
Category:OWASP Flash Security Project

From OWASP
Revision as of 02:02, 5 September 2009 by Puhley (talk | contribs) (White Papers / Presentations)


Main

Overview

OWASP Flash Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of Flash applications security.

Goals

The OWASP Flash Security Project aims to produce guidelines and tools around Flash security.


White Papers / Presentations

Flash

[1] Flash Parameter Injection pdf, IBM Rational Application Security Team, OWASP AppSec 2008, 24th September 2008, NYC, NY (USA)

[2] Testing Flash Applications using WebScarab pdf, Martin Clausen - Deloitte Denmark Chapter Meeting, March 12, 2008, Denmark

[3] Testing Flash Applications ppt, Stefano Di Paola, Owasp Appsec 2007, 17th May 2007, Milan (Italy).

[4] Testing and Exploiting Flash Applications pdf, Fukami, Chaos Computer Camp, 2007

[5] Finding Vulnerabilities in Flash Applications ppt, Stefano Di Paola, Owasp Appsec 2007, 15th November 2007, San Jose, CA (USA)


AMF

[1] DeBlaze: A remote enumeration tool for Flex servers pdf, Jon Rose, DefCon 17, 31 July 2009, Las Vegas, NV (USA)

Videos

[1] Understanding the Flash Player Security Model Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of Flash Player's security model. Approximately 1 hour long.

[2] Billy Wins A Cheeseburger A video by HP that explains a basic Flash vulnerability that can be found by decompilers. Approximately 3 minutes long.

Articles

[1] Creating more secure SWF web applications This Adobe Developer Center article discusses secure ActionScript programming practices.

[2] Understanding the security changes in Flash Player 10 - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.

[3] User-initiated action requirements in Flash Player 10 - This Adobe Developer Center article describes the new user-initiated action requirements in Flash Player 10. These requirements include changes to FileReference, Clipboard, full-screen mode and pop-up windows.

[4] Preparing for the Flash Player 9 April 2008 Security Update - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.

[5] Security Changes in Flash Player 9 This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.

References

OWASP Testing Guide: Testing for cross-site flashing - Covers finding both cross-site scripting and cross-site flashing.

Adobe Flash Player Developer Center Security section - Where Adobe posts articles and information related to Flash Player security.

Adobe Flash Player 10 Security Model

Adobe Flash Player 9 Security Model

Adobe Security Bulletins and Advisories This is where Adobe posts all of their security advisories and bulletins.

Applying Flex Security The security chapter from the Adobe Flex 3 manual.

Flash Player Security The security chapter from the Programming ActionScript 3.0 section of the Flash CS4 documentation.

Flex SDK Marshall Plan This framework allows two untrusted SWFs to pass limited information between each other through the use of Shared Events.

Useful Specifications

AVM2 Specification Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

AMF3 Specification The specification for version 3 of AMF used by Flash Player.

AMF0 Specification The specification for the first generation of AMF (AMF 0) used by Flash Player.

RTMP Specification This is the specification for the Real Time Messaging Protocol used by SWF content.

Third-party Security Libraries

AS3Crypto - An ActionScript 3.0 cryptography library.

as3corelib - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.

Alchemy ActionScript 3 Crypto Wrapper - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.

flash-validators - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.

Protected Messaging Adaptor - This addition to the latest version of BlazeDS protects against an attack that allows an untrusted individual to subscribe to wildcard sub-topics. This threat is described within this blog by James Ward.

OWASP Tools

SWFIntruder OWASP Flash security testing tool

Disassemblers

Flasm Flasm provides both disassembly and assembly functionality.

Nemo440 Nemo440 is an AIR based ActionScript 3.0 disassembler.

swfdump The Adobe Flex SDK, when built with Ant, produces a swfdump utility.

ErlSWF A SWF disassembly tool written in Erlang.

abcdump The abcdump tool can be built from the tamarin source tree to disassemble AS3 byte code.

010Editor This commercial tool has a template for analyzing AS2 byte code.

Decompilers

SWFScan This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

Flare Flare ActionScript 2.0 decompiler for Windows.

Buraks ActionScript Viewer ($): An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and produce a rough FLA file. Costs approximately $80 plus tax/shipping.

SoThink Flash Decompiler ($): An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and produce a rough FLA file. Costs approximately $80 plus tax/shipping.

Local Shared Object Editors

SolVE Cross-platform Local Shared Object editor and viewer.

.sol Editor Windows-based Local Shared Object editor.

AMF Tools

DeBlaze A free tool that attempts to identify AMF services through brute-force and dictionary attacks.

WebScarab Full AMF support is currently checked into the main branch of the WebScarab project. It has not been rolled into the SourceForge or Java Web Start versions of the WebScarab project at the time of this writing.

Charles Proxy ($): This is a basic HTTP proxy, but it provides support for interpreting AMF communications. Costs approximately $50.

Project Contributors

The Flash Security project is run by Peleus Uhley.

Project Sponsors

The Flash Security project is sponsored by MindedLogo.PNG

Project Identification


PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What does this OWASP project release offer you?
what is this project?
OWASP Flash Security Project

Purpose: OWASP Flash Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of Flash applications security.

License: N/A

who is working on this project?
Project Leader: Peleus Uhley

Project Maintainer:

Project Contributor(s): N/A

how can you learn more?
Project Pamphlet: N/A

3x slide Project Presentation: N/A

Mailing list: Subscribe or read the archives

Project Roadmap: N/A

Main links: N/A

Project Health: Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

Key Contacts
  • Contact Peleus Uhley to contribute, review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
First Release - Unknown Date - (no download available)

Release Leader: N/A

Release details: N/A

Rating: Not Reviewed
To be reviewed under Assessment Criteria v2.0
