Ronen Bachar, from our own IBM Rational AppScan team, gave a presentation on the (*hot*) subject of automated Flash/Flex application security testing at the OWASP IL conference held last week (I have a strange feeling of déjà vu).
The presentation gives a high level overview of Flash, Flex and the AMF protocol, and dives into some gory details (although some gore is missing from the online presentation) regarding the challenges and possible approaches for performing automated crawling and security testing of web applications that were built using these technologies.
And while we're on the subject of Adobe Flash & Flex web applications - if you happen to be in New York next week for the OWASP AppSec conference, be sure to attend another presentation by our team (Adi Sharabani & Ayal Yogev), on the subject of Flash Parameter Injection.
Hi, I've enjoyed your presentation at the OWASP IL.
Just wanted to mention that setting allowScriptAccess to sameDomain (slide 19) is the default and wouldn't be enough to prevent many of the attacks.
http://blog.guya.net/2008/09/14/encapsulating-csrf-attacks-inside-massively-distributed-flash-movies-real-world-example/
Indeed, also setting allowNetworking="internal" will prevent most of the flaws opened by the aforementioned.
Posted by: guya | September 18, 2008 at 05:47 PM
Err, the default of allowScriptAccess is "" (empty) as of player version 9,0,124,0, which has basically the same impact as "none" when directly calling SWFs.
With allowNetworking set to "internal" the Flash internal functions still work (Loader, Sockets etc.).
Posted by: fukami | September 21, 2008 at 07:41 PM
fukami, I'm afraid you are wrong, the default is "sameDomain".
Look for yourself, make sure you have 9,0,124,0 or above and go here:
http://blog.guya.net/wp-content/uploads/2008/09/screenclean_demo.swf
The swf will be scripting you.
Posted by: guya | September 23, 2008 at 12:40 AM
Gotcha! Especially ExternalInterface functions shouldn't work in the first place without embedding.
Thanks for the example :)
Posted by: fukami | October 07, 2008 at 10:49 AM
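The thread above argues over which embed parameters actually lock a SWF down. As an added example (not code from the post or from either commenter), here is a small audit that scans the `<object>`/`<embed>` tags in a page and reports any SWF whose allowScriptAccess is not "never" or whose allowNetworking is not "internal"/"none"; the parameter names and their value sets are Adobe's documented ones, the regex-based tag extraction and the sample markup are assumptions constructed for this demo.

```javascript
// Added example, not part of the original post: audit Flash embed settings.
// allowScriptAccess: always | sameDomain | never; allowNetworking: all | internal | none.
// The markup below is constructed sample input, not a real page.
const SAMPLE_HTML = `
<object type="application/x-shockwave-flash" data="/media/banner.swf">
  <param name="movie" value="/media/banner.swf">
  <param name="allowScriptAccess" value="sameDomain">
</object>
<embed src="/media/player.swf" allowScriptAccess="always" allowNetworking="all">
<embed src="/media/clock.swf" allowScriptAccess="never" allowNetworking="internal">
`;

// name="value" pairs of one tag, keyed by lower-cased attribute name.
function parseAttrs(text) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  for (let m; (m = re.exec(text)) !== null;) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Findings for one SWF's settings; an empty list means both knobs are locked down.
function rateSettings(s) {
  const sa = (s.allowscriptaccess || '').toLowerCase();
  const an = (s.allownetworking || '').toLowerCase();
  const out = [];
  if (sa === '') out.push('allowScriptAccess not set: effective value depends on the player default');
  else if (sa !== 'never') out.push(`allowScriptAccess=${s.allowscriptaccess}: SWF may script the page`);
  if (an !== 'internal' && an !== 'none') out.push('allowNetworking not internal/none: browser navigation APIs reachable');
  return out;
}

// One record per SWF: { src, findings }. <object> keeps its settings in <param>
// children; <embed> keeps them as attributes on the tag itself.
function auditFlashEmbeds(html) {
  const records = [];
  const objRe = /<object\b([^>]*)>([\s\S]*?)<\/object>/gi;
  for (let m; (m = objRe.exec(html)) !== null;) {
    const settings = {};
    const paramRe = /<param\b([^>]*)>/gi;
    for (let p; (p = paramRe.exec(m[2])) !== null;) {
      const a = parseAttrs(p[1]);
      if (a.name) settings[a.name.toLowerCase()] = a.value;
    }
    const src = parseAttrs(m[1]).data || settings.movie || '(unknown)';
    records.push({ src, findings: rateSettings(settings) });
  }
  const embedRe = /<embed\b([^>]*)>/gi;
  for (let m; (m = embedRe.exec(html)) !== null;) {
    const a = parseAttrs(m[1]);
    records.push({ src: a.src || '(unknown)', findings: rateSettings(a) });
  }
  return records;
}

for (const r of auditFlashEmbeds(SAMPLE_HTML)) console.log(r.src, r.findings);
```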