Attacking and defending Flash Applications
Flash Security
• I’ll talk about:
  o RIA, Web 2.0 and Security
  o What is Crossdomain.xml? Why does it exist?
  o Only problem about Flash: XSS
  o XSS and Impact of XSS Attacks
  o Attack Surface of Flash Applications
    - Global Parameters
    - External Resources
  o Same-origin Policy and Flash Embedding
  o High Security Required Applications and Flash
• Not going to talk about these, at least not today:
  o Server-side Flash Security
  o Attacking users via Flash
  o Flash Vulnerabilities
RIA, Web 2.0 and Security
• Complexity is the worst enemy of security
• Every new component in the browser is a new threat
• AJAX, Silverlight, AIR, Flash, Java, Myspace Upload ActiveX etc. All of these are potential security problems.
• Every new technology comes with a new style of development, and it takes time to have secure “best practices”.
Crossdomain.xml & Same-Origin Policy
• Same-Origin Policy
  o Why is cross-domain access a bad thing? Examples...
  o Cookie, XMLHTTP Requests, Javascript etc.
  o Flash and Crossdomain.xml
A Quite Naïve Crossdomain.xml File

  <cross-domain-policy>
    <allow-access-from domain="*" secure="false"/>
  </cross-domain-policy>
Demo
Stealing information via Flash by exploiting Crossdomain.xml trust.
http://examplebank.com http://attacker.com/
XSS Tunnelling?
Tunnelling HTTP traffic through XSS channels. Allows bypassing IP restrictions, VPN, basic auth etc.
Attack Surface of Flash
• Global Parameters
• Flashvars
• Querystring
• LoadVars
• Configuration Files
• Dynamically loaded Flash Animations
Global Parameter Modification
• What are these global parameters?
• _root.
• _global.
• _level0.
Flash Embedding
Limit the Flash file’s access by setting the Allowscriptaccess attribute to “noaccess” when embedding an external Flash animation.
getURL()
• getURL problems
• getURL("javascript:alert(1)")
HTML Text Area
• If HTML is enabled in the text areas and the data is loaded dynamically:
• http://example.com/XSS/riaac3.swf?_Ghtml=<img%20src="javascript:alert(1)//.jpg">
LoadClip, xml.load
• Are external resources secure? Are they hard-coded, or do the configuration files come from a secure place?
• You should check the configuration location and should not take it from user input.
Flash usage in systems that require high security
• Why can it be a problem?
• Increased attack surface
Sum it up!
• You should limit Flash’s JavaScript access while embedding external Flash files.
• Loaded configurations should be coming from trusted domains.
• Loaded external resources should be coming from trusted domains.
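
The trusted-domain check from the getURL, LoadClip/xml.load and summary slides, sketched in Python as an added example that is not part of the original slides; the same logic would sit in the application's ActionScript or in the server code that generates Flashvars. The allowlist, its hostnames and the function name are assumptions for illustration, and relative URLs are rejected by design so that every accepted value names its host explicitly.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example; the hostnames are placeholders.
TRUSTED_HOSTS = {"example.com", "static.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_trusted_resource(url):
    """True only for absolute http(s) URLs whose host is on the allowlist."""
    # Reject backslashes, control whitespace and padding up front:
    # URL parsers disagree on how to treat them.
    if url != url.strip() or any(ch in url for ch in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # Blocks javascript:, data:, and scheme-less values such as //host/x.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Blocks http://example.com@attacker.com/, where the real host
    # is whatever follows the "@".
    if parts.username is not None or parts.password is not None:
        return False
    # Exact match, so example.com.attacker.com does not pass.
    host = (parts.hostname or "").rstrip(".")
    return host in TRUSTED_HOSTS


if __name__ == "__main__":
    # Constructed inputs, as they might arrive in a Flashvars or
    # querystring parameter that names a configuration file or clip.
    for candidate in (
        "http://example.com/config.xml",
        "javascript:alert(1)",
        "//attacker.com/config.xml",
        "http://example.com@attacker.com/config.xml",
        "http://example.com.attacker.com/clip.swf",
    ):
        print(is_trusted_resource(candidate), candidate)
```
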
• When you are using htmlText, be sure that loaded data is sanitised and encoded.
References, Resources and Tools
• Flashsec Wiki
• OWASP – Finding Vulnerabilities in Flash Applications
• SWFIntruder
• Flare and similar decompilers
Thanks...