we have access to (see figure below).
Decompile accessed app. Second, using decompiling software, the attacker can decompile the accessed application and browse through its classes.
Accessing other domain through the accessed application
Similarly to the application I showed you previously, an attacker could load a SWF from a domain that has access to another domain and then make unauthorized service calls. For instance, let’s say that DomainA allows access to DomainB, as you can see from the cross-domain policy below.
Access SWF from another SWF
Security.allowDomain("*"): avoid global (wildcard) permissions!
Load SWF and access. The accessing application can load the SWF and access the service class to make an illegal call, and then retrieve the data. For instance, let’s assume that a site allows a certain authorized domain to make service calls but the API is not public. If the authorized domain holds a SWF that can be accessed, one can use that SWF to gain access to the API and make unauthorized service calls: this.content.document.service.send();
Code sample
How to avoid cross-scripting attacks
Solution #1: Set a restricted cross-domain policy that limits the domains that can access the application.
Solution #2: Use code obfuscation software such as secureSWF from Kindisoft (www.kindisoft.com/), which helps protect your ActionScript from Flash decompilers.
Solution #3: Avoid using the Security.allowDomain("*") method to permit access to all SWFs. Set only the ones you allow to access.
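The cross-domain policy slides above and Solution #1 describe the settings that decide who may load your application's data; as an added example (my own code, not from the slides), here is a small audit that reads a crossdomain.xml and flags the permissive settings discussed, including the secure="false" case on an HTTPS policy, which goes slightly beyond the slide's wildcard example. The two policy documents are constructed samples; the element and attribute names are the real crossdomain.xml ones.

```javascript
// Added example: audit a crossdomain.xml policy for the permissive settings the
// slides warn about. crossdomain.xml is flat, so a regular expression over its
// self-closing elements is enough to pull out the attributes we care about.

// Return the attributes of every `<tag ... />` element with the given name.
function elements(xml, tag) {
  const re = new RegExp('<' + tag + '\\b([^>]*?)/?>', 'g');
  const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
  const out = [];
  let m;
  while ((m = re.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1]] = a[2];
    out.push(attrs);
  }
  return out;
}

// Returns an array of findings (strings); an empty array means nothing was flagged.
// servedOverHttps says whether this is the policy served on the HTTPS origin, the
// only case in which secure="false" widens access.
function auditCrossDomainPolicy(xml, servedOverHttps) {
  const findings = [];
  for (const el of elements(xml, 'allow-access-from')) {
    const domain = el.domain || '';
    if (domain === '*') {
      findings.push('allow-access-from domain="*": any site may load this data');
    } else if (domain.startsWith('*.')) {
      findings.push('allow-access-from domain="' + domain + '": every subdomain is trusted');
    }
    if (servedOverHttps && el.secure === 'false') {
      findings.push('secure="false": SWFs loaded over plain HTTP may read HTTPS data');
    }
  }
  for (const el of elements(xml, 'allow-http-request-headers-from')) {
    if (el.domain === '*' && el.headers === '*') {
      findings.push('allow-http-request-headers-from: any domain may send any header');
    }
  }
  for (const el of elements(xml, 'site-control')) {
    if (el['permitted-cross-domain-policies'] === 'all') {
      findings.push('permitted-cross-domain-policies="all": policy files anywhere on the site are honoured');
    }
  }
  return findings;
}

// Constructed sample: the wide-open policy the slides tell you to avoid.
const PERMISSIVE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>`;

// Constructed sample: the same policy restricted to the one partner host that needs it.
const RESTRICTED_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.partner.example" secure="true"/>
  <allow-http-request-headers-from domain="www.partner.example" headers="SOAPAction"/>
</cross-domain-policy>`;

console.log('permissive:', auditCrossDomainPolicy(PERMISSIVE_POLICY, true));
console.log('restricted:', auditCrossDomainPolicy(RESTRICTED_POLICY, true));
```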
Cross-site scripting (XSS) vulnerability
What is XSS? The idea involves more than one site, and that’s where the name (cross-site) came from: a second site injects a script and can do anything it wants with the page. Examples?
Account theft - Attackers can grab cookie information, which can lead to account hijacking, since many cookies hold account information.
Change page content - Misleading the user into re-entering their information on a phony site, placing incorrect content, or reading the user’s cookies.
Vulnerability in Flex applications. Flash Player is not directly vulnerable to cross-site scripting, since the bytecode runs through the Virtual Machine (VM). However, Flash is often used on a page that includes other scripts, and your application may interact with other Web page elements; that can open a security hole when the Web page generates content dynamically without filtering it first. Attackers can then exploit your application to create an XSS attack.
Inbound/outbound Slide from Deneb Meketa's security presentation at MAX
Cross-Scripting attack to a WebPage from Flex
Simple application example
Hackers can redirect <script>alert('Test')</script> <script type="text/javascript">window.location = "http://www.google.com/"</script>
Malicious data injection
What’s malicious data injection? In cases where a Web page has permission to read from and write to another Web page, an attacker can abuse this to rewrite the Web page or redirect users from it to a phishing site. This type of attack is known as a malicious data injection attack, or script injection.
Flash malicious data injection attack. The attacker can inject data and create a cross-site scripting (XSS) attack, coding in ActionScript and using APIs such as ExternalInterface, navigateToURL or getURL. The attacker can then redirect the URL and even post JavaScript code that captures the user’s cookies with personal information.
Example. Let’s say we need a script to retrieve a parameter that was passed through the URL into the Flex application. As you know, you can pass variables using FlashVars and then use the following syntax in Flex 4 to read the parameter: FlexGlobals.topLevelApplication.parameters.name. However, in case you want to pass the parameters through the URL, you need to call the SWF directly, like so: MyApp.swf?name=Elad. My code allows me to read the parameter from the URL without calling the SWF directly.
How does it work? I am registering a JavaScript callback function called getParams, and once the user clicks on a button I call the JavaScript method getURLString, which retrieves the URL parameter and passes it back to the callback.
Example application
Hacker abuses loophole. Instead of ?name=Elad, I pass the following parameter: ?name=%3Cscript%3Ealert('Elad')%3C/script%3E
Cross-site scripting through navigation URLs
Attacking browser example. Attacking browser navigation URLs is a popular attack. Similar to the example I showed you in the "Malicious data injection" section, attackers can inject data through the URL. In addition to passing data through FlashVars, it's common to use deep linking to change the application state: the application takes parameters through the URL and then creates a link in the application.
History Management vulnerability in Flex 3
Flex 3 History Management. The same type of cross-site scripting we just showed you was found in the History Management feature, handled by historyFrame.html in Flex 3. The vulnerability occurs in code used by the History Management feature. If you use Flex 3 and its History Management features, you need to upgrade to at least the Flex 3.0.2 SDK Update, or just replace the HTML files with those from Flex 3.0.2.
How to avoid cross-scripting attacks
Whitelisting & blacklisting. The way to avoid most cross-scripting attacks is to sufficiently sanitize user-supplied data. This means applying the same best practices as an old-fashioned Web application and filtering the data the user enters, to ensure that it is in the proper format and contains only expected data. To avoid this type of vulnerability you can add code to your Flex/Flash application that strips HTML tags, tag attributes, values, JavaScript, CSS, HTML and URLs. You can take the whitelist or blacklist approach to validating the data. Whitelisting is preferred; however, whitelisting isn’t always possible, so blacklisting can be used.
allowScriptAccess
allowScriptAccess options Slide from Deneb Meketa's security presentation at MAX
Set allowScriptAccess correctly Slide from Deneb Meketa's security presentation at MAX
Find HTML tags
Use RegExp to avoid attacks. I am using the RegExpValidator component and passing it the RegExp "((3C)|<)". In case there is no match you’ll get: “field is invalid”. You can run all the RegExps and see whether you get zero results, which means that the expression was present. To read more, see the Symantec article: http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
Update Flash Player and the SDK often. Adobe is constantly working to fight attackers. For instance, in the upgrade to Flex SDK 3.4 Adobe solved the issue tracked as CVE-2009-1879, a cross-site scripting (XSS) vulnerability in index.template.html in SDK 3.3. When the installed Flash version was older than the specified requiredMajorVersion value, it allowed remote attackers to inject arbitrary Web script or HTML via the query string.
Common security on local builds: Flash Access, the Internet
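The getURLString/getParams exchange from the "Malicious data injection" example, the deep-link parameters from the navigation-URL section, and the whitelist/blacklist and RegExp slides all come down to one thing: validate a URL parameter on the host page before it reaches the SWF. The following is an added example of that host-page side (my own code, not from the slides): getURLString and getParams keep the names the slides use; the other function names, the whitelist pattern, and the SWF element passed in are my assumptions, and the tag-detection blacklist is adapted from the Symantec article cited above, reading the slide's "((3C)|<)" as the URL-encoded form of "<".

```javascript
// Added example: hardened host-page code for handing a URL parameter to Flash.

// Blacklist pattern for an HTML tag in raw or URL-encoded form (adapted from the
// Symantec article; %3C and %3E are the encoded "<" and ">").
const HTML_TAG_PATTERN = /((%3C)|<)((%2F)|\/)*[a-z0-9%]+((%3E)|>)/i;

// Whitelist for a display name (assumed format): letters, digits, space, ". _ -".
const NAME_WHITELIST = /^[A-Za-z0-9 ._-]{1,64}$/;

// Parse "?a=1&b=2" into an object with URL-decoded keys and values.
function parseQuery(search) {
  const params = {};
  const q = search.charAt(0) === '?' ? search.slice(1) : search;
  if (q === '') return params;
  for (const pair of q.split('&')) {
    const [k, v = ''] = pair.split('=');
    try {
      params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
    } catch (e) {
      // Malformed percent-encoding: drop the pair rather than pass garbage through.
    }
  }
  return params;
}

// Whitelist check: the value itself if it is a well-formed name, otherwise null.
function validateName(value) {
  return NAME_WHITELIST.test(value) ? value : null;
}

// Blacklist check, for free-text fields where a whitelist is not possible.
function looksLikeMarkup(value) {
  return HTML_TAG_PATTERN.test(value);
}

// Deep-link targets built from URL parameters: only http(s) URLs are accepted,
// so a javascript: or data: URL never reaches navigateToURL.
function validateLinkTarget(value) {
  try {
    const u = new URL(value);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Hardened version of the getURLString method from the slides. `search` is the
// query string (window.location.search in the page); returns the validated
// parameter or null instead of the raw string.
function getURLString(search, paramName) {
  const raw = parseQuery(search)[paramName];
  if (raw === undefined) return null;
  return validateName(raw);
}

// Host-page wiring: `swf` is the embedded SWF object (hypothetical) on which the
// getParams callback was registered with ExternalInterface. Only a validated
// value is passed into Flash; the caller gets back what was sent, or null.
function sendNameToFlash(swf, search) {
  const name = getURLString(search, 'name');
  if (name !== null) swf.getParams(name);
  return name;
}

// Constructed inputs: the benign and the injected parameter from the slides.
console.log(getURLString('?name=Elad', 'name'));
console.log(getURLString("?name=%3Cscript%3Ealert('Elad')%3C/script%3E", 'name'));
```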
Scaling API-first – The story of a global engineering organization
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Top security threats to Flash/Flex applications and how to avoid them

  • 1. Top security threats to Flash/Flex applications and how to avoid them @EladElrom
  • 7. Flash Sandbox “The sandbox defines a limited space in which a Macromedia Flash movie running within the Macromedia Flash Player is allowed to operate. Its primary purpose is to ensure the integrity and security of the client’s machine, as well as the security of any Macromedia Flash movies running in the player.”
  • 8. intro Slide from Deneb Meketa's security presentation at MAX
  • 10. Decompile The concept of downloading Flash applications, decompiling them, modifying them, and then re-compiling them is one of the oldest and most used cross-scripting techniques out there. Hackers use programs such as the Sothink SWF decompiler, which allows them to modify the swf.
  • 11. Decompile Flex Apps Not many developers are aware of the fact that these decompilers are now capable of decompiling Flex projects in addition to Flash applications. Let’s take a look at this simple example.
  • 12. After the project is restored, you can then import the project back into Flash Builder and change it. A phishing attack is when a hacker tries to obtain a user’s sensitive information by impersonating a trustworthy entity.
  • 13. Hacking a template site As a second example I went to one of these Flash template sites and used a web proxy to extract the swf URL, downloaded the swf file to my desktop, then decompiled it and opened it in Flash Professional.
  • 16. Loading the Flash app SWF file into another project
  • 17. Hackers gain access Slide from Deneb Meketa's security presentation at MAX
  • 18. Change properties on runtime Loading a swf file belonging to a Flex project and then having the accessing application make changes to the accessed application. In the example below the accessing application gains access to an application, and I was then able to change the text property on a label and even use a login service method. Create a new project.
  • 19. Cross Domain Policy At this point we are loading the accessed application from the same domain; however, if you place the accessed application and the accessing application on two separate domains and place a domain policy that allows accessing the domain from any domain, as in this example below, it will work.
  • 20. Allow cross domain: who can access? https is used for encryption and for authenticating the user, and cross-domain access can change data. Avoid: allowInsecureDomain("*");
  • 21. Id request w/ Custom request headers - control what can be accessed. Policy-file settings: All - any port; Master Only - port 843; none - no socket policy files allowed.
  • 22. Allow ports List of TCP and UDP port numbers http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
  • 23. Attacker figures out application source code
  • 24. Phishing for public methods In this example we have access to the source code; however, in case the attacker does not have access to the source code, they can find it out in two ways. Once the content is loaded we can actually place a break point and see all the methods we have access to, see figure below.
  • 25. Decompile accessed app Additionally, using decompiling software, the attacker can decompile the accessed application and browse through the classes.
  • 26. Accessing other domain through the accessed application
  • 27. Similarly to the application I showed you previously, an attacker could load a SWF from a domain that has access to other domains and then make unauthorized service calls. For instance, let’s say that DomainA allows access to DomainB, as you can see from the Cross Domain policy below: Access SWF from another SWF
  • 28. Security.allowDomain(“*”) Avoid global (wild card) permissions!
  • 29. Load SWF and access The accessing application can load the SWF and access the service class to make an illegal call, and then it can retrieve the data. For instance, let’s assume that a site allows a certain authorized domain to make service calls but the API is not public. If the authorized domain holds a SWF that can be accessed, one can use that SWF to gain access to the API and make unauthorized service calls. this.content.document.service.send();
  • 31. How to avoid cross-scripting attacks
  • 32. Solution #1 Setting a restricted cross-domain policy that limits the domains that can access the application
  • 33. Solution #2 Use code obfuscation software such as secureSWF from Kindisoft (www.kindisoft.com/), which helps you to protect your ActionScript from Flash decompilers.
  • 34. Solution #3 Avoid using the Security.allowDomain(“*”) method to permit access to all swfs. Name only the domains you allow access to.
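As an added example (not part of the original slides), here is what Solution #1 looks like as a crossdomain.xml master policy: the wildcard the slides warn about is shown commented out, and access is granted per named domain. The host names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!--
  The weak policy the slides warn about: any domain may load this site's data.
    <allow-access-from domain="*"/>
-->
<cross-domain-policy>
  <!-- Only this master file may grant permissions; policy files placed
       elsewhere on the site cannot widen access. -->
  <site-control permitted-cross-domain-policies="master-only"/>

  <!-- Name each accessing domain explicitly (placeholder hosts). With
       secure="true" only SWFs served over https may use this permission. -->
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="app.example.com" secure="true"/>

  <!-- Custom request headers are opt-in per domain as well. -->
  <allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>
</cross-domain-policy>
```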
  • 35. Cross-site scripting (XSS) vulnerability
  • 36. What is XSS? The idea is to involve more than one site, which is where the name (cross-site) comes from: a second site injects a script and can then do anything it wants with the page. Examples?
  • 37. Account theft Account theft - Attackers can grab cookie information, which can lead to account hijacking since many cookies hold account information.
  • 38. Change page content Changing content on a page - Misleading users into re-entering their information on a phony site, placing incorrect content, or reading users’ cookies.
  • 39. Vulnerability in Flex applications Flash Player is not vulnerable to cross scripting directly, since the byte-code is compiled and run through the Virtual Machine (VM). However, Flash is often used on a page that includes other scripts, and your application may interact with other web page elements. That can open a security hole when the web page generates content dynamically without filtering it first: attackers can exploit your application and create XSS.
  • 40. Inbound/outbound Slide from Deneb Meketa's security presentation at MAX
  • 41. Cross-Scripting attack to a WebPage from Flex
  • 43. Hackers can redirect <script>alert('Test')</script> <script type="text/javascript">window.location = "http://www.google.com/"</script>
  • 45. What’s Malicious data injection? In cases where a web page has permission to read from and write to another web page, an attacker can abuse this to rewrite the web page or redirect users from it to a phishing site. This type of attack is known as a malicious data injection attack or script injection.
  • 46. Flash malicious data injection attack The attacker can inject data and create a cross-site scripting (XSS) attack by coding in ActionScript and using APIs such as ExternalInterface, navigateToURL or getURL. The attacker can then redirect the URL and even post JavaScript code, which would capture the user’s cookies with personal information.
  • 47. Example Let’s say we need a script to retrieve a parameter that was passed through the URL into the Flex application. As you know, you can pass variables using FlashVars and then use the following syntax in Flex 4 to read the parameter: FlexGlobals.topLevelApplication.parameters.name However, in case you want to pass the parameters through the URL you need to call the SWF directly, like so: MyApp.swf?name=Elad My code allows me to read the parameter from the URL without calling the SWF directly.
  • 48. How it works? Here is how it works. I am registering a JavaScript callback function called getParams, and once the user clicks on a button I am calling the JavaScript method getURLString, which retrieves the URL parameter and passes it back to the callback.
  • 50. Hacker abuses loophole ?name=Elad I pass the following parameter: ?name=%3Cscript%3Ealert('Elad')%3C/script%3E
  • 51. Cross-site scripting through navigation URLs
  • 52. Attacking browser example Attacking browser navigation URLs is a popular attack. Similar to the example I showed you in the "Malicious data injection" section, attackers can inject data through the URL. In addition to passing data through FlashVars, it's common to use deep linking to change the application state. The application takes params through the URL and then creates a link in the application.
  • 55. Flex 3 History management The same type of cross-site scripting we just showed you was found in the History Management handled by historyFrame.html in Flex 3. The vulnerability occurs in code used by the History Management feature. In case you use Flex 3 and use the History Management features, you need to upgrade to at least the Flex 3.0.2 SDK Update or just replace the HTML files with the ones from Flex 3.0.2.
  • 56. How to avoid Cross-Scripting attack
  • 57. Whitelisting & Blacklisting The way to avoid most cross-scripting attacks is to sufficiently sanitize user-supplied data. What it means is that it’s a good practice to apply the same best practices as in an old-fashioned web application and to filter the data the user enters, to ensure that the user entered a proper format that contains only expected data. To avoid this type of vulnerability you can add code to your Flex/Flash application that will strip HTML tags, tag attributes, values, JavaScript, CSS, HTML and URLs. You can take the whitelist or the blacklist approach to validating the data. Whitelisting is preferred; however, whitelisting isn’t always possible, so blacklisting can be used.
  • 59. allowScriptAccess options Slide from Deneb Meketa's security presentation at MAX
  • 60. Set allowScriptAccess correctly Slide from Deneb Meketa's security presentation at MAX
  • 62. Use RegExp to avoid attacks I am using the RegExpValidator component and passing it the RegExp "((3C)|<)". In case there is no match you’ll get: “field is invalid”. You can insert all the RegExps and see if you get zero results, which means that the expression was present. To read more see the Symantec article: http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
  • 63. Update Flash Player and SDK often Updating Flash Player and the SDK. Adobe is constantly working to fight attackers. For instance, in the upgrade to Flex SDK 3.4 Adobe solved an issue tracked as CVE-2009-1879, which took care of a cross-site scripting (XSS) vulnerability in index.template.html in SDK 3.3. When the installed Flash version was older than a specified requiredMajorVersion value, it allowed remote attackers to inject arbitrary web script or HTML via the query string.
  • 64. Common security on local builds: Flash accessing the Internet
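The getURLString helper from the "How it works?" slide, rewritten here as an added example (not the original slide code) with the whitelist/blacklist checks from the last two slides in front of it, so that the %3Cscript%3E payload never reaches the Flex callback. The function names getURLString and getParams come from the slides; the validation rules and the sample query strings are assumptions of this example.

```javascript
// Whitelist: what a "name" parameter is allowed to look like (an assumption).
const PARAM_WHITELIST = /^[A-Za-z0-9 _.-]{1,64}$/;
// Blacklist: the RegExp quoted on the slide, run against the still-encoded value.
const TAG_BLACKLIST = /((%3C)|<)/i;

// Read one parameter out of a query string such as location.search.
// Parsing by hand keeps decoding to exactly one pass.
function getURLString(search, paramName) {
  const query = search.startsWith('?') ? search.slice(1) : search;
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    if (decodeURIComponent(key) === paramName) {
      try {
        return decodeURIComponent(raw.replace(/\+/g, ' '));
      } catch (e) {
        return null; // malformed percent-encoding: treat the parameter as absent
      }
    }
  }
  return null;
}

// Blacklist check (the slide's approach): does the raw value carry a "<" in any form?
function looksLikeTagInjection(rawValue) {
  return TAG_BLACKLIST.test(rawValue);
}

// Whitelist check (preferred): accept only the expected format.
function isSafeParam(value) {
  return value !== null && PARAM_WHITELIST.test(value);
}

// What the page would hand to the Flex getParams callback: the validated
// value, or an empty string when the parameter is missing or rejected.
function safeParamForFlash(search, paramName) {
  const value = getURLString(search, paramName);
  return isSafeParam(value) ? value : '';
}
```

With `?name=Elad` the callback receives `Elad`; with the payload from the "Hacker abuses loophole" slide it receives an empty string, and the blacklist flags the raw value before any decoding.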
  • 65. swf trying to access the internet SecurityError: Error #2028: Local-with-filesystem SWF file file:///file.swf cannot access Internet URL http://...
  • 66. Solution http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html Add "trusted" locations: 6 - Click on Edit Locations 7 - Click on Add Location 8 - Click on Browse for folder 9 - Select the folder where your Flash app is
  • 67. Links: Elad Elrom’s articles http://www.insideria.com/2009/12/top-security-threats-to-flashf.html http://insideria.com/2010/06/top-security-threats-to-flashf-1.html The Flash Player Security Topic Center: http://www.adobe.com/devnet/security OWASP: http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project Q&A