
September 18, 2008



Hi, I've enjoyed your presentation at the OWASP IL.

Just wanted to mention that setting allowScriptAccess to sameDomain (slide 19) is the default and wouldn't be enough to prevent many of the attacks.

Indeed, also setting allowNetworking="internal" will prevent most of the flaws opened by the aforementioned.
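As an added illustration (not part of the thread or the presentation), here are the two embed parameters under discussion written out explicitly in an HTML object block, first in the permissive form and then in the restricted form; example.swf is a placeholder file name:

```html
<!-- Added example, not from the thread. example.swf is a placeholder. -->

<!-- Permissive embed: the SWF may call into the embedding page's
     JavaScript (ExternalInterface) from any origin and may use every
     networking API, including browser navigation (navigateToURL). -->
<object type="application/x-shockwave-flash" data="example.swf" width="300" height="200">
  <param name="movie" value="example.swf" />
  <param name="allowScriptAccess" value="always" />
  <param name="allowNetworking" value="all" />
</object>

<!-- Restricted embed: allowScriptAccess="never" blocks all scripting of
     the embedding page; allowNetworking="internal" keeps the player's own
     networking APIs (Loader, URLLoader, Socket) working but blocks the
     browser navigation and browser interaction APIs. -->
<object type="application/x-shockwave-flash" data="example.swf" width="300" height="200">
  <param name="movie" value="example.swf" />
  <param name="allowScriptAccess" value="never" />
  <param name="allowNetworking" value="internal" />
</object>
```

The accepted values are always, sameDomain and never for allowScriptAccess, and all, internal and none for allowNetworking; "none" additionally disables the player-internal networking APIs that "internal" leaves available.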


Err, the default of allowScriptAccess is "" (empty) as of player version 9,0,124,0, which has basically the same impact as "none" when directly calling SWFs.

With allowNetworking set to "internal" the Flash internal functions still work (Loader, Sockets etc.).


fukami, I'm afraid you are wrong, the default is "sameDomain".

Look for yourself, make sure you have 9,0,124,0 or above and go here:

The swf will be scripting you.


Gotcha! Especially ExternalInterface functions shouldn't work in the first place without embedding.

Thanks for the example :)
