« Blackbox vs. Whitebox - OWASP IL Presentation | Main | Winamp NowPlaying Unspecified Vulnerability: The Details »

September 18, 2008

Comments

guya

HI, I've enjoyed your presentation at the OWASP IL.

Just wanted to mention that setting allowScriptAccess to sameDomain (slide 19) is the default and wouldn't be enough to prevent many of the attacks.
https://blog.guya.net/2008/09/14/encapsulating-csrf-attacks-inside-massively-distributed-flash-movies-real-world-example/

Indeed setting also allowNetworking="internal" will prevent most of the flaws opened by the aforementioned.

fukami

Err, the default of allowScriptAccess is "" (empty) as of player version 9,0,124,0, which has basically the same impact as "none" when directly calling SWFs.

With allowNetworking set to "internal" the Flash internal functions still work (Loader, Sockets etc.)

guya

fukami, I'm afraid you are wrong, the default is "sameDomain".

Look for yourself, make sure you have 9,0,124,0 or above and go here:
https://blog.guya.net/wp-content/uploads/2008/09/screenclean_demo.swf

The swf will be scripting you.

fukami

Gotcha! Especially ExternalInterface functions shouldn't work in the first place without embedding

Thanks for the example :)

The comments to this entry are closed.

Follow us on Twitter

AppScan Free Trial


Try IBM Security AppScan software at no charge.

Become a Fan