Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP 1 Flash Parameter Injection The OWASP Foundation OWASP 25/09/2008 Ayal Yogev Adi Sharabani IBM Rational Application Security.

Similar presentations


Presentation on theme: "OWASP 1 Flash Parameter Injection The OWASP Foundation OWASP 25/09/2008 Ayal Yogev Adi Sharabani IBM Rational Application Security."— Presentation transcript:

1 OWASP 1 Flash Parameter Injection The OWASP Foundation OWASP 25/09/2008 Ayal Yogev Adi Sharabani IBM Rational Application Security {ayal, adish}

2 OWASP 2 Agenda  Flash 101  Flash Security  The Problem  Flash Parameter Injection  Real Example  Testing

3 OWASP 3 F lash 101

4 OWASP 4 Background  Introduced in 1996  Adds animation and interactivity to Web pages  Contains a scripting language: Action Script  Very popular –Installed in over 99% of PCs  Advanced technologies: –Flex –Adobe AIR

5 OWASP 5 My Flash Movie My Flash Movie Accessing Flash movies  Can be embedded in HTML pages Host (Browser) Flash Player Flash Movie (SWF)

6 OWASP 6 Accessing Flash movies  Can be embedded in HTML pages  Can be accessed directly –http://host/movie.swf –A “dummy” HTML page may be created (browser dependant) –DOM access according to policy –Example (Firefox):

7 OWASP 7 Global Flash Variables  Action Script supports Global Variables  Global Variables can be assigned from outside the movie  Common use: if (_root.myparam == undefined) { _root.myparam = “my default value”; } if (_root.myparam == undefined) { _root.myparam = “my default value”; }

8 OWASP 8 Global Flash Variables  Action Script supports Global Variables  Global Variables can be assigned from outside the movie  Assigning Global Variables as parameters –Direct Reference –Embedded URI –Flash Attributes movie.swf?a=5&b=hello

9 OWASP 9 width="600" height="345"> { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/4128384/13/slides/slide_8.jpg", "name": "OWASP 9 width= 600 height= 345 >

10 OWASP 10 lash S ecurity

11 OWASP 11 Previous Research  Bypassing JavaScript Filters – the Flash! Attack Eye on Security, August 2002  Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach Scan Security Wire, April 2003  Testing Flash Applications Stefano Di Paola, May 2007  Finding Vulnerabilities in Flash Applications Stefano Di Paola, November 2007

12 OWASP 12 Controlling Global Flash Variables can result in...  Cross-Site Flashing  Cross-Site Scripting through Flash  Phishing  Flow Manipulation  …

13 OWASP 13 Cross-Site Flashing  A vulnerable movie is tricked into loading a malicious movie  The malicious movie gets access to the same sandbox  Can be achieved using methods like loadMovie*:  Attack Vector Flash Player Flash Movie Flash Player Malicious Flash if (_root.movieURI == undefined) { _root.movieURI = "http://host/movie.swf"; } loadMovieNum(_root.movieURI, 1); if (_root.movieURI == undefined) { _root.movieURI = "http://host/movie.swf"; } loadMovieNum(_root.movieURI, 1);

14 OWASP 14 Cross-Site Scripting through Flash  Classic XSS using a vulnerable Flash file  Can be triggered by the use of global flash variables in: –getURL using payload javascript:alert('XSS') –Load* functions using payload asfunction:getURL,javascript:alert('XSS') –TextField.htmlText using payload –...

15 OWASP 15 Cross-Site Scripting through Flash (Example)  Consider movie.swf containing the code: if (_root.url == undefined) { _root.url = "http://host/"; } getURL(_root.url); if (_root.url == undefined) { _root.url = "http://host/"; } getURL(_root.url);

16 OWASP 16 Normal Usage

17 OWASP 17 Normal Usage

18 OWASP 18 Normal Usage

19 OWASP 19 Cross-Site Scripting through Flash (Example) Attack Vector: if (_root.url == undefined) { _root.url = "http://host/"; } getURL(_root.url); if (_root.url == undefined) { _root.url = "http://host/"; } getURL(_root.url);

20 OWASP 20 Cross-Site Scripting through Flash (Example)

21 OWASP 21 Cross-Site Scripting through Flash (Example)

22 OWASP 22 Cross-Site Scripting through Flash (Example)

23 OWASP 23 T he P roblem

24 OWASP 24 The Missing Link  Flash cannot always load without the original HTML  Flash movies may rely on parts of the DOM to execute –Use JavaScript variables and methods –Use HTML Dom elements  Direct access to flash may be restricted due to security Host (Browser) Flash Player Flash Movie (SWF) Host (Browser) Flash Player Flash Movie (SWF)

25 OWASP 25 The Missing Link - Example

26 OWASP 26 The Missing Link - Example

27 OWASP 27 The Missing Link - Example

28 OWASP 28 The Missing Link - Example

29 OWASP 29 The Missing Link - Example

30 OWASP 30

31 OWASP 31 Known examples of Flash attacks involve accessing the movie directly

32 OWASP 32 BUT… Some Flash movies cannot load when accessed directly

33 OWASP 33 FPI Injecting global variables into Flash in its original HTML environment

34 OWASP 34 FPI T echniques

35 OWASP 35 Reflected FPI  Possible when the location of the Flash movie is retrieved through a URL parameter:  Attack example: # Embed the Flash movie print ' '; # Embed the Flash movie print ' '; '; '; movie.swf?globalVar=e-v-i-l

36 OWASP 36  Attack possible when global flash variables are received from HTML parameters without sanitization:  Attack occurs when victim is lured to click on a link line: # Read the 'language' parameter my $language = $params{language}; # Embed the Flash movie print ' '; # Read the 'language' parameter my $language = $params{language}; # Embed the Flash movie print ' '; Reflected FPI (Piggybacking FlashVars) English%26globalVar=e-v-i-l … … %26 is decoded to & English&globalVar=e-v-i-l

37 OWASP 37 # Embed the flash movie print " "; # Embed the flash movie print " "; FlashVars Injection  Possible when an attribute of object tag is received as a parameter:  Attack vector: 600%27%20flashvars=%27globalVar=e-v-i-l 600' flashvars='globalVar=e-v-i-l Decode values

38 OWASP 38 DOM Based FPI  document.location is used as a global Flash variable: var s = ''; var loc = encodeURI(document.location); s += ' '; document.write(s); var s = ''; var loc = encodeURI(document.location); s += ' '; document.write(s);

39 OWASP 39 DOM Based FPI (continued)  Attack vector:  The global variable is injected into the Flash movie embedded inside the DOM:

40 OWASP 40 DOM Based FPI (continued)  JavaScript function encodeURI is not sufficient in this case –Can prevent DOM based XSS but not DOM Based FPI –Does not encode all characters (e.g. ‘&’,’?’) –encodeURIComponent, escape or similar methods must be used –Appropriate encoding must be used (depending on context)  Attack is invisible to IDS and IPS –Data following ‘#’ is not sent to the server (‘?’ also works, but data following it is sent to the server)

41 OWASP 41 Persistent FPI  Shared local Flash objects (a.k.a. Flash cookies) –Used to store persistent data across multiple sessions and save Flash state  Storing shared local Flash objects: // Create a shared object mySharedObject = SharedObject.getLocal("sharedObjName"); // Store data in the shared object mySharedObject.data.name = "jsmith"; mySharedObject.data.homepage = "http://demo.testfire.net"; // Flush mySharedObject.flush(); // Create a shared object mySharedObject = SharedObject.getLocal("sharedObjName"); // Store data in the shared object mySharedObject.data.name = "jsmith"; mySharedObject.data.homepage = "http://demo.testfire.net"; // Flush mySharedObject.flush();

42 OWASP 42 Persistent FPI (continued)  Loading shared local Flash objects: // Create a new shared object or read an existing one mySharedObject = SharedObject.getLocal("sharedObjName"); // Check whether variable name exists if (mySharedObject.data.name == null) { // Shared object doesn't exist } else { // Read the name name = mySharedObject.data.name; // Read the homepage homepage = mySharedObject.data.homepage; } // Create a new shared object or read an existing one mySharedObject = SharedObject.getLocal("sharedObjName"); // Check whether variable name exists if (mySharedObject.data.name == null) { // Shared object doesn't exist } else { // Read the name name = mySharedObject.data.name; // Read the homepage homepage = mySharedObject.data.homepage; }

43 OWASP 43 Persistent FPI (continued)  Shared local Flash object is controlled by user input  Object is used inside the getURL method // Create a new shared object or read an existing one mySharedObject = SharedObject.getLocal(“urlToLoad"); // Check whether there is a shared object saved if(mySharedObject.data.url == null) { // Store the URL in a shared object mySharedObject.data.url = _root.inputURL; } // Get the URL getURL(mySharedObject.data.url); // Create a new shared object or read an existing one mySharedObject = SharedObject.getLocal(“urlToLoad"); // Check whether there is a shared object saved if(mySharedObject.data.url == null) { // Store the URL in a shared object mySharedObject.data.url = _root.inputURL; } // Get the URL getURL(mySharedObject.data.url); Host (Browser) Flash Player Flash Movie Flash Player Flash Movie

44 OWASP 44 Persistent FPI (continued)  After the first infection, XSS will be executed every time the movie is loaded  Attack can persist after vulnerability is fixed  IDS or IPS will only be able to detect initial infection

45 OWASP 45 Example CVE , CVE

46 OWASP 46 Adobe Presenter FPI Vulnerability  Illustration of the automatically created HTML: function showFlash(swf, w, h, loop) { var myLocation = document.location; //... s += '' //... document.write(s); } function showFlash(swf, w, h, loop) { var myLocation = document.location; //... s += '' //... document.write(s); } function showFlash(swf, w, h, loop) { var myLocation = encodeURI(document.location); //... s += '' //... document.write(s); } function showFlash(swf, w, h, loop) { var myLocation = encodeURI(document.location); //... s += '' //... document.write(s); }

47 OWASP 47 Adobe Presenter FPI Vulnerability (continued)  Movie Viewer.swf vulnerable to XSS through Flash: –Global parameter _url with payload “javascript:alert(‘XSS’)” –Global parameter baseurl with payload “asfunction:getURL,javascript:alert(‘XSS’)” –Works in Flash Player version 9,0,47,0 on both IE and Firefox  DOM based FPI allows the Flash to load within original HTML –Invisible to IPS/IDS  Vendors must recompile their Flash files to fix the problem

48 OWASP 48 Testing

49 OWASP 49 Testing  Identify controlled Flash parameters: –Query parameters (from HTML) –FlashVars (from HTML) –Uninstantiated variables (from Action Script)  Locate potentially dangerous code: –Where controlled Flash parameters are used inside methods like: getURL, loadMovie, etc. –Save sequences leading to potentially dangerous code –Associate with parameter

50 OWASP 50 Testing (continued)  Mutation - Inject values into the parameters –XSS: javascript:window.open(‘http://my.site’) –XSF: –Phishing:  Validation –Play relevant sequences belonging to mutated parameter –Verify test results –Browser events –Action Script level Test Flash movie within its original HTML environment

51 OWASP 51 More details  IBM Rational Application Security Insider Blog: (Containing presentation and whitepaper) –http://blog.watchfire.comhttp://blog.watchfire.com  Flash movie demonstrating XSF and XSS through Flash –http://demo.testfire.net/vulnerable.swfhttp://demo.testfire.net/vulnerable.swf  Contact: –Ayal Yogev (Senior Security Researcher): ayal –Adi Sharabani (Security Research Group Manager): adish

52 OWASP 52 Questions? Flash


Download ppt "OWASP 1 Flash Parameter Injection The OWASP Foundation OWASP 25/09/2008 Ayal Yogev Adi Sharabani IBM Rational Application Security."

Similar presentations


Ads by Google