OWASP IL Flash Flex Automated Testing

Information about OWASP IL Flash Flex Automated Testing

Published on September 18, 2008

Author: orysegal

Source: authorstream.com

Automated Crawling & Security Testing of Flash/Flex Web Applications

Ronen Bachar
Organization: IBM
Email: rbachar@il.ibm.com
Phone: 09-9629852
14/9/2008

Slide 2: Agenda
- Introduction to Flash/Flex applications
- AMF: high-level description; AMF data format and its usage
- Automated Flash testing challenges: automated crawling; automated testing
- Overview of security risks in Flash/Flex applications

Slide 3: Flash/Flex Introduction
- Flash was developed by Macromedia (now Adobe).
- Flash is used to create animations, ads and various Web components, to integrate video into web pages and, more recently, to develop RIAs.
- Can be consumed as a web page element or as a standalone application.
- Includes scripting languages: ActionScript 1, 2 & 3.
- Flash Player runs Flash content (SWF file format). It is available as a plug-in for browsers (such as Mozilla Firefox and Internet Explorer) or as a standalone application. Each version is completely backward-compatible.

Slide 4: Flash/Flex Introduction (ctd.)
- Flex provides a framework for developing RIAs that run in Flash Player.
- Instead of forcing applications into the "animation" model, developers can program real applications using MXML (an XML document) to lay out user-interface components, and ActionScript for programming.
- Requires Flash Player v9; same file format (SWF); supports only ActionScript 3; AJAX-like attributes.

Slide 5: Flash/Flex Introduction (ctd.)
When a Flash movie is embedded in a Web page:
- Flash -> DOM: interacts with the DOM by executing JavaScript code
- JavaScript (HTML host) -> Flash object

Slide 6: Flash in HTML page
[Diagram]

Slide 7: AMF - ActionScript Message Format
- A binary message format.
- Used primarily to exchange data between a Flash/Flex application and a server-side component, by serializing ActionScript data types.
- NetConnection uses AMF to send messages to a server to asynchronously invoke remote services (RPC).
- AMF 0, 3 - require Flash Player 9.
- The AMF protocol specification is available (see references).
- Understanding the AMF format is crucial for manipulating (fuzzing) applications that use AMF.

Slide 8: AMF Format Description
- Version: 0, 3
- Header(s): header name; data: serialized data (binary)
- Message(s): target URI: service name / response result; response URI: /id; data: serialized data (binary)

Slide 9: AMF Example
[Figures: Request (raw format); Request (decoded); Response (decoded)]

Slide 10: Challenges of Crawling Flash
- In order to properly test Flash/Flex-based applications, we have to crawl them: detect server-side end-points (new URLs); detect client-side states and logic (the Flash application tree).
- We must play the Flash movie in its "native" context: the Flash movie runs in the original HTML page; the browser includes a JavaScript engine (for JS <-> Flash interaction); use the Flash Player plug-in.
- We must support dynamic content too (where script creates content on the fly); parsing is not enough!

Slide 11: Challenges of Crawling Flash (cont.)
- States in a Flash application
- Navigation in a Flash application
- Blind crawling (soundless, no pop-ups, no visuals)
- Support inline movies too
- Since Flash Player is designed only to play movies, its programming interface is limited

Slide 12: State Management in Flash applications
- Flash applications are primarily based on animation. We encounter the following issues: how do we identify/define "application state"? How do we get the current state? How do we figure out that the current state is over/idle?
- We define "state" as a "GUI object" container, i.e. movie clips, buttons & text fields.
- Heuristics & the Flash plug-in give us hints that the player is "idle".

Slide 13: Navigation in Flash Application
- Navigate the Flash application in its native flow; it is still hard to define the correct "functional flow".
- Build an application tree (each node represents a state).
- Get current state details (GUI objects).
- Activate each GUI object according to its type: Button - click on it, move the mouse over the button area; TextField - fill it in; MovieClip - click on it.
- Navigating between states through Flash: unfortunately, navigating back is not trivial; we need to store and play sequences.

Slide 14: Flash Application tree
[Diagram]

Slide 15: Testing Flash Applications
- Identify controlled Flash parameters:
  - Query parameters (from HTML): http://domain/movie.swf?param1=value1
  - FlashVars (from HTML): <param name="FlashVars" value="param1=value1">
  - Uninstantiated variables (from ActionScript): getURL(clickTag, '_self')
- Locate potentially dangerous code: where controlled Flash parameters are used inside PDNFs (getURL, loadMovie, loadVariables, etc.).
- Save the sequences leading to potentially dangerous code and associate each with its parameter.

Slide 16: Testing Flash Applications (ctd.)
- Mutation - inject values into the parameters:
  - XSS: param1=javascript:window.open('http://my.site')
  - XSF: param2=www.evil.site/movie.swf
  - Phishing: param3=www.my.site
- Validation: play the relevant sequence belonging to the mutated parameter.
- Verify test results: browser events; ActionScript level.

Slide 17: Testing AMF Parameters
- Testing server-side AMF-speaking end-points.
- Using standard parameter tampering techniques on AMF message fields: XSS, SQLi, HTTP response splitting, command execution, etc.
[Figures: Original Request; Mutated Request]

Slide 18: Overview of security risks in Flash/Flex applications
- XSS through Flash: read & write access to the HTML page or JavaScript code
- XSF: read & write access to the SWF loader, or to the HTML or JavaScript code
- Phishing through Flash
- AMF parameters: XSS, SQLi
- Cross-domain promiscuous access: read & write access to the HTML page or JavaScript code

Slide 19: Recommendations
- HTML code: set "allowNetworking" to 'internal'; set "allowScriptAccess" to 'samedomain'
- Perform data validation on variables sent to URL functions
- Refine access with "crossdomain.xml"
- Use fscommand or ExternalInterface.call instead of "javascript:"
- Compiler settings: compile the Flash movie for Flash Player 8 or later; set the Omit trace flag

Slide 20: References
- Creating more secure SWF web applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
- Adobe Flash Player 9 Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf
- AMF 0 Specification: http://download.macromedia.com/pub/labs/amf/amf0_spec_121207.pdf
- AMF 3 Specification: http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf
- Testing Flash Applications (Stefano Di Paola / OWASP): http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf
