Flash it baby!
whoami
Flash Isn’t Quite Dead Yet!
What’s on the Menu Today?
Introduction
Embedding into a HTML Page
Bug Hunting Strategy
What Type of Issues?
Insecure crossdomain.xml
Content Hijacking PoC Tool
CVE-2011-2461 - The Dead is Alive!
Finding CVE-2011-2461
CVE-2011-2461 Exploitation PoC
Important: Do Not Reinvent the Wheel!
Automated Testing
Updated SWFIntruder +
Try it on! Homework!
Manual Testing
Preparing the Environment (Windows)
Compiling HelloXSSWorld.as
Decompiling a SWF File
Decompiled, Now What?
Input Parameters - Sources
Sinks
Source <-> Sink Flow!
Insecure Policies in SWF Files
Sensitive Data / Hidden URLs / Gems!
Sensitive Data in Storage!
Find More! Be creative!
“ExternalInterface.call” XSS Confusion!
Bypassing Client Side Protections
More Issues…
FlashVars Tips!
Examples
Demo – Finding Vulnerabilities!
Used RegExes in Demo
Final Notes
Thank you! Questions? Really? Why?! ;)
References & Further Reading - 1
References & Further Reading - 2
References & Further Reading - 3

Flash it baby. Finding vulnerabilities in SWF files

1. Flash it baby!

Finding vulnerabilities in SWF files (v2.0)

2. whoami

♦ Security consultant at NCC Group
♦ 10+ years in web application security
♦ Researcher and bug hunter (I am trying to be?!)
♦ @irsdl
♦ https://soroush.secproject.com/blog/
© NCC Group

3. Flash Isn’t Quite Dead Yet!
♦ They ignore it, they laugh at it, but they have to fight it!
♦ They may not use it, but probably have it!
♦ SWF in JS libraries, HTML WYSIWYG editors, players in CMSes, …
♦ XSS is XSS no matter where it is!

4. What’s on the Menu Today?

♦ Assumptions:
Client-side web application issues
SWF files loaded in a browser from a website (not from the local file system, and not AIR apps)
♦ Excluded:
Making a website vulnerable by uploading a Flash file
Exploiting a website by creating a reflected Flash file (e.g. Rosetta Flash)
Attacking server-side
Nudity!!!

5. Introduction

♦ ActionScript is based on ECMAScript