8/8/2019 OWASP_IL_2008_Ronen_Bachar_RIA
1/20
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Automated Crawling & Security Testing of Flash/Flex Web Applications
Ronen Bachar
Organization: IBM
email: [email protected]
Phone: 09-9629852
14/9/2008
Agenda
Introduction to Flash/Flex applications
AMF
  High level description
  AMF data format and its usage
Automated Flash Testing Challenges
  Automated Crawling
  Automated Testing
Overview of security risks in Flash/Flex applications
Flash/Flex Introduction
Flash
  Developed by Macromedia (now Adobe)
  Flash is used to create animations, ads, and various Web components, to integrate video into web pages and, more recently, to develop RIAs
  Can be consumed as a web page element or as a standalone application
  Includes scripting languages: ActionScript 1, 2 & 3
Flash Player
  Runs Flash content (SWF file format)
  Available as a plug-in for browsers (such as Mozilla Firefox and Internet Explorer) or as a standalone application
  Each version is completely backward-compatible
Flash/Flex Introduction (ctd.)
Flex
  Flex provides a framework for developing RIAs that run in Flash Player
  Instead of forcing applications into the animation model, developers can program real applications using MXML (an XML document) to lay out user-interface components, and ActionScript for programming
  Requires Flash Player v9
  Same file format (SWF)
  Supports only ActionScript 3
  AJAX-like attributes
Flash/Flex Introduction (ctd.)
When a Flash movie is embedded in a Web page:
  Flash DOM: interacts with the DOM by executing JavaScript code
[Diagram: JavaScript (HTML host) and Flash object, each shown as Host (Browser) > Flash Player > Flash Movie (SWF)]
Flash in HTML page
AMF - ActionScript Message Format
A binary message format
Used primarily to exchange data between a Flash/Flex application and a server-side component, by serializing ActionScript data types
NetConnection uses AMF to send messages to a server to asynchronously invoke remote services (RPC)
AMF 0, 3 - require Flash Player 9
The AMF protocol specification is available (see references)
Understanding the AMF format is crucial for manipulating (fuzzing) applications that use AMF
AMF Format Description
Version: 0, 3
Header(s):
  Header Name
  Data: Serialized data (binary)
Message(s):
  Target URI: Service name / Response result
  Response URI: /id
  Data: Serialized data (binary)
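The envelope above (version, headers, messages with target/response URIs and a serialized body) can be decoded with a small parser. This is an added example, not code from the deck: it reads an AMF0 packet and the AMF0 value types a typical RPC call uses (number, boolean, string, null, strict array), so a tester can see which service and arguments a captured request carries. The service name, header and argument values are constructed for the sample.

```python
import struct
# AMF0 type markers handled here (subset of the AMF0 spec the deck references)
NUMBER, BOOLEAN, STRING, NULL, STRICT_ARRAY = 0x00, 0x01, 0x02, 0x05, 0x0A

def _utf8(buf, pos):  # U16 length-prefixed UTF-8 string -> (text, new_pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def decode_value(buf, pos):
    """Decode one AMF0 value starting at pos; returns (value, new_pos)."""
    marker, pos = buf[pos], pos + 1
    if marker == NUMBER:                      # IEEE-754 double, big-endian
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == BOOLEAN:
        return buf[pos] != 0, pos + 1
    if marker == STRING:
        return _utf8(buf, pos)
    if marker == NULL:
        return None, pos
    if marker == STRICT_ARRAY:                # U32 count followed by that many values
        (count,) = struct.unpack_from(">I", buf, pos)
        pos, items = pos + 4, []
        for _ in range(count):
            item, pos = decode_value(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unsupported AMF0 marker 0x%02x" % marker)

def parse_amf_packet(buf):
    """Parse the packet envelope: version, headers, then messages with target/response URIs."""
    version, hcount = struct.unpack_from(">HH", buf, 0)
    pos, headers = 4, []
    for _ in range(hcount):
        name, pos = _utf8(buf, pos)
        must_understand = buf[pos] != 0       # U8 flag, then U32 byte length of the header value
        pos += 5
        value, pos = decode_value(buf, pos)
        headers.append({"name": name, "must_understand": must_understand, "value": value})
    (mcount,) = struct.unpack_from(">H", buf, pos)
    pos, messages = pos + 2, []
    for _ in range(mcount):
        target, pos = _utf8(buf, pos)         # service name on a request, /id/onResult on a response
        response, pos = _utf8(buf, pos)       # /id on a request
        pos += 4                              # U32 body length; may be 0xFFFFFFFF (unknown), so decode instead of slicing
        body, pos = decode_value(buf, pos)
        messages.append({"target": target, "response": response, "body": body})
    return {"version": version, "headers": headers, "messages": messages}

# Constructed sample: one header plus one request invoking UserService.login("alice", 42)
_BODY = b"\x0a\x00\x00\x00\x02" + b"\x02\x00\x05alice" + b"\x00" + struct.pack(">d", 42.0)
SAMPLE_PACKET = (b"\x00\x00" + b"\x00\x01" + b"\x00\x04Auth\x00" + struct.pack(">I", 8) + b"\x02\x00\x05token"
                 + b"\x00\x01" + b"\x00\x11UserService.login" + b"\x00\x02/1" + struct.pack(">I", len(_BODY)) + _BODY)
```

Calling `parse_amf_packet(SAMPLE_PACKET)` yields the target URI, the response URI and the argument list, which is what the raw and decoded request screenshots on the next slide show side by side.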
AMF Example
[Screenshots: Request (raw format); Request (decoded); Response (decoded)]
Challenges of Crawling Flash
In order to properly test Flash/Flex-based applications, we have to crawl them:
  Detect server-side end-points (new URLs)
  Detect client-side states and logic (Flash application tree)
We must play the Flash movie in its native context:
  The Flash movie runs in the original HTML page
  Browser - includes a JavaScript engine (for JS-Flash interaction)
  Use the Flash Player plug-in
We must support dynamic content too (where script creates content on the fly); parsing is not enough!
Challenges of Crawling Flash (Cont.)
States in a Flash application
Navigation in a Flash application
Blind crawling (soundless, no pop-ups, no visuals)
Support inline movies too
Since Flash Player is designed only to play movies, its programming interface is limited
State Management in Flash applications
Flash applications are primarily based on animation. We encounter the following issues:
  How do we identify/define application state?
  How do we get the current state?
  How do we figure out that the current state is over/idle?
We define a state as a GUI object container, i.e. Movie Clips, Buttons & Text Fields
Heuristics & the Flash plug-in give us hints that the player is idle
Navigation in Flash Application
Navigate the Flash application in its native flow; it is still hard to define the correct functional flow
Build the application tree (each node represents a state)
Get current state details (GUI objects)
Activate each GUI object according to its type:
  Button: click on it, move the mouse over the button area
  TextField: fill it in
  MovieClip: click on it
Navigating between states through Flash: unfortunately, navigating back is not trivial
We need to store and play sequences
Flash Application tree
[Diagram: application tree with Root (State A) at the top; child nodes MC2 (State B), B1, B2 and MC1; further nodes State C, State D, State E and State F]
Testing Flash Applications
Identify controlled Flash parameters:
  Query parameters (from HTML): http://domain/movie.swf?param1=value1
  FlashVars (from HTML)
Testing Flash Applications (ctd.)
Mutation - inject values into the parameters:
  XSS: param1=javascript:window.open(http://my.site)
  XSF: param2=www.movie.swf
  Phishing: param3=www.my.site
Validation:
  Play the relevant sequence belonging to the mutated parameter
  Verify test results: browser events, ActionScript level
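The three mutation classes above (a javascript: URL, a foreign SWF, an off-site address) are what the "validate variables sent to URL functions" recommendation later in the deck is meant to stop. As an added example, not from the deck, here is the check a movie or its server-side helper could apply to a FlashVar or query value before it reaches a navigation or loader call; the allow-list hostname example.com and the function name are assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")

def check_url_param(value, allowed_hosts, expect_swf=False):
    """Decide whether a FlashVar/query-string value may be passed to a URL-taking call.

    Returns (accepted, reason). allowed_hosts is the set of hostnames the movie may
    navigate to or load SWFs from; expect_swf=True applies to loader-style parameters.
    """
    value = value.strip()
    # Tabs/newlines can hide a scheme from naive prefix checks; reject any control character outright
    if any(ord(c) < 0x20 for c in value):
        return False, "control characters in value"
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    # Absolute http(s) URLs only: rejects javascript:/data: (XSS) and scheme-less values
    # such as "www.movie.swf" that the player would resolve relative to the page (XSF)
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r is not allowed" % scheme
    host = (parts.hostname or "").lower()
    # Host must be on the allow-list: blocks phishing redirects and loading foreign SWFs;
    # .hostname ignores userinfo, so "http://example.com@evil.test/" resolves to evil.test
    if host not in allowed_hosts:
        return False, "host %r is not on the allow-list" % host
    if expect_swf and not parts.path.lower().endswith(".swf"):
        return False, "loader parameter must point at a .swf file"
    return True, "ok"

if __name__ == "__main__":
    # The deck's three mutation payloads against an assumed allow-list
    for payload, swf in (("javascript:window.open(http://my.site)", False),
                         ("www.movie.swf", True), ("www.my.site", False)):
        print(payload, "->", check_url_param(payload, {"example.com"}, expect_swf=swf))
```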
Testing AMF Parameters
Testing server-side AMF-speaking end-points
Using standard parameter tampering techniques on AMF message fields: XSS, SQLi, HTTP Response Splitting, Command Execution, etc.
[Screenshots: Original Request / Mutated Request, with the string ' having 1=1-- injected into a message field]
Overview of security risks in Flash/Flex applications
XSS through Flash: read & write access to the HTML page or JavaScript code
XSF: read & write access to the SWF loader or HTML or JavaScript code
Phishing through Flash
AMF parameters: XSS, SQLi
Cross-domain promiscuous access: read & write access to the HTML page or JavaScript code
Recommendations
HTML code:
  allowNetworking set to internal
  allowScriptAccess set to samedomain
Perform data validation on variables sent to URL functions
Refine access with crossdomain.xml
Use fscommand or ExternalInterface.call instead of "javascript:"
Compiler settings:
  Compile the Flash movie for Flash Player 8 or later
  Set the Omit trace flag
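The HTML-code and crossdomain.xml recommendations above can be checked mechanically during a review. This is an added example, not from the deck: it reads the allowNetworking/allowScriptAccess settings out of an object/embed snippet, reports values more permissive than the recommended ones, and flags a wildcard allow-access-from entry in a crossdomain.xml policy. The sample snippet and policy are constructed; the stricter values "none" and "never" are accepted as at least as safe as the recommendation.

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Recommended values from the deck, plus the stricter settings that are also acceptable
ACCEPTABLE = {"allownetworking": ("internal", {"internal", "none"}),
              "allowscriptaccess": ("samedomain", {"samedomain", "never"})}

class _EmbedAudit(HTMLParser):
    """Collect allowNetworking/allowScriptAccess from <param> and <embed> tags (case-insensitive)."""
    def __init__(self):
        super().__init__()
        self.seen = {}
    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "param" and attrs.get("name") in ACCEPTABLE:
            self.seen[attrs["name"]] = attrs.get("value", "")
        elif tag == "embed":
            for key in ACCEPTABLE:
                if key in attrs:
                    self.seen[key] = attrs[key]

def audit_embed_html(html):
    """Return one finding per setting that is missing or more permissive than recommended."""
    parser = _EmbedAudit()
    parser.feed(html)
    findings = []
    for key, (recommended, ok_values) in ACCEPTABLE.items():
        got = parser.seen.get(key)
        if got is None:
            findings.append("%s not set explicitly (recommended: %s)" % (key, recommended))
        elif got not in ok_values:
            findings.append("%s=%s is more permissive than recommended %s" % (key, got, recommended))
    return findings

def audit_crossdomain(xml_text):
    """Flag promiscuous entries in a crossdomain.xml policy."""
    findings = []
    for el in ET.fromstring(xml_text).iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every site cross-domain access')
        if el.get("secure", "true").lower() == "false":
            findings.append('domain=%s has secure="false": SWFs loaded over HTTP may use an HTTPS policy' % domain)
    return findings

# Constructed samples: an embed using the permissive values and a wildcard policy
WEAK_HTML = ('<object><param name="allowScriptAccess" value="always">'
             '<embed src="movie.swf" allowNetworking="all" allowScriptAccess="always"></object>')
WEAK_POLICY = '<cross-domain-policy><allow-access-from domain="*" secure="false"/></cross-domain-policy>'
```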
References
Creating more secure SWF web applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
Adobe Flash Player 9 Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf
AMF 0 Specification: http://download.macromedia.com/pub/labs/amf/amf0_spec_121207.pdf
AMF 3 Specification: http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf
Testing Flash Applications (Stefano Di Paola / OWASP): http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf