Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps

Finding Vulnerabilities in Flash Applications Stefano Di Paola CTO MindedSecurity [email_address] +393209495590

[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],$ Whoami^J

Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object]

Objectives ,[object Object],[object Object],[object Object],[object Object]

Flash Apps - Security Concerns ,[object Object],[object Object],[object Object],[object Object],[object Object]

SWF Client Side Attacks ,[object Object],[object Object],[object Object],[object Object],[object Object]

Cross Site Flashing (XSF) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Accomplishing an Attack using flawed SWF ,[object Object],<html> <body marginwidth="0" marginheight="0"> <embed width="100%" height="100%" name="plugin" src="http://Url/To/Swf" type="application/x-shockwave-flash"/> </body> </html>

Attack Example to a Flawed SWF ,[object Object],[object Object],[object Object],v1.loadv = function () { this.varTarget = new MovieClip(); _root.createEmptyMovieClip('varTarget', 10); var v2 = new XML(); v2.load( _root.test ); };

Accomplish an attack ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

The Attack Flow We will see the dangerous mechanisms that could lead to Client Side Attacks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Register Globals in ActionScript ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],if (_root.language != undefined) { Locale.DEFAULT_LANG = _root.language; } v5.load(Locale.DEFAULT_LANG + '/player_' + Locale.DEFAULT_LANG + '.xml');

Register Globals in Included Files 1/2 ,[object Object],[object Object],/* Level0 Movie */ _level0.DEMO_PATH = getHost(this._url); loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf', (_level0.demo_level + 1)); .... /* Level1 Movie ' upperlev.swf ' */ .... loadMovieNum( _level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......

Register Globals in Included Files 2/2 ,[object Object],[object Object],/* Level1 Movie ' upperlev.swf ' */ .... loadMovieNum( _level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......

Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Attack Patterns – Quick Reference ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Attack Patterns – Quick Reference ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Attack Patterns – GetURL New Issue ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],getURL('javascript:SomeFunc( “ someValue ” )','','GET') ,[object Object],[object Object]

Attack Patterns – ExternalInterface New Issue ,[object Object],[object Object],public static call(methodName:String, [parameter1:Object]) ,[object Object]

External Interface Attack ,[object Object],[object Object],[object Object],flash.external.ExternalInterface.call( _root.callback ) __flash__toXML( (new Function( “ alert( ‘ Xss ’ ) ” )) ())

Attack Patterns – Font New Issue ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Modify the Data Flow 1/4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Modify the Data Flow 2/4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Modify the Data Flow 3/4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Modify the Data Flow 4/4 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Recipe for Runtime Analysis ,[object Object],[object Object],[object Object],[object Object]

Find Undefined Vars @ Runtime ,[object Object],[object Object],[object Object],[object Object],_ root.__resolve = function (name){ // name is undefined }

Attack Patterns Array ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

A SWF Container ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Conclusions ,[object Object],[object Object],[object Object]

Thank you :) Questions? ,[object Object],[object Object],[object Object]

Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (19)

En vedette

En vedette (6)

Similaire à Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps

Similaire à Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps (20)

Dernier

Dernier (20)

Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps