« Blackbox vs. Whitebox - OWASP IL Presentation | Main | Winamp "NowPlaying" Unspecified Vulnerability: The Details »

September 18, 2008

Automated Crawling & Security Testing of Flash/Flex Web Applications

Ronen Bachar, from our own IBM Rational AppScan team, gave a presentation on the (*hot*) subject of automated Flash/Flex application security testing, at the recent OWASP IL conference that was held last week (I have a strange feeling of a Deja-Vu).

The presentation gives a high level overview of Flash, Flex and the AMF protocol, and dives into some gory details (although some gore is missing from the online presentation) regarding the challenges and possible approaches for performing automated crawling and security testing of web applications that were built using these technologies.




 

And while we're on the subject of Adobe Flash & Flex web applications - if you happen to be in New York next week for the OWASP AppSec conference, be sure to attend another presentation by our team (Adi Sharabani & Ayal Yogev), on the subject of Flash Parameter Injection.

Posted by Ory Segal on September 18, 2008 in Research, Web Application Scanners, Web Application Security |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d835130c5153ef010534adf578970b

Listed below are links to weblogs that reference Automated Crawling & Security Testing of Flash/Flex Web Applications:

Comments

HI, I've enjoyed your presentation at the OWASP IL.

Just wanted to mention that setting allowScriptAccess to sameDomain (slide 19) is the default and wouldn't be enough to prevent many of the attacks.
http://blog.guya.net/2008/09/14/encapsulating-csrf-attacks-inside-massively-distributed-flash-movies-real-world-example/

Indeed setting also allowNetworking="internal" will prevent most of the flaws opened by the aforementioned.

Posted by: guya | September 18, 2008 at 05:47 PM

Err, the default of allowScriptAccess is "" (empty) as of player version 9,0,124,0, which has basically the same impact as "none" when directly calling SWFs.

With allowNetworking set to "internal" the Flash internal functions still work (Loader, Sockets etc.)

Posted by: fukami | September 21, 2008 at 07:41 PM

fukami, I'm afraid you are wrong, the default is "sameDomain".

Look for yourself, make sure you have 9,0,124,0 or above and go here:
http://blog.guya.net/wp-content/uploads/2008/09/screenclean_demo.swf

The swf will be scripting you.

Posted by: guya | September 23, 2008 at 12:40 AM

Gotcha! Especially ExternalInterface functions shouldn't work in the first place without embedding

Thanks for the example :)

Posted by: fukami | October 07, 2008 at 11:49 AM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment