owasp_il_2008_ronen_bachar_ria


  • 8/8/2019 OWASP_IL_2008_Ronen_Bachar_RIA


    Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

    The OWASP Foundation

    OWASP

    http://www.owasp.org

    Automated Crawling & Security Testing of Flash/Flex Web Applications

    Ronen Bachar

    Organization: IBM

    email: [email protected]

    Phone: 09-9629852

    14/9/2008

  • Slide 2: Agenda

    Introduction to Flash/Flex applications

    AMF

    High level description

    AMF data format and its usage

    Automated Flash Testing Challenges

    Automated Crawling

    Automated Testing

    Overview of security risks in Flash/Flex applications

  • Slide 3: Flash/Flex Introduction

    Flash: Developed by Macromedia (now Adobe)

    Flash is used to create animations, ads, and various Web components, to integrate video into web pages and, more recently, to develop RIAs

    Can be consumed as a web page element or as a standalone application

    Includes scripting languages: ActionScript 1, 2 & 3

    Flash Player: Runs Flash content (SWF file format)

    Available as a plug-in for browsers (such as Mozilla Firefox and Internet Explorer) or as a standalone application

    Each version is completely backward-compatible

  • Slide 4: Flash/Flex Introduction (ctd.)

    Flex: Flex provides a framework for developing RIAs that run in Flash Player

    Instead of forcing applications into the animation model, developers can program real applications using MXML (an XML document) for laying out user-interface components, and ActionScript for programming

    Requires Flash Player v9

    Same File Format (SWF)

    Supports only Action Script 3

    AJAX-like attributes

  • Slide 5: Flash/Flex Introduction (ctd.)

    When a Flash movie is embedded in a Web page:

    Flash <-> DOM: interacts with the DOM by executing JavaScript code

    [Diagram: Host (Browser) runs Flash Player, which runs the Flash Movie (SWF); the JavaScript (HTML host) side and the Flash object interact]

  • Slide 6: Flash in HTML page

  • Slide 7: AMF - ActionScript Message Format

    A binary message format

    Used primarily to exchange data between a Flash/Flex application and a server-side component, by serializing ActionScript data types

    NetConnection uses AMF to send messages to a server to asynchronously invoke remote services (RPC)

    AMF 0, 3 - require Flash Player 9

    AMF protocol specification is available (see references)

    Understanding the AMF format is crucial for manipulating (fuzzing) applications that use AMF

  • Slide 8: AMF Format Description

    Version: 0, 3

    Header(s):

    Header Name

    Data: Serialized data (binary)

    Message(s):

    Target URI: Service name/Response result

    Response URI: /id

    Data: Serialized data (binary)
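The envelope on slide 8 (version, headers, messages, each with a type-marked AMF0 body) as an added example, not code from the talk or from IBM's tool: a minimal AMF0 packet decoder that handles the number, string and strict-array markers. SAMPLE_REQUEST, the service name UserService.login and its arguments are constructed for illustration.

```python
import struct

def _u16(buf, pos): return struct.unpack_from(">H", buf, pos)[0], pos + 2
def _u32(buf, pos): return struct.unpack_from(">I", buf, pos)[0], pos + 4
def _utf8(buf, pos):  # AMF0 UTF-8 string: u16 byte length followed by the bytes
    n, pos = _u16(buf, pos)
    return buf[pos:pos + n].decode("utf-8"), pos + n

def decode_amf0_value(buf, pos):
    """Decode one type-marked AMF0 value (number, string, strict array); returns (value, new_pos)."""
    marker, pos = buf[pos], pos + 1
    if marker == 0x00:  # number: big-endian IEEE-754 double
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == 0x02:  # string
        return _utf8(buf, pos)
    if marker == 0x0A:  # strict array: u32 element count, then typed values
        n, pos = _u32(buf, pos)
        items = []
        for _ in range(n):
            value, pos = decode_amf0_value(buf, pos)
            items.append(value)
        return items, pos
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x} at offset {pos - 1}")

def parse_amf_packet(buf):
    """Parse the envelope from slide 8: version, header(s), message(s)."""
    version, pos = _u16(buf, 0)
    n_headers, pos = _u16(buf, pos)
    headers, messages = [], []
    for _ in range(n_headers):
        name, pos = _utf8(buf, pos)
        must_understand, pos = buf[pos] != 0, pos + 1
        _, pos = _u32(buf, pos)  # declared byte length; the typed decoder finds the real end
        data, pos = decode_amf0_value(buf, pos)
        headers.append({"name": name, "must_understand": must_understand, "data": data})
    n_messages, pos = _u16(buf, pos)
    for _ in range(n_messages):
        target, pos = _utf8(buf, pos)
        response, pos = _utf8(buf, pos)
        _, pos = _u32(buf, pos)
        data, pos = decode_amf0_value(buf, pos)
        messages.append({"target": target, "response": response, "data": data})
    return {"version": version, "headers": headers, "messages": messages}

SAMPLE_REQUEST = (  # constructed: one message invoking UserService.login("alice", "s3cret"), no headers
    b"\x00\x00" b"\x00\x00" b"\x00\x01"            # version 0, 0 headers, 1 message
    b"\x00\x11UserService.login" b"\x00\x02/1"     # target URI, response URI
    b"\x00\x00\x00\x16"                            # body length: 22 bytes
    b"\x0a\x00\x00\x00\x02" b"\x02\x00\x05alice" b"\x02\x00\x06s3cret"  # strict array of 2 strings
)
```

Decoding a captured request this way is what makes the message fields on slide 17 visible for inspection; the length field is carried in the packet but the typed decoder is what actually bounds each body.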

  • Slide 9: AMF Example

    [Figures: Request (raw format); Request (decoded); Response (decoded)]

  • Slide 10: Challenges of Crawling Flash

    In order to properly test Flash/Flex-based applications, we have to crawl them:

    Detect server-side end-points (new URLs)

    Detect client-side states and logic (Flash Application tree)

    We must play the Flash movie in its native context: the Flash movie runs in the original HTML page

    Browser: includes a JavaScript engine (for JS <-> Flash interaction)

    Use Flash Player plug-in

    We must support dynamic content too (where script creates content on the fly); parsing is not enough!

  • Slide 11: Challenges of Crawling Flash (Cont.)

    States in Flash application

    Navigation in Flash application

    Blind Crawling (soundless, no pop-ups, no visuals)

    Support inline movie too

    Since Flash Player is designed only to play movies, its programming interface is limited

  • Slide 12: State Management in Flash applications

    Flash applications are primarily based on animation. We encounter the following issues:

    How do we identify/define application state?

    How do we get the current state?

    Figuring out that the current state is over/idle?

    We define state as a GUI Object container, i.e. Movie Clips, Buttons & Text Fields

    Heuristics & the Flash plug-in give us hints that the player is idle

  • Slide 13: Navigation in Flash Application

    Navigate the Flash application in its native flow; it is still hard to define the correct functional flow

    Build application tree (each node represents a state)

    Get current state details (GUI Objects)

    Activate each GUI object according to its type:

    Button: click on it, move the mouse over the button area

    TextField: fill it in

    MovieClip: click on it

    Navigating between states through Flash: unfortunately, navigating back is not trivial

    We need to store and play sequences

  • Slide 14: Flash Application tree

    [Diagram: application tree. Root (State A) branches through GUI objects B1, B2, MC1 and MC2 into States B, C, D, E and F]
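The state and sequence-replay idea of slides 12 to 14 as an added example (not code from the talk or from IBM's crawler): a state is identified by its GUI-object container, the application tree is built by activating each object, and because the player offers no "back", the stored action sequence is replayed from the root before every step. FakeMovie, its states, object names and transitions are constructed stand-ins for a movie driven through the plug-in.

```python
from collections import deque

class FakeMovie:
    """Constructed stand-in for a movie driven through the Flash Player plug-in.
    Only reset() and activate() exist: there is no 'back', as the slides note."""
    STATES = {  # state -> GUI objects (type, name) visible in it
        "A": [("Button", "B1"), ("Button", "B2"), ("MovieClip", "MC1")],
        "B": [("TextField", "T1"), ("Button", "B3")],
        "C": [("Button", "B4")],
        "D": [],
    }
    TRANSITIONS = {("A", "B1"): "B", ("A", "B2"): "C", ("A", "MC1"): "A",
                   ("B", "T1"): "B", ("B", "B3"): "D", ("C", "B4"): "A"}
    def __init__(self):
        self.state = "A"
    def reset(self):  # reload the movie: back to the first frame
        self.state = "A"
    def current_objects(self):
        return list(self.STATES[self.state])
    def activate(self, obj):  # click a Button/MovieClip or fill a TextField
        self.state = self.TRANSITIONS.get((self.state, obj[1]), self.state)

def state_id(objects):
    """A state is its GUI-object container (slide 12): the set of (type, name)."""
    return frozenset(objects)

def crawl(movie):
    """Build the application tree {state: {gui_object: next_state}} plus, for each
    state, the stored action sequence that reaches it from the root."""
    movie.reset()
    root = state_id(movie.current_objects())
    tree, paths, queue = {}, {root: ()}, deque([root])
    while queue:
        sid = queue.popleft()
        tree[sid] = {}
        for obj in sorted(sid):
            movie.reset()  # no back-navigation: replay the stored sequence from the root
            for step in paths[sid]:
                movie.activate(step)
            movie.activate(obj)
            nxt = state_id(movie.current_objects())
            tree[sid][obj] = nxt
            if nxt not in paths:  # unseen state: record how to reach it and explore it
                paths[nxt] = paths[sid] + (obj,)
                queue.append(nxt)
    return tree, paths
```

The recorded paths are exactly the sequences slide 16 replays when a mutated parameter has to be exercised in the state that uses it.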

  • Slide 15: Testing Flash Applications

    Identify controlled Flash parameters:

    Query parameters (from HTML)

    http://domain/movie.swf?param1=value1

    FlashVars (from HTML)

  • Slide 16: Testing Flash Applications (ctd.)

    Mutation - Inject values into the parameters

    XSS: param1=javascript:window.open(http://my.site)

    XSF: param2=www.movie.swf

    Phishing: param3=www.my.site

    Validation

    Play the relevant sequence that belongs to the mutated parameter

    Verify test results: browser events, ActionScript level

  • Slide 17: Testing AMF Parameters

    Testing Server-side AMF-speaking end-points

    Using standard parameter tampering techniques on AMF message fields: XSS, SQLi, HTTP Response Splitting, Command Execution, etc.

    ' having 1=1--

    [Figures: Original Request; Mutated Request]

  • Slide 18: Overview of security risks in Flash/Flex applications

    XSS Through Flash: Read & Write access to HTML page or JavaScript code

    XSF: Read & Write access to SWF loader or HTML or JavaScript code

    Phishing Through Flash

    AMF Parameters: XSS, SQLi

    Cross Domain Promiscuous Access: Read & Write access to HTML page or JavaScript code

  • Slide 19: Recommendations

    HTML Code: allowNetworking set to internal

    allowScriptAccess set to samedomain

    Perform data validation on variables sent to URL functions

    Refining access with crossdomain.xml

    Use fscommand or ExternalInterface.call instead of "javascript:"

    Compiler settings: Compile Flash movie for Flash Player 8 or later

    Set Omit trace flag
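The first two recommendations on this slide turned into a check, as an added example (not code from the talk): a small auditor that reads the HTML embedding a SWF and reports any allowScriptAccess or allowNetworking value that differs from samedomain and internal, or that is not set explicitly. The WEAK_EMBED and HARDENED_EMBED snippets and the file name app.swf are constructed.

```python
from collections import defaultdict
from html.parser import HTMLParser

# The values slide 19 recommends for the HTML that embeds a SWF.
RECOMMENDED = {"allowscriptaccess": "samedomain", "allownetworking": "internal"}

class SwfEmbedAuditor(HTMLParser):
    """Collect allowScriptAccess / allowNetworking values from <param> and <embed> tags.
    HTMLParser lowercases tag and attribute names, so matching is case-insensitive."""
    def __init__(self):
        super().__init__()
        self.seen = defaultdict(set)  # setting -> every value observed for it

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "param":  # <object> style: <param name="allowScriptAccess" value="...">
            name = (attrs.get("name") or "").lower()
            if name in RECOMMENDED:
                self.seen[name].add((attrs.get("value") or "").lower())
        elif tag == "embed":  # <embed allowScriptAccess="..." allowNetworking="...">
            for name in RECOMMENDED:
                if name in attrs:
                    self.seen[name].add((attrs[name] or "").lower())

def audit_swf_embed(html):
    """Return findings as (setting, observed value, recommended value) tuples.
    A setting that is never set explicitly is reported as 'not set'."""
    parser = SwfEmbedAuditor()
    parser.feed(html)
    findings = []
    for name, want in RECOMMENDED.items():
        observed = parser.seen.get(name, set())
        if not observed:
            findings.append((name, "not set", want))
        for value in sorted(observed):
            if value != want:
                findings.append((name, value, want))
    return findings

# Constructed sample: a permissive embed, and the same markup with the slide's values.
WEAK_EMBED = """<object width="550" height="400">
  <param name="movie" value="app.swf">
  <param name="allowScriptAccess" value="always">
  <param name="allowNetworking" value="all">
  <embed src="app.swf" allowScriptAccess="always" allowNetworking="all">
</object>"""
HARDENED_EMBED = WEAK_EMBED.replace("always", "sameDomain").replace('"all"', '"internal"')

if __name__ == "__main__":
    for label, html in (("weak", WEAK_EMBED), ("hardened", HARDENED_EMBED)):
        print(label, audit_swf_embed(html) or "OK")
```

Both the <param> and the <embed> form are checked because browsers pick one or the other, and a value fixed in only one of them leaves the other path permissive.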

  • Slide 20: References

    Creating more secure SWF web applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html

    Adobe Flash Player 9 Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf

    AMF 0 Specification: http://download.macromedia.com/pub/labs/amf/amf0_spec_121207.pdf

    AMF 3 Specification: http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf

    Testing Flash Applications (Stefano Di Paola / OWASP): http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf