Category:OWASP Flash Security Project

Overview
The OWASP Flash Security Project is an open project for sharing knowledge in order to raise awareness of Flash application security.

Goals
The OWASP Flash Security Project aims to share guidelines, tools and resources for securing Flash applications.

Videos
[1] Understanding the Flash Player Security Model Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of Flash Player's security model. Approximately 1 hour long.

[2] Billy Wins A Cheeseburger A video by HP that explains a basic Flash vulnerability that can be found by decompilers. Approximately 3 minutes long.

[3] Blinded by Flash: Widespread Security Risks Flash Developers Don't See Prajakta Jagdale describes the attack surface flash applications have based on various things developers overlook. In this presentation she talks about the basic cross domain security model between flash applets, Cross Site Scripting attacks on Flash applications, Data injection attacks, Flash malware, decompilation of Flash swf files, code and binary obfuscation and many other attack vectors which a malicious attacker could use to hack Flash applications. Approximately 1 hour long.

[4] Deblaze - A Remote Method Enumeration Tool for Flex Servers This is an excellent 20 minute presentation from DefCon 17 by Jon Rose on how to test AMF services using the deBlaze tool that he authored.

[5] RIA Security: Real-World Lessons from Flash and Silverlight Jesse Collins from Microsoft's Silverlight team and Peleus Uhley from Adobe's Flash team discuss common threats to RIA applications. Approximately 1 hour long.

White Papers / Presentations
Flash

[1] Flash Parameter Injection pdf, IBM Rational Application Security Team, OWASP AppSec 2008, 24th September 2008, NYC, NY (USA)

[2] Testing Flash Applications using WebScarab pdf, Martin Clausen - Deloitte Denmark Chapter Meeting, March 12, 2008, Denmark

[3] Testing Flash Applications ppt, Stefano Di Paola, Owasp Appsec 2007, 17th May 2007, Milan (Italy).

[4] Testing and Exploiting Flash Applications pdf, Fukami, Chaos Computer Camp, 2007

[5] Finding Vulnerabilities in Flash Applications ppt, Stefano Di Paola, Owasp Appsec 2007, 15th November 2007, San Jose, CA (USA)

[6] Neat, New, and Ridiculous Flash Hacks - whitepaper: pdf, presentation:pdf, Mike Bailey, Black Hat DC 2010, Washington, DC (USA)

AMF

[1] DeBlaze: A remote enumeration tool for Flex servers pdf, Jon Rose, DefCon 17, 31 July 2009, Las Vegas, NV (USA)

University Research

[1] ActionScript bytecode verification with co-logic programming pdf, Brian W. DeVries, Gopal Gupta, Kevin W. Hamlen, Scott Moore, and Meera Sridhar of The University of Texas at Dallas, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security 2009.

[2] Creating a more sophisticated security platform for Flash, AIR and others ppt Presented at Adobe Systems, Inc. by Meera Sridhar, November, 2009

[3] ActionScript In-Lined Reference Monitoring in Prolog pdf, Meera Sridhar and Kevin W. Hamlen of The University of Texas at Dallas, Proceedings of the Twelfth Symposium on Practical Aspects of Declarative Languages (PADL), Jan 2010.

[4] ActionScript In-lined Reference Monitoring in Prolog pptx Presented at PADL 2010, Madrid, Spain by Meera Sridhar.

Articles
[1] Creating more secure SWF web applications This Adobe Developer Center article discusses secure ActionScript programming practices.

[2] A Lazy Pen Tester’s Guide to Testing Flash Applications A short blog describing some of the basic steps of testing Flash applications by iViZ.

[3] Penetrating Intranets through Adobe Flex Applications A short blog (03/17/2010) by Marcin Wielgoszewski of Gothan Digital Science introducing the Blazentoo tool and how to take advantage of open BlazeDS proxies.

[4] Pentesting Adobe Flex Applications with a Custom AMF Client A short blog (11/11/2009) by Marcin Wielgoszewski of Gothan Digital Science on how to write custom pyAMF-based clients for testing Flex services.

[5] Understanding the security changes in Flash Player 10 - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.

[6] User-initiated action requirements in Flash Player 10 - This Adobe Developer Center article describes the new user-initiated action requires in Flash Player 10. These requirements include chances to FileReference, Clipboard, full-screen mode and pop-up windows.

[7] Preparing for the Flash Player 9 April 2008 Security Update - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.

[8] Security Changes in Flash Player 9 This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.

[9] Cross-domain policy file usage recommendations for Flash Player This Adobe Developer Center article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server.

Example Vulnerabilities
The intent of this section is to provide real-world examples of exploitation. This can be useful for consultants to help demonstrate to clients that these techniques have been used in the wild. In some instances, these examples include individual SWFs that were copied to hundreds of web sites. Therefore, a consultant should look for these specific SWFs on a website when performing an assessment to ensure that they have a current version.

clickTAG Cross-site scripting It is very common for Flash-based advertisements to accept a FlashVar called, clickTAG. The clickTAG FlashVar is intended to tell the SWF where it should navigate to next. If the clickTAG FlashVar is passed directly to a browser navigation API, such as getURL, then the attacker can achieve cross-site scripting by changing the clickTAG URL to a javascript: URL. Passing unvalidated FlashVars directly to browser navigation calls is the most common form of cross-site scripting, in general. Cross-site scripting as the result of a manipulated clickTAG FlashVar is the most common manifestation of this vulnerability.

Cross-site Scripting through Flash in Gmail Based Services This is an example of a cross-site scripting vulnerability that was the result of passing tainted data to ExternalInterface.call.

XSS Vulnerabilities in Common Flash Files This paper by Rich Cannings shows sample attack URLs for individual SWFs that are hosted across hundreds of websites. The techniques demonstrated in this paper for achieving cross-site scripting including using javascript: URLs, asfunction: URLs, and loading malicious child SWFs (aka cross-site Flashing).

Useful Specifications
SWF File Format Specification This documents the file format and structure of SWF files.

AVM2 Specification Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

AMF3 Specification The specification for version 3 of AMF used by Flash Player.

AMF0 Specification The specification for the first generation of AMF (AMF 0) used by Flash Player.

RTMP Specification This is the specification for the Real Time Messaging Protocol used by SWF content

Video File Format Specification The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

Cross-domain policy file specification This document serves as a reference for the structure and use of cross-domain policy files.

Third-party Security Libraries
AS3Crypto - An ActionScript 3.0 cryptography library.

as3corelib - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.

Alchemy ActionScript 3 Crypto Wrapper - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.

flash-validators - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.

Protected Messaging Adaptor - This addition to the latest version of BlazeDS protects against an attack that allows an untrusted individual to subscribe to wildcard sub-topics. This threat is described within this blog by James Ward.

OWASP Tools
SWFIntruder OWASP Flash security testing tool

Disassemblers
Flasm Flasm provides both disassembly and assembly functionality.

Nemo440 Nemo440 is an AIR based ActionScript 3.0 disassembler.

swfdump The Adobe Flex SDK, when built with ant, creates the swfdump utility (overview).

ErlSWF A SWF disassembly tool based authored in Erlang

abcdump The abcdump tool can be built from the tamarin source tree to disassemble AS3 byte code.

010Editor This commercial tool has a template for analyzing AS2 byte code.

Decompilers
SWFScan This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content. Available for download from here: FTP

Flare Flare ActionScript 2.0 decompiler for Windows.

Buraks ActionScript Viewer ($): An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

SoThink Flash Decompiler ($): An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

Local Shared Object Editors
SolVE Cross-platform Local Shared Object editor and viewer.

.sol Editor Windows based Local Shared Object editor

AMF Tools
DeBlaze A free tool that attempts to identify AMF services through brute force, dictionary attacks.

Blazentoo Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services.

WebScarab Full AMF support is currently checked into the main branch of the WebScarab project. It has not been rolled into the SourceForge or Java Web Start versions of the WebScarab project at the time of this writing.

WebScarab AMF Plugin This is a google code project to add AMF support as a plugin to WebScarab.

pinta Pinta is a utility that allows a developer to test services by making custom AMF service calls, and viewing detailed output. This Google Code project is based on Adobe AIR.

Charles Proxy ($): This is a basic HTTP proxy but it provides support for interpreting AMF communications. Costs approximately $50.

Burp Suite Professional ($): The 1.2.124 version of Burp Suite Pro adds AMF support to all tools except for Burp Intruder and Burp Scanner is updated to automatically place attack payloads within string-based AMF values.

Project Contributors
The Flash Security project is run by Peleus Uhley.

Project Sponsors
The Flash Security project is sponsored by