Automated Flash/Flex Crawling & Scanning

Published on September 18, 2008

Author: orysegal

Source: authorstream.com

Slide 1: Automated Crawling & Security Testing of Flash/Flex Web Applications
Ronen Bachar
Organization: IBM
Email: rbachar@il.ibm.com
Phone: 09-9629852
14/9/2008

Slide 2: Agenda
- Introduction to Flash/Flex applications
- AMF: high-level description; AMF data format and its usage
- Automated Flash testing: challenges, automated crawling, automated testing
- Overview of security risks in Flash/Flex applications

Slide 3: Flash/Flex Introduction
Flash
- Developed by Macromedia (now Adobe)
- Used to create animations, ads and various Web components, to integrate video into web pages and, more recently, to develop RIAs
- Can be consumed as a web page element or as a standalone application
- Includes scripting languages: ActionScript 1, 2 & 3
Flash Player
- Runs Flash content (SWF file format)
- Available as a plug-in for browsers (such as Mozilla Firefox and Internet Explorer) or as a standalone application
- Each version is completely backward-compatible

Slide 4: Flash/Flex Introduction (ctd.)
Flex
- Provides a framework for developing RIAs that run in Flash Player
- Instead of forcing applications into the "animation" model, developers can program real applications, using MXML (an XML document) to lay out user-interface components and ActionScript for programming
- Requires Flash Player v9
- Same file format (SWF)
- Supports only ActionScript 3
- AJAX-like attributes

Slide 5: Flash/Flex Introduction (ctd.)
- When a Flash movie is embedded in a Web page:
  - Flash -> DOM: Flash interacts with the DOM by executing JavaScript code
  - JavaScript (HTML host) -> Flash object

Slide 6: Flash in HTML page
(diagram only)

Slide 7: AMF - ActionScript Message Format
- A binary message format
- Used primarily to exchange data between a Flash/Flex application and a server-side component, by serializing ActionScript data types
- NetConnection uses AMF to send messages to a server to asynchronously invoke remote services (RPC)
- AMF 0, 3: require Flash Player 9
- The AMF protocol specification is available (see references)
- Understanding the AMF format is crucial for manipulating (fuzzing) applications that use AMF

Slide 8: AMF Format Description
- Version: 0, 3
- Header(s):
  - Header name
  - Data: serialized data (binary)
- Message(s):
  - Target URI: service name / response result
  - Response URI: /id
  - Data: serialized data (binary)

Slide 9: AMF Example
(figures: request in raw format, request decoded, response decoded)

Slide 10: Challenges of Crawling Flash
- In order to properly test Flash/Flex-based applications, we have to crawl them:
  - Detect server-side end-points (new URLs)
  - Detect client-side states and logic (Flash application tree)
- We must play the Flash movie in its "native" context:
  - The Flash movie runs in the original HTML page
  - Browser, including a JavaScript engine (for JS <-> Flash interaction)
  - Use the Flash Player plug-in
- We must support dynamic content too (where script creates content on the fly); parsing is not enough!

Slide 11: Challenges of Crawling Flash (cont.)
- States in a Flash application
- Navigation in a Flash application
- Blind crawling (soundless, no pop-ups, no visuals)
- Support inline movies too
- Since Flash Player is designed only to play movies, its programming interface is limited

Slide 12: State Management in Flash applications
- Flash applications are primarily based on animation.
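The envelope on slide 8 (version, headers, messages carrying a target URI, a response URI and serialized data) is small enough to implement directly. The following encoder/decoder is an added example and is not code from the deck or from IBM; it covers the AMF 0 envelope plus the basic value types from the AMF 0 specification the deck references (number, boolean, string, null/undefined, strict array and anonymous object). The service name "EchoService.echo" and the request contents are constructed for the example; AMF 3 values embedded through the AVM+ marker are not handled.

```python
"""AMF 0 envelope encoder/decoder: added example, not code from the deck."""
import struct

# AMF 0 type markers (from the AMF 0 specification the deck references)
NUMBER, BOOLEAN, STRING, OBJECT = 0x00, 0x01, 0x02, 0x03
NULL, UNDEFINED, OBJECT_END, STRICT_ARRAY = 0x05, 0x06, 0x09, 0x0A

def _utf8_short(s):
    """U16 length prefix + UTF-8 bytes, as used for header names, URIs and short strings."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("string too long for a U16-prefixed field")
    return struct.pack(">H", len(data)) + data

def encode_value(v):
    """Serialize a Python value as one AMF 0 value (type marker + payload)."""
    if v is None:
        return bytes([NULL])
    if isinstance(v, bool):
        return bytes([BOOLEAN, 1 if v else 0])
    if isinstance(v, (int, float)):
        return bytes([NUMBER]) + struct.pack(">d", float(v))
    if isinstance(v, str):
        return bytes([STRING]) + _utf8_short(v)
    if isinstance(v, (list, tuple)):
        return bytes([STRICT_ARRAY]) + struct.pack(">I", len(v)) + b"".join(encode_value(x) for x in v)
    if isinstance(v, dict):  # anonymous object: (key, value) pairs, then "" + object-end marker
        body = b"".join(_utf8_short(k) + encode_value(x) for k, x in v.items())
        return bytes([OBJECT]) + body + _utf8_short("") + bytes([OBJECT_END])
    raise TypeError(f"unsupported type {type(v).__name__}")

def encode_packet(messages, headers=(), version=0):
    """Build the envelope: version, headers (name, must-understand, data), messages (target, response, data)."""
    out = struct.pack(">HH", version, len(headers))
    for name, must_understand, data in headers:
        body = encode_value(data)
        out += _utf8_short(name) + bytes([1 if must_understand else 0]) + struct.pack(">I", len(body)) + body
    out += struct.pack(">H", len(messages))
    for target, response, data in messages:
        body = encode_value(data)
        out += _utf8_short(target) + _utf8_short(response) + struct.pack(">I", len(body)) + body
    return out

class AMF0Reader:
    """Cursor over a byte buffer; every read is bounds-checked so truncated input fails cleanly."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated AMF packet")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def utf8_short(self): return self.take(self.u16()).decode("utf-8")

    def value(self):
        marker = self.u8()
        if marker == NUMBER: return struct.unpack(">d", self.take(8))[0]
        if marker == BOOLEAN: return self.u8() != 0
        if marker == STRING: return self.utf8_short()
        if marker in (NULL, UNDEFINED): return None
        if marker == STRICT_ARRAY: return [self.value() for _ in range(self.u32())]
        if marker == OBJECT:
            obj = {}
            while True:
                key = self.utf8_short()
                if key == "":
                    if self.u8() != OBJECT_END:
                        raise ValueError("expected object-end marker")
                    return obj
                obj[key] = self.value()
        raise ValueError(f"unsupported AMF 0 marker 0x{marker:02x}")

def decode_packet(buf):
    """Parse the envelope back into version, headers and messages, with the data fully decoded."""
    r = AMF0Reader(buf)
    version = r.u16()
    if version not in (0, 3):
        raise ValueError(f"unknown AMF version {version}")
    headers = []
    for _ in range(r.u16()):
        name, must_understand = r.utf8_short(), r.u8() != 0
        r.u32()  # declared length (0xFFFFFFFF when unknown); the value itself is parsed instead
        headers.append({"name": name, "must_understand": must_understand, "data": r.value()})
    messages = []
    for _ in range(r.u16()):
        target, response = r.utf8_short(), r.utf8_short()
        r.u32()  # declared length, same treatment as for headers
        messages.append({"target": target, "response": response, "data": r.value()})
    if r.pos != len(buf):
        raise ValueError("trailing bytes after the last message")
    return {"version": version, "headers": headers, "messages": messages}

# Constructed sample: a remoting call to a hypothetical EchoService.echo with a strict-array argument list
SAMPLE_REQUEST = encode_packet(messages=[("EchoService.echo", "/1", ["hello", 42, {"admin": False}])])
```

Decoding `SAMPLE_REQUEST` shows exactly the fields a tester or a WAF sees on the wire: the target "EchoService.echo", the response URI "/1" and the typed arguments. Feeding the decoder a truncated or padded packet raises ValueError rather than reading past the buffer, which is the behaviour you want in anything that inspects AMF traffic at a proxy.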
- We encounter the following issues:
  - How do we identify/define "application state"?
  - How do we get the current state?
  - How do we figure out that the current state is over/idle?
- We define "state" as a "GUI object" container, i.e. movie clips, buttons & text fields
- Heuristics and the Flash plug-in give us hints that the player is "idle"

Slide 13: Navigation in Flash Application
- Navigate the Flash application in its native flow; it is still hard to define the correct "functional flow"
- Build the application tree (each node represents a state)
- Get current state details (GUI objects)
- Activate each GUI object according to its type:
  - Button: click on it, move the mouse over the button area
  - TextField: fill it in
  - MovieClip: click on it
- Navigate between states through Flash
- Unfortunately, navigating back is not trivial
- We need to store and play sequences

Slide 14: Flash Application tree
(diagram only)

Slide 15: Testing Flash Applications
- Identify controlled Flash parameters:
  - Query parameters (from HTML): http://domain/movie.swf?param1=value1
  - FlashVars (from HTML): <param name="FlashVars" value="param1=value1">
  - Uninstantiated variables (from ActionScript): getURL(clickTag, '_self')
- Locate potentially dangerous code: where controlled Flash parameters are used inside PDNFs (getURL, loadMovie, loadVariables, etc.)
- Save the sequences leading to potentially dangerous code and associate each with its parameter

Slide 16: Testing Flash Applications (ctd.)
- Mutation: inject values into the parameters
  - XSS: param1=javascript:window.open('http://my.site')
  - XSF: param2=www.movie.swf
  - Phishing: param3=www.my.site
- Validation: play the relevant sequence that belongs to the mutated parameter
- Verify test results:
  - Browser events
  - ActionScript level

Slide 17: Testing AMF Parameters
- Testing server-side AMF-speaking end-points
- Using standard parameter tampering techniques on AMF message fields: XSS, SQLi, HTTP response splitting, command execution, etc.
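Slides 12 to 14 define a state as the container of GUI objects, build a tree of states by activating each object according to its type, and store action sequences because the player offers no way to navigate back. The crawler below is an added example, not the deck's tool: it runs against a constructed model of a tiny Flash application (the APP dictionary and the SimulatedPlayer class stand in for a real movie and the Flash Player plug-in, and are assumptions of this example), identifies states by their GUI-object container, and reaches every state by restarting the movie and replaying the recorded sequence.

```python
"""State-tree crawler with stored action sequences: added example, not the deck's tool."""
from collections import deque

# Constructed model of a tiny Flash application. Each state exposes GUI objects as
# (type, name) pairs; activating a named object may move the movie to another state.
APP = {
    "root":      {"objects": [("Button", "login"), ("MovieClip", "banner")],
                  "edges": {"login": "loginForm", "banner": "promo"}},
    "loginForm": {"objects": [("TextField", "user"), ("Button", "submit")],
                  "edges": {"submit": "dashboard"}},
    "promo":     {"objects": [("Button", "close")], "edges": {"close": "root"}},
    "dashboard": {"objects": [], "edges": {}},
}

class SimulatedPlayer:
    """Stands in for the Flash Player plug-in: it can restart the movie, report the current
    GUI objects and activate one of them, but it offers no "back" operation."""
    def __init__(self, app):
        self.app, self.state = app, "root"

    def reset(self):
        self.state = "root"

    def current_objects(self):
        return list(self.app[self.state]["objects"])

    def activate(self, kind, name):
        # Activation by type, as on slide 13: buttons and movie clips are clicked, text fields filled in.
        if kind == "TextField":
            return  # in this model typing alone never changes the state
        self.state = self.app[self.state]["edges"].get(name, self.state)

def replay(player, sequence):
    """Reach a stored state: restart the movie and re-apply the recorded actions in order."""
    player.reset()
    for kind, name in sequence:
        player.activate(kind, name)

def crawl(player):
    """Breadth-first exploration. A state is identified by its GUI-object container (slide 12);
    the returned dict maps each discovered state to the action sequence that reaches it."""
    player.reset()
    start = tuple(player.current_objects())
    sequences = {start: []}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for kind, name in state:
            replay(player, sequences[state])  # no "back" button: restart and replay instead
            player.activate(kind, name)
            reached = tuple(player.current_objects())
            if reached not in sequences:
                sequences[reached] = sequences[state] + [(kind, name)]
                queue.append(reached)
    return sequences

def crawl_sample():
    """Crawl the constructed application and return its state tree."""
    return crawl(SimulatedPlayer(APP))

if __name__ == "__main__":
    for state, seq in crawl_sample().items():
        print(state, "<-", seq)
```

The replay cost grows with tree depth, which is why the deck lists navigation as a challenge: every activation of an object in a deep state costs a full restart plus replay. The same stored sequences are what slide 15 saves for parameters that flow into dangerous functions, so that the validation step on slide 16 can drive the movie back to the exact state where the parameter is used.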
(figures: original request, mutated request)

Slide 18: Overview of security risks in Flash/Flex applications
- XSS through Flash: read & write access to the HTML page or JavaScript code
- XSF: read & write access to the SWF loader, or to the HTML or JavaScript code
- Phishing through Flash
- AMF parameters: XSS, SQLi
- Cross-domain promiscuous access: read & write access to the HTML page or JavaScript code

Slide 19: Recommendations
- HTML code:
  - "allowNetworking" set to 'internal'
  - "allowScriptAccess" set to 'samedomain'
- Perform data validation on variables sent to URL functions
- Refine access with "crossdomain.xml"
- Use fscommand or ExternalInterface.call instead of "javascript:"
- Compiler settings:
  - Compile the Flash movie for Flash Player 8 or later
  - Set the "Omit trace" flag

Slide 20: References
- Creating more secure SWF web applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
- Adobe Flash Player 9 Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf
- AMF 0 Specification: http://download.macromedia.com/pub/labs/amf/amf0_spec_121207.pdf
- AMF 3 Specification: http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf
- Testing Flash Applications (Stefano Di Paola / OWASP): http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf
