Category:OWASP Flash Security Project

2012-04-17T18:32:21Z

Puhley: /* AMF Tools */

==== Main ====

== Overview ==

The OWASP Flash Security Project is an open project for sharing knowledge in order to raise awareness of Flash application security.

== Goals ==

The OWASP Flash Security Project aims to share guidelines, tools and resources for securing Flash applications.

 

== Table of Contents ==

{| cellspacing="1" cellpadding="1" border="0" style="width: 651px; height: 66px;"
|-
| '''Research'''
| '''References'''
| '''Tools'''
| '''Libraries'''
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Videos Videos]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#References References]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#OWASP_Tools OWASP Tools]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Third-party_Security_Libraries 3rd Party Libs]
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#White_Papers_.2F_Presentations White Papers/Presentations]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Useful_Specifications Specifications]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Static_Analysis Static Analysis]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Articles Articles]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Disassemblers Disassemblers]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Example_Vulnerabilities Example Vulnerabilities]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Decompilers Decompilers]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Obfuscators Obfuscators]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Local_Shared_Object_Editors LSO Editors]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#AMF_Tools AMF Tools]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Analysis Analysis/Defense]
|
|}

 

== Videos ==

* [http://tv.adobe.com/show/how-to-develop-secure-flash-platform-apps/ How to Develop Secure Flash Platform Apps] An Adobe TV series discussing how to author and test secure Flash applications. The presentations cover common vulnerabilities in SWF content and how to avoid them. Each video is about 5-10 minutes long and is by Peleus Uhley.

* [http://tv.adobe.com/watch/max-2010-develop/creating-secure-actionscript-applications/ Creating Secure ActionScript Applications] An hour long video targeted at developers and QEs on creating secure Flash applications from Adobe MAX 2010. Adobe MAX is Adobe's developer conference. The talk is by Peleus Uhley.

* [http://vimeo.com/15506137 Assessing, Testing & Validating Flash Content] A 45 minute talk from OWASP AppSec USA 2010 on how to assess and test Flash applications. The talk is by Peleus Uhley.

* [http://tv.adobe.com/#vi+f15384v1102 Understanding the Flash Player Security Model] Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of Flash Player's security model. Approximately 1 hour long.

* [http://h30431.www3.hp.com/index.jsp?fr_story=3a98c704f7ef61299c19ef1f648f1acb1a5aeab8&rf=bm Billy Wins A Cheeseburger] A video by HP that explains a basic Flash vulnerability that can be found by decompilers. Approximately 3 minutes long.

* [http://securitytube.net/Hacking-Flash-Applications-for-Fun-and-Profit-(Blackhat)-video.aspx Blinded by Flash: Widespread Security Risks Flash Developers Don't See] Prajakta Jagdale describes the attack surface flash applications have based on various things developers overlook. In this presentation she talks about the basic cross domain security model between flash applets, Cross Site Scripting attacks on Flash applications, Data injection attacks, Flash malware, decompilation of Flash swf files, code and binary obfuscation and many other attack vectors which a malicious attacker could use to hack Flash applications. Approximately 1 hour long.

* [https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Jon%20Rose%20-%20Deblaze%20A%20Remote%20Method%20Enumeration%20Tool%20for%20Flex%20Servers%20-%20Video%20and%20Slides.m4v Deblaze - A Remote Method Enumeration Tool for Flex Servers] This is an excellent 20 minute presentation from DefCon 17 by Jon Rose on how to test AMF services using the deBlaze tool that he authored.

* [http://technet.microsoft.com/en-us/security/ee460903.aspx#ria RIA Security: Real-World Lessons from Flash and Silverlight] Jesse Collins from Microsoft's Silverlight team and Peleus Uhley from Adobe's Flash team discuss common threats to RIA applications. Approximately 1 hour long.

 

== White Papers / Presentations ==

'''Flash'''

* '''Flash Parameter Injection''' [http://blog.watchfire.com/FPI.pdf pdf], IBM Rational Application Security Team, [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference OWASP AppSec 2008], 24th September 2008, NYC, NY (USA)

* '''Testing Flash Applications using WebScarab''' [https://www.owasp.org/images/5/58/Testing_Flash_Applications.pdf pdf], Martin Clausen - Deloitte [http://www.owasp.org/index.php/Denmark Denmark Chapter Meeting], March 12, 2008, Denmark

* '''Testing Flash Applications''' [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda Owasp Appsec 2007], 17th May 2007, Milan (Italy).

* '''Testing and Exploiting Flash Applications''' [http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf pdf], Fukami, Chaos Computer Camp, 2007

* '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose, CA (USA)

* '''Neat, New, and Ridiculous Flash Hacks''' - whitepaper: [http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-wp.pdf pdf], presentation:[http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-slides.pdf pdf], Mike Bailey, Black Hat DC 2010, Washington, DC (USA)

 '''AMF'''

* '''Pentesting Adobe Flex Applications''' - [http://www.gdssecurity.com/l/OWASP_NYNJMetro_Pentesting_Flex.pdf pdf], Marcin Wielgoszewski, April 2010 OWASP NYC Chapter Meeting, NYC, NY (USA)

* '''DeBlaze: A remote enumeration tool for Flex servers''' [http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-jon_rose-deblaze.pdf pdf], Jon Rose, [http://www.defcon.org/html/links/dc-archives/dc-17-archive.html#Rose DefCon 17], 31 July 2009, Las Vegas, NV (USA)

 '''University Research'''

* '''ActionScript bytecode verification with co-logic programming''' [http://portal.acm.org/citation.cfm?id=1554339.1554342 pdf], Brian W. DeVries, Gopal Gupta, Kevin W. Hamlen, Scott Moore, and Meera Sridhar of The University of Texas at Dallas, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security 2009.

* '''Creating a more sophisticated security platform for Flash, AIR and others''' [http://www.utdallas.edu/~mxs072100/Adobe.ppt ppt] Presented at Adobe Systems, Inc. by Meera Sridhar, November, 2009

* '''ActionScript In-Lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl.pdf pdf], Meera Sridhar and Kevin W. Hamlen of The University of Texas at Dallas, Proceedings of the Twelfth Symposium on Practical Aspects of Declarative Languages (PADL), Jan 2010.

* '''ActionScript In-lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl10.pptx pptx] Presented at PADL 2010, Madrid, Spain by Meera Sridhar.

 

== Articles ==

'''Development'''
* [http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html Creating more secure SWF web applications] This Adobe Developer Center article discusses secure ActionScript programming practices.

* [http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html Cross-domain policy file usage recommendations for Flash Player] This Adobe Developer Center article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server.

* [http://www.insideria.com/2010/03/flash-player-10-security-model.html Flash Player 10 Security Model: Stakeholders and Sandboxes] This is an article that condenses the official Flash Player Security Model down to a one page article discussing the stakeholders and sandboxes.

* [http://theflashblog.com/?p=419 AMFPHP Security Basics] This a blog covering how to secure AMFPHP version 1.9 and higher. AMFPHP is server-side code that receives AMF requests from Flash clients.

* [http://blogs.adobe.com/asset/2009/11/securely_deploying_cross-domai.html Securely Deploying Cross-Domain Policy files] This Adobe ASSET blog provides 5 tips for securely deploying cross-domain policy files.

* [http://askmeflash.com/article/16/securing-your-flash-application Securing your Flash Application] A quick ten item checklist of high level things to look for in your SWF before shipping.

* [http://www.senocular.com/flash/tutorials/contentdomains/ Security Domains, Application Domains, and More in ActionScript 3.0] A fairly in depth article by Senocular.com explaining security domains, application domains, cross-domain policy files, allowDomain() and more.

'''Penetration Testing'''
* [http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/ A Lazy Pen Tester’s Guide to Testing Flash Applications] A short blog describing some of the basic steps of testing Flash applications by iViZ.

* [http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/ Penetrating Intranets through Adobe Flex Applications] A short blog (03/17/2010) by Marcin Wielgoszewski of Gothan Digital Science introducing the [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] tool and how to take advantage of open BlazeDS proxies.

* [http://www.gdssecurity.com/l/b/2009/11/11/pentesting-adobe-flex-applications-with-a-custom-amf-client/ Pentesting Adobe Flex Applications with a Custom AMF Client] A short blog (11/11/2009) by Marcin Wielgoszewski of Gothan Digital Science on how to write custom pyAMF-based clients for testing Flex services.

* [http://erlend.oftedal.no/blog/?blogid=103 Client-side Remote File Inclusion in Flash] This blog discusses how to perform cross-site scripting attacks against applications that read in XML configuration files.

* [http://code.google.com/p/doctype/wiki/ArticleFlashSecurity Flash Security] A Google code article on different types of cross-site scripting and crossdomain.xml attacks.

'''Updates to the Flash Player Security Model'''
* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10.1_air2_security_changes.html Understanding the security changes in Flash Player 10.1 and AIR 2] - This Adobe Developer Center article describes the new changes that affect security in Flash Player 10.1 and AIR. This article discusses a new feature, LoaderContext.allowCodeImport, which can help in safely loading remote content via loadBytes(). It also discusses minor changes in behavior that may require action by the developer.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html Understanding the security changes in Flash Player 10] - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_uia_requirements.html User-initiated action requirements in Flash Player 10] - This Adobe Developer Center article describes the new user-initiated action requires in Flash Player 10. These requirements include chances to FileReference, Clipboard, full-screen mode and pop-up windows.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html Preparing for the Flash Player 9 April 2008 Security Update] - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html Security Changes in Flash Player 9] This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.

 

== Example Vulnerabilities ==

''The intent of this section is to provide real-world examples of exploitation. This can be useful for consultants to help demonstrate to clients that these techniques have been used in the wild. In some instances, these examples include individual SWFs that were copied to hundreds of web sites. Therefore, a consultant should look for these specific SWFs on a website when performing an assessment to ensure that they have a current version.''

* [http://web.appsec.ws/FlashExploitDatabase.php Flash Exploit Database] This contains a list of popular, shared SWFs that have cross-site scripting vulnerabilities.

* [http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html Cross-site Scripting through Flash in Gmail Based Services] - This is an example of a cross-site scripting vulnerability that was the result of passing tainted data to ExternalInterface.call.

* [http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw XSS Vulnerabilities in Common Flash Files] - This paper by Rich Cannings shows sample attack URLs for individual SWFs that are hosted across hundreds of websites. The techniques demonstrated in this paper for achieving cross-site scripting including using javascript: URLs, asfunction: URLs, and loading malicious child SWFs (aka cross-site Flashing).

* [http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004514.html clickTAG Cross-site scripting] - It is very common for Flash-based advertisements to accept a FlashVar called, clickTAG. If the clickTAG FlashVar is passed directly to a browser navigation API, such as getURL, then the attacker can achieve cross-site scripting by changing the clickTAG URL to a javascript: URL. Cross-site scripting as the result of a manipulated clickTAG FlashVar is the most common manifestation of cross-site scripting in Flash content.

* [http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html I used to know what you watched on YouTube] - Jeremiah Grossman's blog post regarding his attack on youTube.com's "*.google.com" cross-domain permission.

 

== References ==

* [http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004) OWASP Testing Guide: Testing for cross-site flashing] - Covers finding both cross-site scripting and cross-site flashing.

* [http://www.adobe.com/devnet/flashplayer/security.html Adobe Flash Player Developer Center Security section] - Where Adobe posts articles and information related to Flash Player security.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html Adobe Flash Player 10 Security Model]

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf Adobe Flash Player 9 Security Model]

* [http://www.adobe.com/support/security/ Adobe Security Bulletins and Advisories] This is where Adobe posts all of their security advisories and bulletins.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7f9b.html Applying Flex Security] The security chapter from the Adobe Flex 4 manual.

* [http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9b90204-7d23.html Flash Player Security] The security chapter from the Programming ActionScript 3.0 section the Flash CS4 Documentation.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7d14.html Developing and Loading Sub-applications] This Flex SDK framework allows two or more untrusted SWFs to pass limited information between each other through the use of Shared Events.

 
== Useful Specifications ==

* [http://www.adobe.com/devnet/swf/ SWF File Format Specification] This documents the file format and structure of SWF files.

* [http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf AVM2 Specification] Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf3_spec_05_05_08.pdf AMF3 Specification] The specification for version 3 of AMF used by Flash Player.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf0_spec_121207.pdf?version=1 AMF0 Specification] The specification for the first generation of AMF (AMF 0) used by Flash Player.

* [http://www.adobe.com/devnet/rtmp/ RTMP Specification] This is the specification for the Real Time Messaging Protocol used by SWF content

* [http://www.adobe.com/devnet/flv/ Video File Format Specification] The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

* [http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html Cross-domain Policy File Specification] This document serves as a reference for the structure and use of cross-domain policy files.

* [http://www.mozilla.org/projects/tamarin/ Tamarin Open Source Project] The Tamarin virtual machine is used within the Adobe Flash Player and is also being adopted for use by projects outside Adobe. The Tamarin just-in-time compiler (the "NanoJIT") is a collaboratively developed component used by both Tamarin and Mozilla TraceMonkey.

 

== Third-party Security Libraries ==

* [http://crypto.hurlant.com/ AS3Crypto] - An ActionScript 3.0 cryptography library.

* [http://code.google.com/p/as3corelib/ as3corelib] - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.

* [http://labs.adobe.com/wiki/index.php/Alchemy:Libraries Alchemy ActionScript 3 Crypto Wrapper] - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.

* [http://code.google.com/p/flash-validators/ flash-validators] - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.

* [http://bugs.adobe.com/jira/browse/BLZ-415 Protected Messaging Adaptor] - This addition to the latest version of BlazeDS protects against an attack that allows an untrusted individual to subscribe to wildcard sub-topics. This threat is described within this [http://www.jamesward.com/blog/2009/07/22/protected-messaging-in-flex-with-blazeds-and-lcds/ blog] by James Ward.

* [http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/mx/validators/package-detail.html Flex validators] - Validation routines contained within the Adobe Flex SDK.

 

== OWASP Tools ==

* [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder] OWASP Flash security testing tool

 
== Static Analysis ==

* [http://opensource.adobe.com/wiki/display/flexpmd/FlexPMD FlexPMD] Performs general code analysis with a few security checks.

* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Fortify Static Code Analyzer] '''($)''' Fortify's SCA supports searching for vulnerabilities within ActionScript 3.0, Flex 3 and Flex 4 applications.

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/ FlashDiggity] FlashDiggity is part of the SearchDiggity tool created by the Stach & Liu consulting firm. It will decompile the SWF and use regular expressions to search for strings that are security related.

* [http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167 SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

 

== Disassemblers ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] An Adobe Labs project that performs disassembly of ActionScript 2 and ActionScript 3. Also shows SWF Tag information.

* [http://flasm.sourceforge.net/ Flasm] Flasm provides both disassembly and assembly functionality.

* [http://www.docsultant.com/nemo440/ Nemo440] Nemo440 is an AIR based ActionScript 3.0 disassembler.

* [http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/bin/ swfdump] The Adobe Flex SDK, when built with ant, creates the swfdump utility ([http://blogs.adobe.com/gosmith/2008/02/disassembling_a_swf_with_swfdu_1.html overview]).

* [http://code.google.com/p/erlswf/ ErlSWF] A SWF disassembly tool based authored in Erlang

* [http://www.masonchang.com/2008/06/building-abcdump.html abcdump] The abcdump tool can be built from the tamarin source tree to disassemble AS3 byte code.

* [http://www.sweetscape.com/010editor/ 010Editor] This commercial tool has a [http://www.sweetscape.com/010editor/templates/files/SWFTemplate.bt template] for analyzing AS2 byte code.

* [http://segfaultlabs.com/swfutils swfutils] An ActionScript 3 library for disassembling SWF files.

* [https://github.com/CyberShadow/RABCDAsm#readme RABCDAsm] RABCDAsm is a collection of utilities including an ActionScript 3 assembler/disassembler, and a few tools to manipulate SWF files.

* [http://yogda.com/ Yogda AVM2 Workbench] Yogda® is a development tool for intermediate/advanced actionscript programmers. It includes an AVM2 disassembler.

 

== Decompilers ==

* [http://www.flash-decompiler.com/ Flash Decompiler Trillix] '''($):''' Windows and Mac versions. Supports ActionScript 2.0 and ActionScript 3.0, Flash 5, 6, 7, 8, 9, 10, Flash CS5 and Flex. Able to extract resources,edit SWF elements and provide a source FLA file. Costs @ $80 plus tax/shipping.

* [https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

* [http://www.nowrap.de/flare.html Flare] Flare ActionScript 2.0 decompiler for Windows, Linux and Mac OS X.

* [http://www.buraks.com/asv/ Buraks ActionScript Viewer] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.sothink.com/product/flashdecompiler/ SoThink Flash Decompiler] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.dcomsoft.com/download/dfdinstall.exe Dump Flash Decompiler] Freeware program that treats compressed and decompressed SWF-files and shows the detailed structure in the tree form. Windows.

 

== Obfuscators ==

It should be noted that no obfuscator can protect a SWF from being reverse engineered. An attacker will always be able to extract data from SWFs if they believe it is worth the effort. Obfuscators are only serve as a deterrent for preventing casual inspection of the SWF.

It should also be noted that some obfuscators generate SWFs that do not conform to the Adobe SWF file format specification. Flash Player may still be able to play them but they do not conform to the spec. This could lead to some security tools such as Blitzablieter rejecting them as potentially malicious.

*[http://www.dcomsoft.com/ DComSoft SWF Protector] '''($):''' ActionScript 2.0/3.0 obfuscator for protecting your SWF files from Flash Decompilers. Available for Windows, Mac OS, Linux. Costs approximately $40.

 

== Local Shared Object Editors ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Cross-platform tool for viewing and editing LSOs.

* [http://blog.coursevector.com/flashbug Flashbug] An extension for the Firefox Firebug plugin.

* [http://solve.sourceforge.net/ SolVE] Cross-platform Local Shared Object editor and viewer.

* [http://sourceforge.net/projects/soleditor/ .sol Editor] Windows based Local Shared Object editor

 

== AMF Tools ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Allows sending of custom messages, simple fuzzing and service identification of AMF endpoints.

* [http://blog.coursevector.com/flashbug Flashbug] An extension for the Firefox Firebug plugin that allows you to view AMF data sent to and from the page to the server.

* [http://deblaze-tool.appspot.com/ DeBlaze] A free tool that attempts to identify AMF services through brute force, dictionary attacks.

* [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services.

* [http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Full AMF support is currently checked into the main branch of the WebScarab project. It has not been rolled into the SourceForge or Java Web Start versions of the WebScarab project at the time of this writing.

* [http://code.google.com/p/webscarab-amf-plugin/ WebScarab AMF Plugin] This is a google code project to add AMF support as a plugin to WebScarab.

* [http://amfparser.codeplex.com/ AMF Parser] AMFParser plugin for Fiddler2 web debugger. It can be used for parsing and displaying AMF data inside HTTP's POST requests and responses.

* [http://code.google.com/p/pinta/ pinta] Pinta is a utility that allows a developer to test services by making custom AMF service calls, and viewing detailed output. This Google Code project is based on Adobe AIR.

* [http://www.charlesproxy.com/ Charles Proxy] '''($):''' This is a basic HTTP proxy but it provides support for interpreting AMF communications. Costs approximately $50.

* [http://releases.portswigger.net/2009/08/v1214.html Burp Suite Professional] '''($):''' The 1.2.124 version of Burp Suite Pro adds AMF support to all tools except for Burp Intruder and Burp Scanner is updated to automatically place attack payloads within string-based AMF values.

* [http://george.hedfors.com/content/action-message-format-amf-shell AMF Shell] AMF Shell is a command line utility based on Python that enumerates services and allows the user to send customized AMF messages to a server.

 

== Cross-Domain Tools ==

* [http://web.appsec.ws/Tools/Crossdomain.swf Cross-domain Policy Analyzer] A tool to test your cross-domain policy file by Jason Calvert of WhiteHat Security.

 

== Analysis ==

* [http://www.utdallas.edu/~mxs072100/ASIRM_project.html Certifying IRM for ActionScript Bytecode] This page contains the binaries for Meera Sridhar's research into using In-lined Reference Monitors to rewrite ActionScript bytecode for the purposes of policy enforcement. This project is currently targeted at AVM2 code.

* [http://blitzableiter.recurity.com/ Blitzablieter] Blitzablieter is a project currently run by Recurity Labs and the German government. The goal is to prevent malicious SWFs from entering a network through normalization and policy enforcement. This project currently handles AVM1 code.

* [http://wepawet.iseclab.org/ Wepawet] Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. It is currently run by University of California, Santa Barbara.

* [https://github.com/sporst/SWFREtools/ SWFRETools] The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.

 

== Project Contributors ==

The Flash Security project is run by [[:User:Puhley|Peleus Uhley]].

== Project Sponsors ==

The Flash Security project is sponsored by [http://www.mindedsecurity.com [[Image:|MindedLogo.PNG]]]

==== Project Identification ====

{{Template:Project Details/OWASP_Flash_Security_Project | OWASP Project Identification Tab}}

__NOTOC__ <headertabs />

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Flash Security Project]] [[Category:OWASP_Download]] [[Category:OWASP_Tool]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]

Category:OWASP Flash Security Project

2012-03-26T22:41:24Z

Puhley: /* AMF Tools */

==== Main ====

== Overview ==

The OWASP Flash Security Project is an open project for sharing knowledge in order to raise awareness of Flash application security.

== Goals ==

The OWASP Flash Security Project aims to share guidelines, tools and resources for securing Flash applications.

 

== Table of Contents ==

{| cellspacing="1" cellpadding="1" border="0" style="width: 651px; height: 66px;"
|-
| '''Research'''
| '''References'''
| '''Tools'''
| '''Libraries'''
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Videos Videos]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#References References]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#OWASP_Tools OWASP Tools]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Third-party_Security_Libraries 3rd Party Libs]
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#White_Papers_.2F_Presentations White Papers/Presentations]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Useful_Specifications Specifications]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Static_Analysis Static Analysis]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Articles Articles]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Disassemblers Disassemblers]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Example_Vulnerabilities Example Vulnerabilities]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Decompilers Decompilers]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Obfuscators Obfuscators]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Local_Shared_Object_Editors LSO Editors]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#AMF_Tools AMF Tools]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Analysis Analysis/Defense]
|
|}

 

== Videos ==

* [http://tv.adobe.com/show/how-to-develop-secure-flash-platform-apps/ How to Develop Secure Flash Platform Apps] An Adobe TV series discussing how to author and test secure Flash applications. The presentations cover common vulnerabilities in SWF content and how to avoid them. Each video is about 5-10 minutes long and is by Peleus Uhley.

* [http://tv.adobe.com/watch/max-2010-develop/creating-secure-actionscript-applications/ Creating Secure ActionScript Applications] An hour long video targeted at developers and QEs on creating secure Flash applications from Adobe MAX 2010. Adobe MAX is Adobe's developer conference. The talk is by Peleus Uhley.

* [http://vimeo.com/15506137 Assessing, Testing & Validating Flash Content] A 45 minute talk from OWASP AppSec USA 2010 on how to assess and test Flash applications. The talk is by Peleus Uhley.

* [http://tv.adobe.com/#vi+f15384v1102 Understanding the Flash Player Security Model] Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of Flash Player's security model. Approximately 1 hour long.

* [http://h30431.www3.hp.com/index.jsp?fr_story=3a98c704f7ef61299c19ef1f648f1acb1a5aeab8&rf=bm Billy Wins A Cheeseburger] A video by HP that explains a basic Flash vulnerability that can be found by decompilers. Approximately 3 minutes long.

* [http://securitytube.net/Hacking-Flash-Applications-for-Fun-and-Profit-(Blackhat)-video.aspx Blinded by Flash: Widespread Security Risks Flash Developers Don't See] Prajakta Jagdale describes the attack surface flash applications have based on various things developers overlook. In this presentation she talks about the basic cross domain security model between flash applets, Cross Site Scripting attacks on Flash applications, Data injection attacks, Flash malware, decompilation of Flash swf files, code and binary obfuscation and many other attack vectors which a malicious attacker could use to hack Flash applications. Approximately 1 hour long.

* [https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Jon%20Rose%20-%20Deblaze%20A%20Remote%20Method%20Enumeration%20Tool%20for%20Flex%20Servers%20-%20Video%20and%20Slides.m4v Deblaze - A Remote Method Enumeration Tool for Flex Servers] This is an excellent 20 minute presentation from DefCon 17 by Jon Rose on how to test AMF services using the deBlaze tool that he authored.

* [http://technet.microsoft.com/en-us/security/ee460903.aspx#ria RIA Security: Real-World Lessons from Flash and Silverlight] Jesse Collins from Microsoft's Silverlight team and Peleus Uhley from Adobe's Flash team discuss common threats to RIA applications. Approximately 1 hour long.

 

== White Papers / Presentations ==

'''Flash'''

* '''Flash Parameter Injection''' [http://blog.watchfire.com/FPI.pdf pdf], IBM Rational Application Security Team, [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference OWASP AppSec 2008], 24th September 2008, NYC, NY (USA)

* '''Testing Flash Applications using WebScarab''' [https://www.owasp.org/images/5/58/Testing_Flash_Applications.pdf pdf], Martin Clausen - Deloitte [http://www.owasp.org/index.php/Denmark Denmark Chapter Meeting], March 12, 2008, Denmark

* '''Testing Flash Applications''' [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda Owasp Appsec 2007], 17th May 2007, Milan (Italy).

* '''Testing and Exploiting Flash Applications''' [http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf pdf], Fukami, Chaos Computer Camp, 2007

* '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose, CA (USA)

* '''Neat, New, and Ridiculous Flash Hacks''' - whitepaper: [http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-wp.pdf pdf], presentation:[http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-slides.pdf pdf], Mike Bailey, Black Hat DC 2010, Washington, DC (USA)

 '''AMF'''

* '''Pentesting Adobe Flex Applications''' - [http://www.gdssecurity.com/l/OWASP_NYNJMetro_Pentesting_Flex.pdf pdf], Marcin Wielgoszewski, April 2010 OWASP NYC Chapter Meeting, NYC, NY (USA)

* '''DeBlaze: A remote enumeration tool for Flex servers''' [http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-jon_rose-deblaze.pdf pdf], Jon Rose, [http://www.defcon.org/html/links/dc-archives/dc-17-archive.html#Rose DefCon 17], 31 July 2009, Las Vegas, NV (USA)

 '''University Research'''

* '''ActionScript bytecode verification with co-logic programming''' [http://portal.acm.org/citation.cfm?id=1554339.1554342 pdf], Brian W. DeVries, Gopal Gupta, Kevin W. Hamlen, Scott Moore, and Meera Sridhar of The University of Texas at Dallas, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security 2009.

* '''Creating a more sophisticated security platform for Flash, AIR and others''' [http://www.utdallas.edu/~mxs072100/Adobe.ppt ppt] Presented at Adobe Systems, Inc. by Meera Sridhar, November, 2009

* '''ActionScript In-Lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl.pdf pdf], Meera Sridhar and Kevin W. Hamlen of The University of Texas at Dallas, Proceedings of the Twelfth Symposium on Practical Aspects of Declarative Languages (PADL), Jan 2010.

* '''ActionScript In-lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl10.pptx pptx] Presented at PADL 2010, Madrid, Spain by Meera Sridhar.

 

== Articles ==

'''Development'''
* [http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html Creating more secure SWF web applications] This Adobe Developer Center article discusses secure ActionScript programming practices.

* [http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html Cross-domain policy file usage recommendations for Flash Player] This Adobe Developer Center article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server.

* [http://www.insideria.com/2010/03/flash-player-10-security-model.html Flash Player 10 Security Model: Stakeholders and Sandboxes] This is an article that condenses the official Flash Player Security Model down to a one page article discussing the stakeholders and sandboxes.

* [http://theflashblog.com/?p=419 AMFPHP Security Basics] This a blog covering how to secure AMFPHP version 1.9 and higher. AMFPHP is server-side code that receives AMF requests from Flash clients.

* [http://blogs.adobe.com/asset/2009/11/securely_deploying_cross-domai.html Securely Deploying Cross-Domain Policy files] This Adobe ASSET blog provides 5 tips for securely deploying cross-domain policy files.

* [http://askmeflash.com/article/16/securing-your-flash-application Securing your Flash Application] A quick ten item checklist of high level things to look for in your SWF before shipping.

* [http://www.senocular.com/flash/tutorials/contentdomains/ Security Domains, Application Domains, and More in ActionScript 3.0] A fairly in depth article by Senocular.com explaining security domains, application domains, cross-domain policy files, allowDomain() and more.

'''Penetration Testing'''
* [http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/ A Lazy Pen Tester’s Guide to Testing Flash Applications] A short blog describing some of the basic steps of testing Flash applications by iViZ.

* [http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/ Penetrating Intranets through Adobe Flex Applications] A short blog (03/17/2010) by Marcin Wielgoszewski of Gothan Digital Science introducing the [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] tool and how to take advantage of open BlazeDS proxies.

* [http://www.gdssecurity.com/l/b/2009/11/11/pentesting-adobe-flex-applications-with-a-custom-amf-client/ Pentesting Adobe Flex Applications with a Custom AMF Client] A short blog (11/11/2009) by Marcin Wielgoszewski of Gothan Digital Science on how to write custom pyAMF-based clients for testing Flex services.

* [http://erlend.oftedal.no/blog/?blogid=103 Client-side Remote File Inclusion in Flash] This blog discusses how to perform cross-site scripting attacks against applications that read in XML configuration files.

* [http://code.google.com/p/doctype/wiki/ArticleFlashSecurity Flash Security] A Google code article on different types of cross-site scripting and crossdomain.xml attacks.

'''Updates to the Flash Player Security Model'''
* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10.1_air2_security_changes.html Understanding the security changes in Flash Player 10.1 and AIR 2] - This Adobe Developer Center article describes the new changes that affect security in Flash Player 10.1 and AIR. This article discusses a new feature, LoaderContext.allowCodeImport, which can help in safely loading remote content via loadBytes(). It also discusses minor changes in behavior that may require action by the developer.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html Understanding the security changes in Flash Player 10] - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_uia_requirements.html User-initiated action requirements in Flash Player 10] - This Adobe Developer Center article describes the new user-initiated action requires in Flash Player 10. These requirements include chances to FileReference, Clipboard, full-screen mode and pop-up windows.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html Preparing for the Flash Player 9 April 2008 Security Update] - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html Security Changes in Flash Player 9] This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.

 

== Example Vulnerabilities ==

''The intent of this section is to provide real-world examples of exploitation. This can be useful for consultants to help demonstrate to clients that these techniques have been used in the wild. In some instances, these examples include individual SWFs that were copied to hundreds of web sites. Therefore, a consultant should look for these specific SWFs on a website when performing an assessment to ensure that they have a current version.''

* [http://web.appsec.ws/FlashExploitDatabase.php Flash Exploit Database] This contains a list of popular, shared SWFs that have cross-site scripting vulnerabilities.

* [http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html Cross-site Scripting through Flash in Gmail Based Services] - This is an example of a cross-site scripting vulnerability that was the result of passing tainted data to ExternalInterface.call.

* [http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw XSS Vulnerabilities in Common Flash Files] - This paper by Rich Cannings shows sample attack URLs for individual SWFs that are hosted across hundreds of websites. The techniques demonstrated in this paper for achieving cross-site scripting including using javascript: URLs, asfunction: URLs, and loading malicious child SWFs (aka cross-site Flashing).

* [http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004514.html clickTAG Cross-site scripting] - It is very common for Flash-based advertisements to accept a FlashVar called, clickTAG. If the clickTAG FlashVar is passed directly to a browser navigation API, such as getURL, then the attacker can achieve cross-site scripting by changing the clickTAG URL to a javascript: URL. Cross-site scripting as the result of a manipulated clickTAG FlashVar is the most common manifestation of cross-site scripting in Flash content.

* [http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html I used to know what you watched on YouTube] - Jeremiah Grossman's blog post regarding his attack on youTube.com's "*.google.com" cross-domain permission.

 

== References ==

* [http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004) OWASP Testing Guide: Testing for cross-site flashing] - Covers finding both cross-site scripting and cross-site flashing.

* [http://www.adobe.com/devnet/flashplayer/security.html Adobe Flash Player Developer Center Security section] - Where Adobe posts articles and information related to Flash Player security.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html Adobe Flash Player 10 Security Model]

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf Adobe Flash Player 9 Security Model]

* [http://www.adobe.com/support/security/ Adobe Security Bulletins and Advisories] This is where Adobe posts all of their security advisories and bulletins.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7f9b.html Applying Flex Security] The security chapter from the Adobe Flex 4 manual.

* [http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9b90204-7d23.html Flash Player Security] The security chapter from the Programming ActionScript 3.0 section the Flash CS4 Documentation.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7d14.html Developing and Loading Sub-applications] This Flex SDK framework allows two or more untrusted SWFs to pass limited information between each other through the use of Shared Events.

 
== Useful Specifications ==

* [http://www.adobe.com/devnet/swf/ SWF File Format Specification] This documents the file format and structure of SWF files.

* [http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf AVM2 Specification] Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf3_spec_05_05_08.pdf AMF3 Specification] The specification for version 3 of AMF used by Flash Player.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf0_spec_121207.pdf?version=1 AMF0 Specification] The specification for the first generation of AMF (AMF 0) used by Flash Player.

* [http://www.adobe.com/devnet/rtmp/ RTMP Specification] This is the specification for the Real Time Messaging Protocol used by SWF content

* [http://www.adobe.com/devnet/flv/ Video File Format Specification] The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

* [http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html Cross-domain Policy File Specification] This document serves as a reference for the structure and use of cross-domain policy files.

* [http://www.mozilla.org/projects/tamarin/ Tamarin Open Source Project] The Tamarin virtual machine is used within the Adobe Flash Player and is also being adopted for use by projects outside Adobe. The Tamarin just-in-time compiler (the "NanoJIT") is a collaboratively developed component used by both Tamarin and Mozilla TraceMonkey.

 

== Third-party Security Libraries ==

* [http://crypto.hurlant.com/ AS3Crypto] - An ActionScript 3.0 cryptography library.

* [http://code.google.com/p/as3corelib/ as3corelib] - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.

* [http://labs.adobe.com/wiki/index.php/Alchemy:Libraries Alchemy ActionScript 3 Crypto Wrapper] - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.

* [http://code.google.com/p/flash-validators/ flash-validators] - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.

* [http://bugs.adobe.com/jira/browse/BLZ-415 Protected Messaging Adaptor] - This addition to the latest version of BlazeDS protects against an attack that allows an untrusted individual to subscribe to wildcard sub-topics. This threat is described within this [http://www.jamesward.com/blog/2009/07/22/protected-messaging-in-flex-with-blazeds-and-lcds/ blog] by James Ward.

* [http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/mx/validators/package-detail.html Flex validators] - Validation routines contained within the Adobe Flex SDK.

 

== OWASP Tools ==

* [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder] OWASP Flash security testing tool

 
== Static Analysis ==

* [http://opensource.adobe.com/wiki/display/flexpmd/FlexPMD FlexPMD] Performs general code analysis with a few security checks.

* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Fortify Static Code Analyzer] '''($)''' Fortify's SCA supports searching for vulnerabilities within ActionScript 3.0, Flex 3 and Flex 4 applications.

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/ FlashDiggity] FlashDiggity is part of the SearchDiggity tool created by the Stach & Liu consulting firm. It will decompile the SWF and use regular expressions to search for strings that are security related.

* [http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167 SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

 

== Disassemblers ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] An Adobe Labs project that performs disassembly of ActionScript 2 and ActionScript 3. Also shows SWF Tag information.

* [http://flasm.sourceforge.net/ Flasm] Flasm provides both disassembly and assembly functionality.

* [http://www.docsultant.com/nemo440/ Nemo440] Nemo440 is an AIR based ActionScript 3.0 disassembler.

* [http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/bin/ swfdump] The Adobe Flex SDK, when built with ant, creates the swfdump utility ([http://blogs.adobe.com/gosmith/2008/02/disassembling_a_swf_with_swfdu_1.html overview]).

* [http://code.google.com/p/erlswf/ ErlSWF] A SWF disassembly tool based authored in Erlang

* [http://www.masonchang.com/2008/06/building-abcdump.html abcdump] The abcdump tool can be built from the tamarin source tree to disassemble AS3 byte code.

* [http://www.sweetscape.com/010editor/ 010Editor] This commercial tool has a [http://www.sweetscape.com/010editor/templates/files/SWFTemplate.bt template] for analyzing AS2 byte code.

* [http://segfaultlabs.com/swfutils swfutils] An ActionScript 3 library for disassembling SWF files.

* [https://github.com/CyberShadow/RABCDAsm#readme RABCDAsm] RABCDAsm is a collection of utilities including an ActionScript 3 assembler/disassembler, and a few tools to manipulate SWF files.

* [http://yogda.com/ Yogda AVM2 Workbench] Yogda® is a development tool for intermediate/advanced actionscript programmers. It includes an AVM2 disassembler.

 

== Decompilers ==

* [http://www.flash-decompiler.com/ Flash Decompiler Trillix] '''($):''' Windows and Mac versions. Supports ActionScript 2.0 and ActionScript 3.0, Flash 5, 6, 7, 8, 9, 10, Flash CS5 and Flex. Able to extract resources,edit SWF elements and provide a source FLA file. Costs @ $80 plus tax/shipping.

* [https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

* [http://www.nowrap.de/flare.html Flare] Flare ActionScript 2.0 decompiler for Windows, Linux and Mac OS X.

* [http://www.buraks.com/asv/ Buraks ActionScript Viewer] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.sothink.com/product/flashdecompiler/ SoThink Flash Decompiler] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.dcomsoft.com/download/dfdinstall.exe Dump Flash Decompiler] Freeware program that treats compressed and decompressed SWF-files and shows the detailed structure in the tree form. Windows.

 

== Obfuscators ==

It should be noted that no obfuscator can protect a SWF from being reverse engineered. An attacker will always be able to extract data from SWFs if they believe it is worth the effort. Obfuscators are only serve as a deterrent for preventing casual inspection of the SWF.

It should also be noted that some obfuscators generate SWFs that do not conform to the Adobe SWF file format specification. Flash Player may still be able to play them but they do not conform to the spec. This could lead to some security tools such as Blitzablieter rejecting them as potentially malicious.

*[http://www.dcomsoft.com/ DComSoft SWF Protector] '''($):''' ActionScript 2.0/3.0 obfuscator for protecting your SWF files from Flash Decompilers. Available for Windows, Mac OS, Linux. Costs approximately $40.

 

== Local Shared Object Editors ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Cross-platform tool for viewing and editing LSOs.

* [http://blog.coursevector.com/flashbug Flashbug] An extension for the Firefox Firebug plugin.

* [http://solve.sourceforge.net/ SolVE] Cross-platform Local Shared Object editor and viewer.

* [http://sourceforge.net/projects/soleditor/ .sol Editor] Windows based Local Shared Object editor

 

== AMF Tools ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Allows sending of custom messages, simple fuzzing and service identification of AMF endpoints.

* [http://blog.coursevector.com/flashbug Flashbug] An extension for the Firefox Firebug plugin that allows you to view AMF data sent to and from the page to the server.

* [http://deblaze-tool.appspot.com/ DeBlaze] A free tool that attempts to identify AMF services through brute force, dictionary attacks.

* [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services.

* [http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Full AMF support is currently checked into the main branch of the WebScarab project. It has not been rolled into the SourceForge or Java Web Start versions of the WebScarab project at the time of this writing.

* [http://code.google.com/p/webscarab-amf-plugin/ WebScarab AMF Plugin] This is a google code project to add AMF support as a plugin to WebScarab.

* [http://amfparser.codeplex.com/ AMF Parser] AMFParser plugin for Fiddler2 web debugger. It can be used for parsing and displaying AMF data inside HTTP's POST requests and responses.

* [http://code.google.com/p/pinta/ pinta] Pinta is a utility that allows a developer to test services by making custom AMF service calls, and viewing detailed output. This Google Code project is based on Adobe AIR.

* [http://www.charlesproxy.com/ Charles Proxy] '''($):''' This is a basic HTTP proxy but it provides support for interpreting AMF communications. Costs approximately $50.

* [http://releases.portswigger.net/2009/08/v1214.html Burp Suite Professional] '''($):''' The 1.2.124 version of Burp Suite Pro adds AMF support to all tools except for Burp Intruder and Burp Scanner is updated to automatically place attack payloads within string-based AMF values.

* [http://george.hedfors.com/content/action-message-format-amf-shell AMF Shell] AMF Shell is a command line utility based on Python that enumerates services and allows the user to send customized AMF messages to a server.

 

== Analysis ==

* [http://www.utdallas.edu/~mxs072100/ASIRM_project.html Certifying IRM for ActionScript Bytecode] This page contains the binaries for Meera Sridhar's research into using In-lined Reference Monitors to rewrite ActionScript bytecode for the purposes of policy enforcement. This project is currently targeted at AVM2 code.

* [http://blitzableiter.recurity.com/ Blitzablieter] Blitzablieter is a project currently run by Recurity Labs and the German government. The goal is to prevent malicious SWFs from entering a network through normalization and policy enforcement. This project currently handles AVM1 code.

* [http://wepawet.iseclab.org/ Wepawet] Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. It is currently run by University of California, Santa Barbara.

* [https://github.com/sporst/SWFREtools/ SWFRETools] The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.

 

== Project Contributors ==

The Flash Security project is run by [[:User:Puhley|Peleus Uhley]].

== Project Sponsors ==

The Flash Security project is sponsored by [http://www.mindedsecurity.com [[Image:|MindedLogo.PNG]]]

==== Project Identification ====

{{Template:Project Details/OWASP_Flash_Security_Project | OWASP Project Identification Tab}}

__NOTOC__ <headertabs />

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Flash Security Project]] [[Category:OWASP_Download]] [[Category:OWASP_Tool]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]

Category:OWASP Flash Security Project

2012-03-26T22:40:19Z

Puhley: /* Local Shared Object Editors */

==== Main ====

== Overview ==

The OWASP Flash Security Project is an open project for sharing knowledge in order to raise awareness of Flash application security.

== Goals ==

The OWASP Flash Security Project aims to share guidelines, tools and resources for securing Flash applications.

 

== Table of Contents ==

{| cellspacing="1" cellpadding="1" border="0" style="width: 651px; height: 66px;"
|-
| '''Research'''
| '''References'''
| '''Tools'''
| '''Libraries'''
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Videos Videos]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#References References]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#OWASP_Tools OWASP Tools]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Third-party_Security_Libraries 3rd Party Libs]
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#White_Papers_.2F_Presentations White Papers/Presentations]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Useful_Specifications Specifications]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Static_Analysis Static Analysis]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Articles Articles]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Disassemblers Disassemblers]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Example_Vulnerabilities Example Vulnerabilities]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Decompilers Decompilers]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Obfuscators Obfuscators]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Local_Shared_Object_Editors LSO Editors]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#AMF_Tools AMF Tools]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Analysis Analysis/Defense]
|
|}

 

== Videos ==

* [http://tv.adobe.com/show/how-to-develop-secure-flash-platform-apps/ How to Develop Secure Flash Platform Apps] An Adobe TV series discussing how to author and test secure Flash applications. The presentations cover common vulnerabilities in SWF content and how to avoid them. Each video is about 5-10 minutes long and is by Peleus Uhley.

* [http://tv.adobe.com/watch/max-2010-develop/creating-secure-actionscript-applications/ Creating Secure ActionScript Applications] An hour long video targeted at developers and QEs on creating secure Flash applications from Adobe MAX 2010. Adobe MAX is Adobe's developer conference. The talk is by Peleus Uhley.

* [http://vimeo.com/15506137 Assessing, Testing & Validating Flash Content] A 45 minute talk from OWASP AppSec USA 2010 on how to assess and test Flash applications. The talk is by Peleus Uhley.

* [http://tv.adobe.com/#vi+f15384v1102 Understanding the Flash Player Security Model] Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of Flash Player's security model. Approximately 1 hour long.

* [http://h30431.www3.hp.com/index.jsp?fr_story=3a98c704f7ef61299c19ef1f648f1acb1a5aeab8&rf=bm Billy Wins A Cheeseburger] A video by HP that explains a basic Flash vulnerability that can be found by decompilers. Approximately 3 minutes long.

* [http://securitytube.net/Hacking-Flash-Applications-for-Fun-and-Profit-(Blackhat)-video.aspx Blinded by Flash: Widespread Security Risks Flash Developers Don't See] Prajakta Jagdale describes the attack surface flash applications have based on various things developers overlook. In this presentation she talks about the basic cross domain security model between flash applets, Cross Site Scripting attacks on Flash applications, Data injection attacks, Flash malware, decompilation of Flash swf files, code and binary obfuscation and many other attack vectors which a malicious attacker could use to hack Flash applications. Approximately 1 hour long.

* [https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Jon%20Rose%20-%20Deblaze%20A%20Remote%20Method%20Enumeration%20Tool%20for%20Flex%20Servers%20-%20Video%20and%20Slides.m4v Deblaze - A Remote Method Enumeration Tool for Flex Servers] This is an excellent 20 minute presentation from DefCon 17 by Jon Rose on how to test AMF services using the deBlaze tool that he authored.

* [http://technet.microsoft.com/en-us/security/ee460903.aspx#ria RIA Security: Real-World Lessons from Flash and Silverlight] Jesse Collins from Microsoft's Silverlight team and Peleus Uhley from Adobe's Flash team discuss common threats to RIA applications. Approximately 1 hour long.

 

== White Papers / Presentations ==

'''Flash'''

* '''Flash Parameter Injection''' [http://blog.watchfire.com/FPI.pdf pdf], IBM Rational Application Security Team, [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference OWASP AppSec 2008], 24th September 2008, NYC, NY (USA)

* '''Testing Flash Applications using WebScarab''' [https://www.owasp.org/images/5/58/Testing_Flash_Applications.pdf pdf], Martin Clausen - Deloitte [http://www.owasp.org/index.php/Denmark Denmark Chapter Meeting], March 12, 2008, Denmark

* '''Testing Flash Applications''' [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda Owasp Appsec 2007], 17th May 2007, Milan (Italy).

* '''Testing and Exploiting Flash Applications''' [http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf pdf], Fukami, Chaos Computer Camp, 2007

* '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose, CA (USA)

* '''Neat, New, and Ridiculous Flash Hacks''' - whitepaper: [http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-wp.pdf pdf], presentation:[http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-slides.pdf pdf], Mike Bailey, Black Hat DC 2010, Washington, DC (USA)

 '''AMF'''

* '''Pentesting Adobe Flex Applications''' - [http://www.gdssecurity.com/l/OWASP_NYNJMetro_Pentesting_Flex.pdf pdf], Marcin Wielgoszewski, April 2010 OWASP NYC Chapter Meeting, NYC, NY (USA)

* '''DeBlaze: A remote enumeration tool for Flex servers''' [http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-jon_rose-deblaze.pdf pdf], Jon Rose, [http://www.defcon.org/html/links/dc-archives/dc-17-archive.html#Rose DefCon 17], 31 July 2009, Las Vegas, NV (USA)

 '''University Research'''

* '''ActionScript bytecode verification with co-logic programming''' [http://portal.acm.org/citation.cfm?id=1554339.1554342 pdf], Brian W. DeVries, Gopal Gupta, Kevin W. Hamlen, Scott Moore, and Meera Sridhar of The University of Texas at Dallas, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security 2009.

* '''Creating a more sophisticated security platform for Flash, AIR and others''' [http://www.utdallas.edu/~mxs072100/Adobe.ppt ppt] Presented at Adobe Systems, Inc. by Meera Sridhar, November, 2009

* '''ActionScript In-Lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl.pdf pdf], Meera Sridhar and Kevin W. Hamlen of The University of Texas at Dallas, Proceedings of the Twelfth Symposium on Practical Aspects of Declarative Languages (PADL), Jan 2010.

* '''ActionScript In-lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl10.pptx pptx] Presented at PADL 2010, Madrid, Spain by Meera Sridhar.

 

== Articles ==

'''Development'''
* [http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html Creating more secure SWF web applications] This Adobe Developer Center article discusses secure ActionScript programming practices.

* [http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html Cross-domain policy file usage recommendations for Flash Player] This Adobe Developer Center article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server.

* [http://www.insideria.com/2010/03/flash-player-10-security-model.html Flash Player 10 Security Model: Stakeholders and Sandboxes] This is an article that condenses the official Flash Player Security Model down to a one page article discussing the stakeholders and sandboxes.

* [http://theflashblog.com/?p=419 AMFPHP Security Basics] This a blog covering how to secure AMFPHP version 1.9 and higher. AMFPHP is server-side code that receives AMF requests from Flash clients.

* [http://blogs.adobe.com/asset/2009/11/securely_deploying_cross-domai.html Securely Deploying Cross-Domain Policy files] This Adobe ASSET blog provides 5 tips for securely deploying cross-domain policy files.

* [http://askmeflash.com/article/16/securing-your-flash-application Securing your Flash Application] A quick ten item checklist of high level things to look for in your SWF before shipping.

* [http://www.senocular.com/flash/tutorials/contentdomains/ Security Domains, Application Domains, and More in ActionScript 3.0] A fairly in depth article by Senocular.com explaining security domains, application domains, cross-domain policy files, allowDomain() and more.

'''Penetration Testing'''
* [http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/ A Lazy Pen Tester’s Guide to Testing Flash Applications] A short blog describing some of the basic steps of testing Flash applications by iViZ.

* [http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/ Penetrating Intranets through Adobe Flex Applications] A short blog (03/17/2010) by Marcin Wielgoszewski of Gothan Digital Science introducing the [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] tool and how to take advantage of open BlazeDS proxies.

* [http://www.gdssecurity.com/l/b/2009/11/11/pentesting-adobe-flex-applications-with-a-custom-amf-client/ Pentesting Adobe Flex Applications with a Custom AMF Client] A short blog (11/11/2009) by Marcin Wielgoszewski of Gothan Digital Science on how to write custom pyAMF-based clients for testing Flex services.

* [http://erlend.oftedal.no/blog/?blogid=103 Client-side Remote File Inclusion in Flash] This blog discusses how to perform cross-site scripting attacks against applications that read in XML configuration files.

* [http://code.google.com/p/doctype/wiki/ArticleFlashSecurity Flash Security] A Google code article on different types of cross-site scripting and crossdomain.xml attacks.

'''Updates to the Flash Player Security Model'''
* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10.1_air2_security_changes.html Understanding the security changes in Flash Player 10.1 and AIR 2] - This Adobe Developer Center article describes the new changes that affect security in Flash Player 10.1 and AIR. This article discusses a new feature, LoaderContext.allowCodeImport, which can help in safely loading remote content via loadBytes(). It also discusses minor changes in behavior that may require action by the developer.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html Understanding the security changes in Flash Player 10] - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_uia_requirements.html User-initiated action requirements in Flash Player 10] - This Adobe Developer Center article describes the new user-initiated action requires in Flash Player 10. These requirements include chances to FileReference, Clipboard, full-screen mode and pop-up windows.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html Preparing for the Flash Player 9 April 2008 Security Update] - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html Security Changes in Flash Player 9] This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.

 

== Example Vulnerabilities ==

''The intent of this section is to provide real-world examples of exploitation. This can be useful for consultants to help demonstrate to clients that these techniques have been used in the wild. In some instances, these examples include individual SWFs that were copied to hundreds of web sites. Therefore, a consultant should look for these specific SWFs on a website when performing an assessment to ensure that they have a current version.''

* [http://web.appsec.ws/FlashExploitDatabase.php Flash Exploit Database] This contains a list of popular, shared SWFs that have cross-site scripting vulnerabilities.

* [http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html Cross-site Scripting through Flash in Gmail Based Services] - This is an example of a cross-site scripting vulnerability that was the result of passing tainted data to ExternalInterface.call.

* [http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw XSS Vulnerabilities in Common Flash Files] - This paper by Rich Cannings shows sample attack URLs for individual SWFs that are hosted across hundreds of websites. The techniques demonstrated in this paper for achieving cross-site scripting including using javascript: URLs, asfunction: URLs, and loading malicious child SWFs (aka cross-site Flashing).

* [http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004514.html clickTAG Cross-site scripting] - It is very common for Flash-based advertisements to accept a FlashVar called, clickTAG. If the clickTAG FlashVar is passed directly to a browser navigation API, such as getURL, then the attacker can achieve cross-site scripting by changing the clickTAG URL to a javascript: URL. Cross-site scripting as the result of a manipulated clickTAG FlashVar is the most common manifestation of cross-site scripting in Flash content.

* [http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html I used to know what you watched on YouTube] - Jeremiah Grossman's blog post regarding his attack on youTube.com's "*.google.com" cross-domain permission.

 

== References ==

* [http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004) OWASP Testing Guide: Testing for cross-site flashing] - Covers finding both cross-site scripting and cross-site flashing.

* [http://www.adobe.com/devnet/flashplayer/security.html Adobe Flash Player Developer Center Security section] - Where Adobe posts articles and information related to Flash Player security.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html Adobe Flash Player 10 Security Model]

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf Adobe Flash Player 9 Security Model]

* [http://www.adobe.com/support/security/ Adobe Security Bulletins and Advisories] This is where Adobe posts all of their security advisories and bulletins.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7f9b.html Applying Flex Security] The security chapter from the Adobe Flex 4 manual.

* [http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9b90204-7d23.html Flash Player Security] The security chapter from the Programming ActionScript 3.0 section the Flash CS4 Documentation.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7d14.html Developing and Loading Sub-applications] This Flex SDK framework allows two or more untrusted SWFs to pass limited information between each other through the use of Shared Events.

 
== Useful Specifications ==

* [http://www.adobe.com/devnet/swf/ SWF File Format Specification] This documents the file format and structure of SWF files.

* [http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf AVM2 Specification] Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf3_spec_05_05_08.pdf AMF3 Specification] The specification for version 3 of AMF used by Flash Player.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf0_spec_121207.pdf?version=1 AMF0 Specification] The specification for the first generation of AMF (AMF 0) used by Flash Player.

* [http://www.adobe.com/devnet/rtmp/ RTMP Specification] This is the specification for the Real Time Messaging Protocol used by SWF content

* [http://www.adobe.com/devnet/flv/ Video File Format Specification] The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

* [http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html Cross-domain Policy File Specification] This document serves as a reference for the structure and use of cross-domain policy files.

* [http://www.mozilla.org/projects/tamarin/ Tamarin Open Source Project] The Tamarin virtual machine is used within the Adobe Flash Player and is also being adopted for use by projects outside Adobe. The Tamarin just-in-time compiler (the "NanoJIT") is a collaboratively developed component used by both Tamarin and Mozilla TraceMonkey.

 

== Third-party Security Libraries ==

* [http://crypto.hurlant.com/ AS3Crypto] - An ActionScript 3.0 cryptography library.

* [http://code.google.com/p/as3corelib/ as3corelib] - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.

* [http://labs.adobe.com/wiki/index.php/Alchemy:Libraries Alchemy ActionScript 3 Crypto Wrapper] - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.

* [http://code.google.com/p/flash-validators/ flash-validators] - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.

* [http://bugs.adobe.com/jira/browse/BLZ-415 Protected Messaging Adaptor] - This addition to the latest version of BlazeDS protects against an attack that allows an untrusted individual to subscribe to wildcard sub-topics. This threat is described within this [http://www.jamesward.com/blog/2009/07/22/protected-messaging-in-flex-with-blazeds-and-lcds/ blog] by James Ward.

* [http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/mx/validators/package-detail.html Flex validators] - Validation routines contained within the Adobe Flex SDK.

 

== OWASP Tools ==

* [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder] OWASP Flash security testing tool

 
== Static Analysis ==

* [http://opensource.adobe.com/wiki/display/flexpmd/FlexPMD FlexPMD] Performs general code analysis with a few security checks.

* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Fortify Static Code Analyzer] '''($)''' Fortify's SCA supports searching for vulnerabilities within ActionScript 3.0, Flex 3 and Flex 4 applications.

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/ FlashDiggity] FlashDiggity is part of the SearchDiggity tool created by the Stach & Liu consulting firm. It will decompile the SWF and use regular expressions to search for strings that are security related.

* [http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167 SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

 

== Disassemblers ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] An Adobe Labs project that performs disassembly of ActionScript 2 and ActionScript 3. Also shows SWF Tag information.

* [http://flasm.sourceforge.net/ Flasm] Flasm provides both disassembly and assembly functionality.

* [http://www.docsultant.com/nemo440/ Nemo440] Nemo440 is an AIR based ActionScript 3.0 disassembler.

* [http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/bin/ swfdump] The Adobe Flex SDK, when built with ant, creates the swfdump utility ([http://blogs.adobe.com/gosmith/2008/02/disassembling_a_swf_with_swfdu_1.html overview]).

* [http://code.google.com/p/erlswf/ ErlSWF] A SWF disassembly tool based authored in Erlang

* [http://www.masonchang.com/2008/06/building-abcdump.html abcdump] The abcdump tool can be built from the tamarin source tree to disassemble AS3 byte code.

* [http://www.sweetscape.com/010editor/ 010Editor] This commercial tool has a [http://www.sweetscape.com/010editor/templates/files/SWFTemplate.bt template] for analyzing AS2 byte code.

* [http://segfaultlabs.com/swfutils swfutils] An ActionScript 3 library for disassembling SWF files.

* [https://github.com/CyberShadow/RABCDAsm#readme RABCDAsm] RABCDAsm is a collection of utilities including an ActionScript 3 assembler/disassembler, and a few tools to manipulate SWF files.

* [http://yogda.com/ Yogda AVM2 Workbench] Yogda® is a development tool for intermediate/advanced actionscript programmers. It includes an AVM2 disassembler.

 

== Decompilers ==

* [http://www.flash-decompiler.com/ Flash Decompiler Trillix] '''($):''' Windows and Mac versions. Supports ActionScript 2.0 and ActionScript 3.0, Flash 5, 6, 7, 8, 9, 10, Flash CS5 and Flex. Able to extract resources,edit SWF elements and provide a source FLA file. Costs @ $80 plus tax/shipping.

* [https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

* [http://www.nowrap.de/flare.html Flare] Flare ActionScript 2.0 decompiler for Windows, Linux and Mac OS X.

* [http://www.buraks.com/asv/ Buraks ActionScript Viewer] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.sothink.com/product/flashdecompiler/ SoThink Flash Decompiler] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.dcomsoft.com/download/dfdinstall.exe Dump Flash Decompiler] Freeware program that treats compressed and decompressed SWF-files and shows the detailed structure in the tree form. Windows.

 

== Obfuscators ==

It should be noted that no obfuscator can protect a SWF from being reverse engineered. An attacker will always be able to extract data from SWFs if they believe it is worth the effort. Obfuscators are only serve as a deterrent for preventing casual inspection of the SWF.

It should also be noted that some obfuscators generate SWFs that do not conform to the Adobe SWF file format specification. Flash Player may still be able to play them but they do not conform to the spec. This could lead to some security tools such as Blitzablieter rejecting them as potentially malicious.

*[http://www.dcomsoft.com/ DComSoft SWF Protector] '''($):''' ActionScript 2.0/3.0 obfuscator for protecting your SWF files from Flash Decompilers. Available for Windows, Mac OS, Linux. Costs approximately $40.

 

== Local Shared Object Editors ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Cross-platform tool for viewing and editing LSOs.

* [http://blog.coursevector.com/flashbug Flashbug] An extension for the Firefox Firebug plugin.

* [http://solve.sourceforge.net/ SolVE] Cross-platform Local Shared Object editor and viewer.

* [http://sourceforge.net/projects/soleditor/ .sol Editor] Windows based Local Shared Object editor

 

== AMF Tools ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Allows sending of custom messages, simple fuzzing and service identification of AMF endpoints.

* [http://deblaze-tool.appspot.com/ DeBlaze] A free tool that attempts to identify AMF services through brute force, dictionary attacks.

* [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services.

* [http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Full AMF support is currently checked into the main branch of the WebScarab project. It has not been rolled into the SourceForge or Java Web Start versions of the WebScarab project at the time of this writing.

* [http://code.google.com/p/webscarab-amf-plugin/ WebScarab AMF Plugin] This is a google code project to add AMF support as a plugin to WebScarab.

* [http://amfparser.codeplex.com/ AMF Parser] AMFParser plugin for Fiddler2 web debugger. It can be used for parsing and displaying AMF data inside HTTP's POST requests and responses.

* [http://code.google.com/p/pinta/ pinta] Pinta is a utility that allows a developer to test services by making custom AMF service calls, and viewing detailed output. This Google Code project is based on Adobe AIR.

* [http://www.charlesproxy.com/ Charles Proxy] '''($):''' This is a basic HTTP proxy but it provides support for interpreting AMF communications. Costs approximately $50.

* [http://releases.portswigger.net/2009/08/v1214.html Burp Suite Professional] '''($):''' The 1.2.124 version of Burp Suite Pro adds AMF support to all tools except for Burp Intruder and Burp Scanner is updated to automatically place attack payloads within string-based AMF values.

* [http://george.hedfors.com/content/action-message-format-amf-shell AMF Shell] AMF Shell is a command line utility based on Python that enumerates services and allows the user to send customized AMF messages to a server.

 

== Analysis ==

* [http://www.utdallas.edu/~mxs072100/ASIRM_project.html Certifying IRM for ActionScript Bytecode] This page contains the binaries for Meera Sridhar's research into using In-lined Reference Monitors to rewrite ActionScript bytecode for the purposes of policy enforcement. This project is currently targeted at AVM2 code.

* [http://blitzableiter.recurity.com/ Blitzablieter] Blitzablieter is a project currently run by Recurity Labs and the German government. The goal is to prevent malicious SWFs from entering a network through normalization and policy enforcement. This project currently handles AVM1 code.

* [http://wepawet.iseclab.org/ Wepawet] Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. It is currently run by University of California, Santa Barbara.

* [https://github.com/sporst/SWFREtools/ SWFRETools] The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.

 

== Project Contributors ==

The Flash Security project is run by [[:User:Puhley|Peleus Uhley]].

== Project Sponsors ==

The Flash Security project is sponsored by [http://www.mindedsecurity.com [[Image:|MindedLogo.PNG]]]

==== Project Identification ====

{{Template:Project Details/OWASP_Flash_Security_Project | OWASP Project Identification Tab}}

__NOTOC__ <headertabs />

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Flash Security Project]] [[Category:OWASP_Download]] [[Category:OWASP_Tool]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]

Category:OWASP Flash Security Project

2012-03-06T16:24:32Z

Puhley: /* Example Vulnerabilities */

==== Main ====

== Overview ==

The OWASP Flash Security Project is an open project for sharing knowledge in order to raise awareness of Flash application security.

== Goals ==

The OWASP Flash Security Project aims to share guidelines, tools and resources for securing Flash applications.

 

== Table of Contents ==

{| cellspacing="1" cellpadding="1" border="0" style="width: 651px; height: 66px;"
|-
| '''Research'''
| '''References'''
| '''Tools'''
| '''Libraries'''
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Videos Videos]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#References References]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#OWASP_Tools OWASP Tools]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Third-party_Security_Libraries 3rd Party Libs]
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#White_Papers_.2F_Presentations White Papers/Presentations]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Useful_Specifications Specifications]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Static_Analysis Static Analysis]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Articles Articles]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Disassemblers Disassemblers]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Example_Vulnerabilities Example Vulnerabilities]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Decompilers Decompilers]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Obfuscators Obfuscators]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Local_Shared_Object_Editors LSO Editors]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#AMF_Tools AMF Tools]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Analysis Analysis/Defense]
|
|}

 

== Videos ==

* [http://tv.adobe.com/show/how-to-develop-secure-flash-platform-apps/ How to Develop Secure Flash Platform Apps] An Adobe TV series discussing how to author and test secure Flash applications. The presentations cover common vulnerabilities in SWF content and how to avoid them. Each video is about 5-10 minutes long and is by Peleus Uhley.

* [http://tv.adobe.com/watch/max-2010-develop/creating-secure-actionscript-applications/ Creating Secure ActionScript Applications] An hour long video targeted at developers and QEs on creating secure Flash applications from Adobe MAX 2010. Adobe MAX is Adobe's developer conference. The talk is by Peleus Uhley.

* [http://vimeo.com/15506137 Assessing, Testing & Validating Flash Content] A 45 minute talk from OWASP AppSec USA 2010 on how to assess and test Flash applications. The talk is by Peleus Uhley.

* [http://tv.adobe.com/#vi+f15384v1102 Understanding the Flash Player Security Model] Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of Flash Player's security model. Approximately 1 hour long.

* [http://h30431.www3.hp.com/index.jsp?fr_story=3a98c704f7ef61299c19ef1f648f1acb1a5aeab8&rf=bm Billy Wins A Cheeseburger] A video by HP that explains a basic Flash vulnerability that can be found by decompilers. Approximately 3 minutes long.

* [http://securitytube.net/Hacking-Flash-Applications-for-Fun-and-Profit-(Blackhat)-video.aspx Blinded by Flash: Widespread Security Risks Flash Developers Don't See] Prajakta Jagdale describes the attack surface flash applications have based on various things developers overlook. In this presentation she talks about the basic cross domain security model between flash applets, Cross Site Scripting attacks on Flash applications, Data injection attacks, Flash malware, decompilation of Flash swf files, code and binary obfuscation and many other attack vectors which a malicious attacker could use to hack Flash applications. Approximately 1 hour long.

* [https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Jon%20Rose%20-%20Deblaze%20A%20Remote%20Method%20Enumeration%20Tool%20for%20Flex%20Servers%20-%20Video%20and%20Slides.m4v Deblaze - A Remote Method Enumeration Tool for Flex Servers] This is an excellent 20 minute presentation from DefCon 17 by Jon Rose on how to test AMF services using the deBlaze tool that he authored.

* [http://technet.microsoft.com/en-us/security/ee460903.aspx#ria RIA Security: Real-World Lessons from Flash and Silverlight] Jesse Collins from Microsoft's Silverlight team and Peleus Uhley from Adobe's Flash team discuss common threats to RIA applications. Approximately 1 hour long.

 

== White Papers / Presentations ==

'''Flash'''

* '''Flash Parameter Injection''' [http://blog.watchfire.com/FPI.pdf pdf], IBM Rational Application Security Team, [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference OWASP AppSec 2008], 24th September 2008, NYC, NY (USA)

* '''Testing Flash Applications using WebScarab''' [https://www.owasp.org/images/5/58/Testing_Flash_Applications.pdf pdf], Martin Clausen - Deloitte [http://www.owasp.org/index.php/Denmark Denmark Chapter Meeting], March 12, 2008, Denmark

* '''Testing Flash Applications''' [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda Owasp Appsec 2007], 17th May 2007, Milan (Italy).

* '''Testing and Exploiting Flash Applications''' [http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf pdf], Fukami, Chaos Computer Camp, 2007

* '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose, CA (USA)

* '''Neat, New, and Ridiculous Flash Hacks''' - whitepaper: [http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-wp.pdf pdf], presentation:[http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-slides.pdf pdf], Mike Bailey, Black Hat DC 2010, Washington, DC (USA)

 '''AMF'''

* '''Pentesting Adobe Flex Applications''' - [http://www.gdssecurity.com/l/OWASP_NYNJMetro_Pentesting_Flex.pdf pdf], Marcin Wielgoszewski, April 2010 OWASP NYC Chapter Meeting, NYC, NY (USA)

* '''DeBlaze: A remote enumeration tool for Flex servers''' [http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-jon_rose-deblaze.pdf pdf], Jon Rose, [http://www.defcon.org/html/links/dc-archives/dc-17-archive.html#Rose DefCon 17], 31 July 2009, Las Vegas, NV (USA)

 '''University Research'''

* '''ActionScript bytecode verification with co-logic programming''' [http://portal.acm.org/citation.cfm?id=1554339.1554342 pdf], Brian W. DeVries, Gopal Gupta, Kevin W. Hamlen, Scott Moore, and Meera Sridhar of The University of Texas at Dallas, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security 2009.

* '''Creating a more sophisticated security platform for Flash, AIR and others''' [http://www.utdallas.edu/~mxs072100/Adobe.ppt ppt] Presented at Adobe Systems, Inc. by Meera Sridhar, November, 2009

* '''ActionScript In-Lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl.pdf pdf], Meera Sridhar and Kevin W. Hamlen of The University of Texas at Dallas, Proceedings of the Twelfth Symposium on Practical Aspects of Declarative Languages (PADL), Jan 2010.

* '''ActionScript In-lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl10.pptx pptx] Presented at PADL 2010, Madrid, Spain by Meera Sridhar.

 

== Articles ==

'''Development'''
* [http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html Creating more secure SWF web applications] This Adobe Developer Center article discusses secure ActionScript programming practices.

* [http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html Cross-domain policy file usage recommendations for Flash Player] This Adobe Developer Center article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server.

* [http://www.insideria.com/2010/03/flash-player-10-security-model.html Flash Player 10 Security Model: Stakeholders and Sandboxes] This is an article that condenses the official Flash Player Security Model down to a one page article discussing the stakeholders and sandboxes.

* [http://theflashblog.com/?p=419 AMFPHP Security Basics] This a blog covering how to secure AMFPHP version 1.9 and higher. AMFPHP is server-side code that receives AMF requests from Flash clients.

* [http://blogs.adobe.com/asset/2009/11/securely_deploying_cross-domai.html Securely Deploying Cross-Domain Policy files] This Adobe ASSET blog provides 5 tips for securely deploying cross-domain policy files.

* [http://askmeflash.com/article/16/securing-your-flash-application Securing your Flash Application] A quick ten item checklist of high level things to look for in your SWF before shipping.

* [http://www.senocular.com/flash/tutorials/contentdomains/ Security Domains, Application Domains, and More in ActionScript 3.0] A fairly in depth article by Senocular.com explaining security domains, application domains, cross-domain policy files, allowDomain() and more.

'''Penetration Testing'''
* [http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/ A Lazy Pen Tester’s Guide to Testing Flash Applications] A short blog describing some of the basic steps of testing Flash applications by iViZ.

* [http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/ Penetrating Intranets through Adobe Flex Applications] A short blog (03/17/2010) by Marcin Wielgoszewski of Gothan Digital Science introducing the [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] tool and how to take advantage of open BlazeDS proxies.

* [http://www.gdssecurity.com/l/b/2009/11/11/pentesting-adobe-flex-applications-with-a-custom-amf-client/ Pentesting Adobe Flex Applications with a Custom AMF Client] A short blog (11/11/2009) by Marcin Wielgoszewski of Gothan Digital Science on how to write custom pyAMF-based clients for testing Flex services.

* [http://erlend.oftedal.no/blog/?blogid=103 Client-side Remote File Inclusion in Flash] This blog discusses how to perform cross-site scripting attacks against applications that read in XML configuration files.

* [http://code.google.com/p/doctype/wiki/ArticleFlashSecurity Flash Security] A Google code article on different types of cross-site scripting and crossdomain.xml attacks.

'''Updates to the Flash Player Security Model'''
* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10.1_air2_security_changes.html Understanding the security changes in Flash Player 10.1 and AIR 2] - This Adobe Developer Center article describes the new changes that affect security in Flash Player 10.1 and AIR. This article discusses a new feature, LoaderContext.allowCodeImport, which can help in safely loading remote content via loadBytes(). It also discusses minor changes in behavior that may require action by the developer.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html Understanding the security changes in Flash Player 10] - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_uia_requirements.html User-initiated action requirements in Flash Player 10] - This Adobe Developer Center article describes the new user-initiated action requires in Flash Player 10. These requirements include chances to FileReference, Clipboard, full-screen mode and pop-up windows.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html Preparing for the Flash Player 9 April 2008 Security Update] - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html Security Changes in Flash Player 9] This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.

 

== Example Vulnerabilities ==

''The intent of this section is to provide real-world examples of exploitation. This can be useful for consultants to help demonstrate to clients that these techniques have been used in the wild. In some instances, these examples include individual SWFs that were copied to hundreds of web sites. Therefore, a consultant should look for these specific SWFs on a website when performing an assessment to ensure that they have a current version.''

* [http://web.appsec.ws/FlashExploitDatabase.php Flash Exploit Database] This contains a list of popular, shared SWFs that have cross-site scripting vulnerabilities.

* [http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html Cross-site Scripting through Flash in Gmail Based Services] - This is an example of a cross-site scripting vulnerability that was the result of passing tainted data to ExternalInterface.call.

* [http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw XSS Vulnerabilities in Common Flash Files] - This paper by Rich Cannings shows sample attack URLs for individual SWFs that are hosted across hundreds of websites. The techniques demonstrated in this paper for achieving cross-site scripting including using javascript: URLs, asfunction: URLs, and loading malicious child SWFs (aka cross-site Flashing).

* [http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004514.html clickTAG Cross-site scripting] - It is very common for Flash-based advertisements to accept a FlashVar called, clickTAG. If the clickTAG FlashVar is passed directly to a browser navigation API, such as getURL, then the attacker can achieve cross-site scripting by changing the clickTAG URL to a javascript: URL. Cross-site scripting as the result of a manipulated clickTAG FlashVar is the most common manifestation of cross-site scripting in Flash content.

* [http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html I used to know what you watched on YouTube] - Jeremiah Grossman's blog post regarding his attack on youTube.com's "*.google.com" cross-domain permission.

 

== References ==

* [http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004) OWASP Testing Guide: Testing for cross-site flashing] - Covers finding both cross-site scripting and cross-site flashing.

* [http://www.adobe.com/devnet/flashplayer/security.html Adobe Flash Player Developer Center Security section] - Where Adobe posts articles and information related to Flash Player security.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html Adobe Flash Player 10 Security Model]

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf Adobe Flash Player 9 Security Model]

* [http://www.adobe.com/support/security/ Adobe Security Bulletins and Advisories] This is where Adobe posts all of their security advisories and bulletins.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7f9b.html Applying Flex Security] The security chapter from the Adobe Flex 4 manual.

* [http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9b90204-7d23.html Flash Player Security] The security chapter from the Programming ActionScript 3.0 section the Flash CS4 Documentation.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7d14.html Developing and Loading Sub-applications] This Flex SDK framework allows two or more untrusted SWFs to pass limited information between each other through the use of Shared Events.

 
== Useful Specifications ==

* [http://www.adobe.com/devnet/swf/ SWF File Format Specification] This documents the file format and structure of SWF files.

* [http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf AVM2 Specification] Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf3_spec_05_05_08.pdf AMF3 Specification] The specification for version 3 of AMF used by Flash Player.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf0_spec_121207.pdf?version=1 AMF0 Specification] The specification for the first generation of AMF (AMF 0) used by Flash Player.

* [http://www.adobe.com/devnet/rtmp/ RTMP Specification] This is the specification for the Real Time Messaging Protocol used by SWF content

* [http://www.adobe.com/devnet/flv/ Video File Format Specification] The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

* [http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html Cross-domain Policy File Specification] This document serves as a reference for the structure and use of cross-domain policy files.

* [http://www.mozilla.org/projects/tamarin/ Tamarin Open Source Project] The Tamarin virtual machine is used within the Adobe Flash Player and is also being adopted for use by projects outside Adobe. The Tamarin just-in-time compiler (the "NanoJIT") is a collaboratively developed component used by both Tamarin and Mozilla TraceMonkey.

 

== Third-party Security Libraries ==

* [http://crypto.hurlant.com/ AS3Crypto] - An ActionScript 3.0 cryptography library.

* [http://code.google.com/p/as3corelib/ as3corelib] - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.

* [http://labs.adobe.com/wiki/index.php/Alchemy:Libraries Alchemy ActionScript 3 Crypto Wrapper] - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.

* [http://code.google.com/p/flash-validators/ flash-validators] - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.

* [http://bugs.adobe.com/jira/browse/BLZ-415 Protected Messaging Adaptor] - This addition to the latest version of BlazeDS protects against an attack that allows an untrusted individual to subscribe to wildcard sub-topics. This threat is described within this [http://www.jamesward.com/blog/2009/07/22/protected-messaging-in-flex-with-blazeds-and-lcds/ blog] by James Ward.

* [http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/mx/validators/package-detail.html Flex validators] - Validation routines contained within the Adobe Flex SDK.

 

== OWASP Tools ==

* [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder] OWASP Flash security testing tool

 
== Static Analysis ==

* [http://opensource.adobe.com/wiki/display/flexpmd/FlexPMD FlexPMD] Performs general code analysis with a few security checks.

* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Fortify Static Code Analyzer] '''($)''' Fortify's SCA supports searching for vulnerabilities within ActionScript 3.0, Flex 3 and Flex 4 applications.

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/ FlashDiggity] FlashDiggity is part of the SearchDiggity tool created by the Stach & Liu consulting firm. It will decompile the SWF and use regular expressions to search for strings that are security related.

* [http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167 SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

 

== Disassemblers ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] An Adobe Labs project that performs disassembly of ActionScript 2 and ActionScript 3. Also shows SWF Tag information.

* [http://flasm.sourceforge.net/ Flasm] Flasm provides both disassembly and assembly functionality.

* [http://www.docsultant.com/nemo440/ Nemo440] Nemo440 is an AIR based ActionScript 3.0 disassembler.

* [http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/bin/ swfdump] The Adobe Flex SDK, when built with ant, creates the swfdump utility ([http://blogs.adobe.com/gosmith/2008/02/disassembling_a_swf_with_swfdu_1.html overview]).

* [http://code.google.com/p/erlswf/ ErlSWF] A SWF disassembly tool based authored in Erlang

* [http://www.masonchang.com/2008/06/building-abcdump.html abcdump] The abcdump tool can be built from the tamarin source tree to disassemble AS3 byte code.

* [http://www.sweetscape.com/010editor/ 010Editor] This commercial tool has a [http://www.sweetscape.com/010editor/templates/files/SWFTemplate.bt template] for analyzing AS2 byte code.

* [http://segfaultlabs.com/swfutils swfutils] An ActionScript 3 library for disassembling SWF files.

* [https://github.com/CyberShadow/RABCDAsm#readme RABCDAsm] RABCDAsm is a collection of utilities including an ActionScript 3 assembler/disassembler, and a few tools to manipulate SWF files.

* [http://yogda.com/ Yogda AVM2 Workbench] Yogda® is a development tool for intermediate/advanced actionscript programmers. It includes an AVM2 disassembler.

 

== Decompilers ==

* [http://www.flash-decompiler.com/ Flash Decompiler Trillix] '''($):''' Windows and Mac versions. Supports ActionScript 2.0 and ActionScript 3.0, Flash 5, 6, 7, 8, 9, 10, Flash CS5 and Flex. Able to extract resources,edit SWF elements and provide a source FLA file. Costs @ $80 plus tax/shipping.

* [https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

* [http://www.nowrap.de/flare.html Flare] Flare ActionScript 2.0 decompiler for Windows, Linux and Mac OS X.

* [http://www.buraks.com/asv/ Buraks ActionScript Viewer] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.sothink.com/product/flashdecompiler/ SoThink Flash Decompiler] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.dcomsoft.com/download/dfdinstall.exe Dump Flash Decompiler] Freeware program that treats compressed and decompressed SWF-files and shows the detailed structure in the tree form. Windows.

 

== Obfuscators ==

It should be noted that no obfuscator can protect a SWF from being reverse engineered. An attacker will always be able to extract data from SWFs if they believe it is worth the effort. Obfuscators are only serve as a deterrent for preventing casual inspection of the SWF.

It should also be noted that some obfuscators generate SWFs that do not conform to the Adobe SWF file format specification. Flash Player may still be able to play them but they do not conform to the spec. This could lead to some security tools such as Blitzablieter rejecting them as potentially malicious.

*[http://www.dcomsoft.com/ DComSoft SWF Protector] '''($):''' ActionScript 2.0/3.0 obfuscator for protecting your SWF files from Flash Decompilers. Available for Windows, Mac OS, Linux. Costs approximately $40.

 

== Local Shared Object Editors ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Cross-platform tool for viewing and editing LSOs.

* [http://solve.sourceforge.net/ SolVE] Cross-platform Local Shared Object editor and viewer.

* [http://sourceforge.net/projects/soleditor/ .sol Editor] Windows based Local Shared Object editor

 

== AMF Tools ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Allows sending of custom messages, simple fuzzing and service identification of AMF endpoints.

* [http://deblaze-tool.appspot.com/ DeBlaze] A free tool that attempts to identify AMF services through brute force, dictionary attacks.

* [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services.

* [http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Full AMF support is currently checked into the main branch of the WebScarab project. It has not been rolled into the SourceForge or Java Web Start versions of the WebScarab project at the time of this writing.

* [http://code.google.com/p/webscarab-amf-plugin/ WebScarab AMF Plugin] This is a google code project to add AMF support as a plugin to WebScarab.

* [http://amfparser.codeplex.com/ AMF Parser] AMFParser plugin for Fiddler2 web debugger. It can be used for parsing and displaying AMF data inside HTTP's POST requests and responses.

* [http://code.google.com/p/pinta/ pinta] Pinta is a utility that allows a developer to test services by making custom AMF service calls, and viewing detailed output. This Google Code project is based on Adobe AIR.

* [http://www.charlesproxy.com/ Charles Proxy] '''($):''' This is a basic HTTP proxy but it provides support for interpreting AMF communications. Costs approximately $50.

* [http://releases.portswigger.net/2009/08/v1214.html Burp Suite Professional] '''($):''' The 1.2.124 version of Burp Suite Pro adds AMF support to all tools except for Burp Intruder and Burp Scanner is updated to automatically place attack payloads within string-based AMF values.

* [http://george.hedfors.com/content/action-message-format-amf-shell AMF Shell] AMF Shell is a command line utility based on Python that enumerates services and allows the user to send customized AMF messages to a server.

 

== Analysis ==

* [http://www.utdallas.edu/~mxs072100/ASIRM_project.html Certifying IRM for ActionScript Bytecode] This page contains the binaries for Meera Sridhar's research into using In-lined Reference Monitors to rewrite ActionScript bytecode for the purposes of policy enforcement. This project is currently targeted at AVM2 code.

* [http://blitzableiter.recurity.com/ Blitzablieter] Blitzablieter is a project currently run by Recurity Labs and the German government. The goal is to prevent malicious SWFs from entering a network through normalization and policy enforcement. This project currently handles AVM1 code.

* [http://wepawet.iseclab.org/ Wepawet] Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. It is currently run by University of California, Santa Barbara.

* [https://github.com/sporst/SWFREtools/ SWFRETools] The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.

 

== Project Contributors ==

The Flash Security project is run by [[:User:Puhley|Peleus Uhley]].

== Project Sponsors ==

The Flash Security project is sponsored by [http://www.mindedsecurity.com [[Image:|MindedLogo.PNG]]]

==== Project Identification ====

{{Template:Project Details/OWASP_Flash_Security_Project | OWASP Project Identification Tab}}

__NOTOC__ <headertabs />

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Flash Security Project]] [[Category:OWASP_Download]] [[Category:OWASP_Tool]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]

Category:OWASP Flash Security Project

2012-03-06T11:10:54Z

Puhley: /* AMF Tools */

==== Main ====

== Overview ==

The OWASP Flash Security Project is an open project for sharing knowledge in order to raise awareness of Flash application security.

== Goals ==

The OWASP Flash Security Project aims to share guidelines, tools and resources for securing Flash applications.

 

== Table of Contents ==

{| cellspacing="1" cellpadding="1" border="0" style="width: 651px; height: 66px;"
|-
| '''Research'''
| '''References'''
| '''Tools'''
| '''Libraries'''
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Videos Videos]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#References References]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#OWASP_Tools OWASP Tools]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Third-party_Security_Libraries 3rd Party Libs]
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#White_Papers_.2F_Presentations White Papers/Presentations]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Useful_Specifications Specifications]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Static_Analysis Static Analysis]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Articles Articles]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Disassemblers Disassemblers]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Example_Vulnerabilities Example Vulnerabilities]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Decompilers Decompilers]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Obfuscators Obfuscators]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Local_Shared_Object_Editors LSO Editors]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#AMF_Tools AMF Tools]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Analysis Analysis/Defense]
|
|}

 

== Videos ==

* [http://tv.adobe.com/show/how-to-develop-secure-flash-platform-apps/ How to Develop Secure Flash Platform Apps] An Adobe TV series discussing how to author and test secure Flash applications. The presentations cover common vulnerabilities in SWF content and how to avoid them. Each video is about 5-10 minutes long and is by Peleus Uhley.

* [http://tv.adobe.com/watch/max-2010-develop/creating-secure-actionscript-applications/ Creating Secure ActionScript Applications] An hour long video targeted at developers and QEs on creating secure Flash applications from Adobe MAX 2010. Adobe MAX is Adobe's developer conference. The talk is by Peleus Uhley.

* [http://vimeo.com/15506137 Assessing, Testing & Validating Flash Content] A 45 minute talk from OWASP AppSec USA 2010 on how to assess and test Flash applications. The talk is by Peleus Uhley.

* [http://tv.adobe.com/#vi+f15384v1102 Understanding the Flash Player Security Model] Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of Flash Player's security model. Approximately 1 hour long.

* [http://h30431.www3.hp.com/index.jsp?fr_story=3a98c704f7ef61299c19ef1f648f1acb1a5aeab8&rf=bm Billy Wins A Cheeseburger] A video by HP that explains a basic Flash vulnerability that can be found by decompilers. Approximately 3 minutes long.

* [http://securitytube.net/Hacking-Flash-Applications-for-Fun-and-Profit-(Blackhat)-video.aspx Blinded by Flash: Widespread Security Risks Flash Developers Don't See] Prajakta Jagdale describes the attack surface flash applications have based on various things developers overlook. In this presentation she talks about the basic cross domain security model between flash applets, Cross Site Scripting attacks on Flash applications, Data injection attacks, Flash malware, decompilation of Flash swf files, code and binary obfuscation and many other attack vectors which a malicious attacker could use to hack Flash applications. Approximately 1 hour long.

* [https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Jon%20Rose%20-%20Deblaze%20A%20Remote%20Method%20Enumeration%20Tool%20for%20Flex%20Servers%20-%20Video%20and%20Slides.m4v Deblaze - A Remote Method Enumeration Tool for Flex Servers] This is an excellent 20 minute presentation from DefCon 17 by Jon Rose on how to test AMF services using the deBlaze tool that he authored.

* [http://technet.microsoft.com/en-us/security/ee460903.aspx#ria RIA Security: Real-World Lessons from Flash and Silverlight] Jesse Collins from Microsoft's Silverlight team and Peleus Uhley from Adobe's Flash team discuss common threats to RIA applications. Approximately 1 hour long.

 

== White Papers / Presentations ==

'''Flash'''

* '''Flash Parameter Injection''' [http://blog.watchfire.com/FPI.pdf pdf], IBM Rational Application Security Team, [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference OWASP AppSec 2008], 24th September 2008, NYC, NY (USA)

* '''Testing Flash Applications using WebScarab''' [https://www.owasp.org/images/5/58/Testing_Flash_Applications.pdf pdf], Martin Clausen - Deloitte [http://www.owasp.org/index.php/Denmark Denmark Chapter Meeting], March 12, 2008, Denmark

* '''Testing Flash Applications''' [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda Owasp Appsec 2007], 17th May 2007, Milan (Italy).

* '''Testing and Exploiting Flash Applications''' [http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf pdf], Fukami, Chaos Computer Camp, 2007

* '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose, CA (USA)

* '''Neat, New, and Ridiculous Flash Hacks''' - whitepaper: [http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-wp.pdf pdf], presentation:[http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-slides.pdf pdf], Mike Bailey, Black Hat DC 2010, Washington, DC (USA)

 '''AMF'''

* '''Pentesting Adobe Flex Applications''' - [http://www.gdssecurity.com/l/OWASP_NYNJMetro_Pentesting_Flex.pdf pdf], Marcin Wielgoszewski, April 2010 OWASP NYC Chapter Meeting, NYC, NY (USA)

* '''DeBlaze: A remote enumeration tool for Flex servers''' [http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-jon_rose-deblaze.pdf pdf], Jon Rose, [http://www.defcon.org/html/links/dc-archives/dc-17-archive.html#Rose DefCon 17], 31 July 2009, Las Vegas, NV (USA)

 '''University Research'''

* '''ActionScript bytecode verification with co-logic programming''' [http://portal.acm.org/citation.cfm?id=1554339.1554342 pdf], Brian W. DeVries, Gopal Gupta, Kevin W. Hamlen, Scott Moore, and Meera Sridhar of The University of Texas at Dallas, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security 2009.

* '''Creating a more sophisticated security platform for Flash, AIR and others''' [http://www.utdallas.edu/~mxs072100/Adobe.ppt ppt] Presented at Adobe Systems, Inc. by Meera Sridhar, November, 2009

* '''ActionScript In-Lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl.pdf pdf], Meera Sridhar and Kevin W. Hamlen of The University of Texas at Dallas, Proceedings of the Twelfth Symposium on Practical Aspects of Declarative Languages (PADL), Jan 2010.

* '''ActionScript In-lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl10.pptx pptx] Presented at PADL 2010, Madrid, Spain by Meera Sridhar.

 

== Articles ==

'''Development'''
* [http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html Creating more secure SWF web applications] This Adobe Developer Center article discusses secure ActionScript programming practices.

* [http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html Cross-domain policy file usage recommendations for Flash Player] This Adobe Developer Center article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server.

* [http://www.insideria.com/2010/03/flash-player-10-security-model.html Flash Player 10 Security Model: Stakeholders and Sandboxes] This is an article that condenses the official Flash Player Security Model down to a one page article discussing the stakeholders and sandboxes.

* [http://theflashblog.com/?p=419 AMFPHP Security Basics] This a blog covering how to secure AMFPHP version 1.9 and higher. AMFPHP is server-side code that receives AMF requests from Flash clients.

* [http://blogs.adobe.com/asset/2009/11/securely_deploying_cross-domai.html Securely Deploying Cross-Domain Policy files] This Adobe ASSET blog provides 5 tips for securely deploying cross-domain policy files.

* [http://askmeflash.com/article/16/securing-your-flash-application Securing your Flash Application] A quick ten item checklist of high level things to look for in your SWF before shipping.

* [http://www.senocular.com/flash/tutorials/contentdomains/ Security Domains, Application Domains, and More in ActionScript 3.0] A fairly in depth article by Senocular.com explaining security domains, application domains, cross-domain policy files, allowDomain() and more.

'''Penetration Testing'''
* [http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/ A Lazy Pen Tester’s Guide to Testing Flash Applications] A short blog describing some of the basic steps of testing Flash applications by iViZ.

* [http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/ Penetrating Intranets through Adobe Flex Applications] A short blog (03/17/2010) by Marcin Wielgoszewski of Gothan Digital Science introducing the [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] tool and how to take advantage of open BlazeDS proxies.

* [http://www.gdssecurity.com/l/b/2009/11/11/pentesting-adobe-flex-applications-with-a-custom-amf-client/ Pentesting Adobe Flex Applications with a Custom AMF Client] A short blog (11/11/2009) by Marcin Wielgoszewski of Gothan Digital Science on how to write custom pyAMF-based clients for testing Flex services.

* [http://erlend.oftedal.no/blog/?blogid=103 Client-side Remote File Inclusion in Flash] This blog discusses how to perform cross-site scripting attacks against applications that read in XML configuration files.

* [http://code.google.com/p/doctype/wiki/ArticleFlashSecurity Flash Security] A Google code article on different types of cross-site scripting and crossdomain.xml attacks.

'''Updates to the Flash Player Security Model'''
* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10.1_air2_security_changes.html Understanding the security changes in Flash Player 10.1 and AIR 2] - This Adobe Developer Center article describes the new changes that affect security in Flash Player 10.1 and AIR. This article discusses a new feature, LoaderContext.allowCodeImport, which can help in safely loading remote content via loadBytes(). It also discusses minor changes in behavior that may require action by the developer.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html Understanding the security changes in Flash Player 10] - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_uia_requirements.html User-initiated action requirements in Flash Player 10] - This Adobe Developer Center article describes the new user-initiated action requires in Flash Player 10. These requirements include chances to FileReference, Clipboard, full-screen mode and pop-up windows.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html Preparing for the Flash Player 9 April 2008 Security Update] - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html Security Changes in Flash Player 9] This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.

 

== Example Vulnerabilities ==

''The intent of this section is to provide real-world examples of exploitation. This can be useful for consultants to help demonstrate to clients that these techniques have been used in the wild. In some instances, these examples include individual SWFs that were copied to hundreds of web sites. Therefore, a consultant should look for these specific SWFs on a website when performing an assessment to ensure that they have a current version.''

* [http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html Cross-site Scripting through Flash in Gmail Based Services] - This is an example of a cross-site scripting vulnerability that was the result of passing tainted data to ExternalInterface.call.

* [http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw XSS Vulnerabilities in Common Flash Files] - This paper by Rich Cannings shows sample attack URLs for individual SWFs that are hosted across hundreds of websites. The techniques demonstrated in this paper for achieving cross-site scripting including using javascript: URLs, asfunction: URLs, and loading malicious child SWFs (aka cross-site Flashing).

* [http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004514.html clickTAG Cross-site scripting] - It is very common for Flash-based advertisements to accept a FlashVar called, clickTAG. If the clickTAG FlashVar is passed directly to a browser navigation API, such as getURL, then the attacker can achieve cross-site scripting by changing the clickTAG URL to a javascript: URL. Cross-site scripting as the result of a manipulated clickTAG FlashVar is the most common manifestation of cross-site scripting in Flash content.

* [http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html I used to know what you watched on YouTube] - Jeremiah Grossman's blog post regarding his attack on youTube.com's "*.google.com" cross-domain permission.

 

== References ==

* [http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004) OWASP Testing Guide: Testing for cross-site flashing] - Covers finding both cross-site scripting and cross-site flashing.

* [http://www.adobe.com/devnet/flashplayer/security.html Adobe Flash Player Developer Center Security section] - Where Adobe posts articles and information related to Flash Player security.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html Adobe Flash Player 10 Security Model]

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf Adobe Flash Player 9 Security Model]

* [http://www.adobe.com/support/security/ Adobe Security Bulletins and Advisories] This is where Adobe posts all of their security advisories and bulletins.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7f9b.html Applying Flex Security] The security chapter from the Adobe Flex 4 manual.

* [http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9b90204-7d23.html Flash Player Security] The security chapter from the Programming ActionScript 3.0 section the Flash CS4 Documentation.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7d14.html Developing and Loading Sub-applications] This Flex SDK framework allows two or more untrusted SWFs to pass limited information between each other through the use of Shared Events.

 
== Useful Specifications ==

* [http://www.adobe.com/devnet/swf/ SWF File Format Specification] This documents the file format and structure of SWF files.

* [http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf AVM2 Specification] Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf3_spec_05_05_08.pdf AMF3 Specification] The specification for version 3 of AMF used by Flash Player.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf0_spec_121207.pdf?version=1 AMF0 Specification] The specification for the first generation of AMF (AMF 0) used by Flash Player.

* [http://www.adobe.com/devnet/rtmp/ RTMP Specification] This is the specification for the Real Time Messaging Protocol used by SWF content

* [http://www.adobe.com/devnet/flv/ Video File Format Specification] The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

* [http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html Cross-domain Policy File Specification] This document serves as a reference for the structure and use of cross-domain policy files.

* [http://www.mozilla.org/projects/tamarin/ Tamarin Open Source Project] The Tamarin virtual machine is used within the Adobe Flash Player and is also being adopted for use by projects outside Adobe. The Tamarin just-in-time compiler (the "NanoJIT") is a collaboratively developed component used by both Tamarin and Mozilla TraceMonkey.

 

== Third-party Security Libraries ==

* [http://crypto.hurlant.com/ AS3Crypto] - An ActionScript 3.0 cryptography library.

* [http://code.google.com/p/as3corelib/ as3corelib] - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.

* [http://labs.adobe.com/wiki/index.php/Alchemy:Libraries Alchemy ActionScript 3 Crypto Wrapper] - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.

* [http://code.google.com/p/flash-validators/ flash-validators] - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.

* [http://bugs.adobe.com/jira/browse/BLZ-415 Protected Messaging Adaptor] - This addition to the latest version of BlazeDS protects against an attack that allows an untrusted individual to subscribe to wildcard sub-topics. This threat is described within this [http://www.jamesward.com/blog/2009/07/22/protected-messaging-in-flex-with-blazeds-and-lcds/ blog] by James Ward.

* [http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/mx/validators/package-detail.html Flex validators] - Validation routines contained within the Adobe Flex SDK.

 

== OWASP Tools ==

* [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder] OWASP Flash security testing tool

 
== Static Analysis ==

* [http://opensource.adobe.com/wiki/display/flexpmd/FlexPMD FlexPMD] Performs general code analysis with a few security checks.

* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Fortify Static Code Analyzer] '''($)''' Fortify's SCA supports searching for vulnerabilities within ActionScript 3.0, Flex 3 and Flex 4 applications.

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/ FlashDiggity] FlashDiggity is part of the SearchDiggity tool created by the Stach & Liu consulting firm. It will decompile the SWF and use regular expressions to search for strings that are security related.

* [http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167 SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

 

== Disassemblers ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] An Adobe Labs project that performs disassembly of ActionScript 2 and ActionScript 3. Also shows SWF Tag information.

* [http://flasm.sourceforge.net/ Flasm] Flasm provides both disassembly and assembly functionality.

* [http://www.docsultant.com/nemo440/ Nemo440] Nemo440 is an AIR based ActionScript 3.0 disassembler.

* [http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/bin/ swfdump] The Adobe Flex SDK, when built with ant, creates the swfdump utility ([http://blogs.adobe.com/gosmith/2008/02/disassembling_a_swf_with_swfdu_1.html overview]).

* [http://code.google.com/p/erlswf/ ErlSWF] A SWF disassembly tool based authored in Erlang

* [http://www.masonchang.com/2008/06/building-abcdump.html abcdump] The abcdump tool can be built from the tamarin source tree to disassemble AS3 byte code.

* [http://www.sweetscape.com/010editor/ 010Editor] This commercial tool has a [http://www.sweetscape.com/010editor/templates/files/SWFTemplate.bt template] for analyzing AS2 byte code.

* [http://segfaultlabs.com/swfutils swfutils] An ActionScript 3 library for disassembling SWF files.

* [https://github.com/CyberShadow/RABCDAsm#readme RABCDAsm] RABCDAsm is a collection of utilities including an ActionScript 3 assembler/disassembler, and a few tools to manipulate SWF files.

* [http://yogda.com/ Yogda AVM2 Workbench] Yogda® is a development tool for intermediate/advanced actionscript programmers. It includes an AVM2 disassembler.

 

== Decompilers ==

* [http://www.flash-decompiler.com/ Flash Decompiler Trillix] '''($):''' Windows and Mac versions. Supports ActionScript 2.0 and ActionScript 3.0, Flash 5, 6, 7, 8, 9, 10, Flash CS5 and Flex. Able to extract resources,edit SWF elements and provide a source FLA file. Costs @ $80 plus tax/shipping.

* [https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

* [http://www.nowrap.de/flare.html Flare] Flare ActionScript 2.0 decompiler for Windows, Linux and Mac OS X.

* [http://www.buraks.com/asv/ Buraks ActionScript Viewer] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.sothink.com/product/flashdecompiler/ SoThink Flash Decompiler] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.dcomsoft.com/download/dfdinstall.exe Dump Flash Decompiler] Freeware program that treats compressed and decompressed SWF-files and shows the detailed structure in the tree form. Windows.

 

== Obfuscators ==

It should be noted that no obfuscator can protect a SWF from being reverse engineered. An attacker will always be able to extract data from SWFs if they believe it is worth the effort. Obfuscators are only serve as a deterrent for preventing casual inspection of the SWF.

It should also be noted that some obfuscators generate SWFs that do not conform to the Adobe SWF file format specification. Flash Player may still be able to play them but they do not conform to the spec. This could lead to some security tools such as Blitzablieter rejecting them as potentially malicious.

*[http://www.dcomsoft.com/ DComSoft SWF Protector] '''($):''' ActionScript 2.0/3.0 obfuscator for protecting your SWF files from Flash Decompilers. Available for Windows, Mac OS, Linux. Costs approximately $40.

 

== Local Shared Object Editors ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Cross-platform tool for viewing and editing LSOs.

* [http://solve.sourceforge.net/ SolVE] Cross-platform Local Shared Object editor and viewer.

* [http://sourceforge.net/projects/soleditor/ .sol Editor] Windows based Local Shared Object editor

 

== AMF Tools ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Allows sending of custom messages, simple fuzzing and service identification of AMF endpoints.

* [http://deblaze-tool.appspot.com/ DeBlaze] A free tool that attempts to identify AMF services through brute force, dictionary attacks.

* [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services.

* [http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Full AMF support is currently checked into the main branch of the WebScarab project. It has not been rolled into the SourceForge or Java Web Start versions of the WebScarab project at the time of this writing.

* [http://code.google.com/p/webscarab-amf-plugin/ WebScarab AMF Plugin] This is a google code project to add AMF support as a plugin to WebScarab.

* [http://amfparser.codeplex.com/ AMF Parser] AMFParser plugin for Fiddler2 web debugger. It can be used for parsing and displaying AMF data inside HTTP's POST requests and responses.

* [http://code.google.com/p/pinta/ pinta] Pinta is a utility that allows a developer to test services by making custom AMF service calls, and viewing detailed output. This Google Code project is based on Adobe AIR.

* [http://www.charlesproxy.com/ Charles Proxy] '''($):''' This is a basic HTTP proxy but it provides support for interpreting AMF communications. Costs approximately $50.

* [http://releases.portswigger.net/2009/08/v1214.html Burp Suite Professional] '''($):''' The 1.2.124 version of Burp Suite Pro adds AMF support to all tools except for Burp Intruder and Burp Scanner is updated to automatically place attack payloads within string-based AMF values.

* [http://george.hedfors.com/content/action-message-format-amf-shell AMF Shell] AMF Shell is a command line utility based on Python that enumerates services and allows the user to send customized AMF messages to a server.

 

== Analysis ==

* [http://www.utdallas.edu/~mxs072100/ASIRM_project.html Certifying IRM for ActionScript Bytecode] This page contains the binaries for Meera Sridhar's research into using In-lined Reference Monitors to rewrite ActionScript bytecode for the purposes of policy enforcement. This project is currently targeted at AVM2 code.

* [http://blitzableiter.recurity.com/ Blitzablieter] Blitzablieter is a project currently run by Recurity Labs and the German government. The goal is to prevent malicious SWFs from entering a network through normalization and policy enforcement. This project currently handles AVM1 code.

* [http://wepawet.iseclab.org/ Wepawet] Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. It is currently run by University of California, Santa Barbara.

* [https://github.com/sporst/SWFREtools/ SWFRETools] The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.

 

== Project Contributors ==

The Flash Security project is run by [[:User:Puhley|Peleus Uhley]].

== Project Sponsors ==

The Flash Security project is sponsored by [http://www.mindedsecurity.com [[Image:|MindedLogo.PNG]]]

==== Project Identification ====

{{Template:Project Details/OWASP_Flash_Security_Project | OWASP Project Identification Tab}}

__NOTOC__ <headertabs />

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Flash Security Project]] [[Category:OWASP_Download]] [[Category:OWASP_Tool]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]