Difference between revisions of "Category:OWASP Flash Security Project"
(→References) |
(→White Papers) |
||
Line 40: | Line 40: | ||
[3] '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose CA (USA) | [3] '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose CA (USA) | ||
+ | |||
+ | == Videos == | ||
+ | |||
+ | [1] [http://tv.adobe.com/#vi+f15384v1102 Understanding the Flash Player Security Model] Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of the Flash Player security model. | ||
== Articles == | == Articles == |
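Review bot: in the added Videos entry, the link label "Understanding the Flash Player Security Model" does not match the talk title quoted later in the same line ("Flash Security: Why and how."), and the description runs on directly from the link with no separator. Suggest using the talk title as the link text, or at least putting " - " between the link and "Deneb Meketa of Adobe gives ...", so readers can find the recording under its actual name.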
Revision as of 15:58, 19 February 2009
Overview
OWASP Flash Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of Flash applications security.
Goals
The OWASP Flash Security Project aims to produce guidelines and tools around Flash Security.
OWASP Tools
OWASP Flash security testing tool SWFIntruder
Open Source Tools
Flasm assembler and disassembler Flasm
Flare ActionScript 2.0 decompiler Flare
Nemo440 AIR-based ActionScript 3.0 disassembler Nemo440
SolVE Local Shared Object Editor and Viewer SolVE
.sol Editor Local Shared Object Editor .sol
Third-party Libraries
AS3Crypto - An ActionScript 3.0 cryptography library.
as3corelib - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.
Alchemy ActionScript 3 Crypto Wrapper - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.
flash-validators - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.
White Papers
[1] Flash Parameter Injection pdf, IBM Rational Application Security Team, OWASP AppSec 2008, 24th September 2008, NYC, NY (USA)
[2] Testing Flash Applications ppt, Stefano Di Paola, Owasp Appsec 2007, 17th May 2007, Milan (Italy).
[3] Finding Vulnerabilities in Flash Applications ppt, Stefano Di Paola, Owasp Appsec 2007, 15th November 2007, San Jose CA (USA)
Videos
[1] Understanding the Flash Player Security Model - Deneb Meketa of Adobe gives a one-hour presentation at the Adobe MAX 2008 conference in San Francisco entitled "Flash Security: Why and how." This presentation provides a good overview of several aspects of the Flash Player security model.
Articles
[1] Creating more secure SWF web applications - This Adobe Developer Center article discusses secure ActionScript programming practices.
[2] Understanding the security changes in Flash Player 10 - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.
[3] User-initiated action requirements in Flash Player 10 - This Adobe Developer Center article describes the new user-initiated action requirements in Flash Player 10. These requirements include changes to FileReference, Clipboard, full-screen mode and pop-up windows.
[4] Preparing for the Flash Player 9 April 2008 Security Update - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.
[5] Security Changes in Flash Player 9 - This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.
References
Adobe Flash Player Developer Center Security section - Where Adobe posts articles and information related to Flash Player security.
Adobe Flash Player 10 Security Model
Adobe Flash Player 9 Security Model
Adobe Security Bulletins and Advisories - This is where Adobe posts all of their security advisories and bulletins.
Applying Flex Security - The security chapter from the Adobe Flex 3 manual.
Flash Player Security - The security chapter from the Programming ActionScript 3.0 section of the Flash CS4 Documentation.
Flex SDK Marshall Plan - This framework allows two untrusted SWFs to pass limited information between each other through the use of Shared Events.
Project Contributors
The Flash Security project is run by Stefano Di Paola. He can be contacted at stefano.dipaola AT mindedsecurity.com.
Project Sponsors
The Flash Security project is sponsored by