Automated Crawling & Security Testing of Flash/Flex Web Applications OWASP Ronen Bachar Organization: IBM email: [email protected] Phone: 09-9629852 14/9/2008 Copyright © The OWASP Foundation Permission is granted to copy, distribute.
Automated Crawling & Security Testing of Flash/Flex Web Applications
OWASP
Ronen Bachar
Organization: IBM
email: [email protected]
Phone: 09-9629852
14/9/2008
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Agenda
Introduction to Flash/Flex applications
AMF
High level description
AMF data format and its usage
Automated Flash Testing Challenges
Automated Crawling
Automated Testing
Overview of security risks in Flash/Flex applications
OWASP
2
Flash/Flex Introduction
Flash
Developed by Macromedia (now Adobe)
Flash is used to create animations, ads, and various Web components, to integrate video into web pages and, more recently, to develop RIA
Can be consumed as a web page element or as a standalone application
Includes Scripting languages - Action Script 1, 2 & 3
Flash player
Runs Flash content (SWF file format)
Available as a plug-in for browsers (such as Mozilla Firefox and Internet Explorer) or as a standalone application
Each version is completely backward-compatible
Flash/Flex Introduction (ctd.)
Flex
Flex provides a framework for developing RIAs that run in Flash Player
Instead of forcing applications into the “animation” model, developers can program real applications using MXML (an XML document) for laying out user-interface components, and Action Script for programming
Requires Flash Player v9
Same File Format (SWF)
Supports only Action Script 3
AJAX-like attributes
Flash/Flex Introduction (ctd.)
When a Flash movie is embedded in a Web page, the Flash DOM interacts with the HTML DOM by executing JavaScript code
[Figure: the host (browser) contains the JavaScript (HTML host) and the Flash object; the Flash Player inside it runs the Flash movie (SWF)]
Flash in HTML page
AMF - ActionScript Message Format
A binary message format
Used primarily to exchange data between a Flash/Flex application and a server-side component, by serializing Action Script data types
NetConnection uses AMF to send messages to a server to asynchronously invoke remote services (RPC)
AMF 0, 3 - require Flash Player 9
AMF protocol specification is available (see references)
Understanding the AMF format is crucial for manipulating (fuzzing) applications that use AMF
AMF Format Description
Version: 0, 3
Header(s):
Header Name
Data: Serialized data (binary)
Message(s):
Target URI: Service name/Response result
Response URI: /id
Data: Serialized data (binary)
AMF Example
[Screenshots: a request in raw format, the same request decoded, and the decoded response]
Challenges of Crawling Flash
In order to properly test Flash/Flex-based applications, we have to crawl them
Detect server-side end-points (new URLs)
Detect client-side states and logic (Flash Application tree)
We must play the Flash movie in its “native” context
Flash movie runs in the original HTML page
Browser - includes a JavaScript engine (for JS/Flash interaction)
Use Flash Player plug-in
We must support dynamic content too (where script creates content on the fly); parsing is not enough!
Challenges of Crawling Flash (Cont.)
States in Flash application
Navigation in Flash application
Blind Crawling (soundless, no pop-ups, no visuals)
Support inline movie too
Since Flash Player is designed only to play movies, its programming interface is limited
State Management in Flash applications
Flash Applications are primarily based on animation. We encounter the following issues:
How do we identify/define “application state”?
How do we get the current state?
How do we figure out that the current state is over (idle)?
We define “state” as a “GUI Object” container, i.e. Movie Clips, Buttons & Text Fields
Heuristics and hints from the Flash plug-in tell us when the player is “idle”
Navigation in Flash Application
Navigate the Flash application in its native flow; it is still hard to define the correct “functional flow”
Build application tree (each node represents a state)
Get current state details (GUI Objects)
Activate each GUI object according to type:
Button – click on it, move mouse over a button area.
TextField – fill it in
MovieClip – click on it
Navigating between states through Flash
Unfortunately, navigating back is not trivial
We need to store and play sequences
Flash Application tree
[Figure: application tree with Root at the top; nodes State A to State F, reached through GUI objects such as buttons B1 and B2 and movie clips MC1 and MC2]
Testing Flash Applications
Identify controlled Flash parameters:
Query parameters (from HTML)
http://domain/movie.swf?param1=value1
FlashVars (from HTML)
<param name="FlashVars" value="param1=value1">
Uninstantiated variables (from Action Script)
getURL (clickTag,'_self')
Locate potentially dangerous code:
Where controlled Flash parameters are used inside PDNFs (potentially dangerous native functions: getURL, loadMovie, loadVariables, etc.)
Save sequences leading to potentially dangerous code
Associate with parameter
Testing Flash Applications (ctd.)
Mutation - Inject values to the parameters
XSS: param1=javascript:window.open('http://my.site')
XSF: param2=www.movie.swf
Phishing: param3=www.my.site
Validation
Play the sequence associated with the mutated parameter
Verify test results
Browser events
Action Script level
Testing AMF Parameters
Testing server-side AMF-speaking end-points using standard parameter tampering techniques on AMF message fields: XSS, SQLi, HTTP Response Splitting, Command Execution, etc.
' having 1=1--
[Screenshots: original request and mutated request]
Overview of security risks in Flash/Flex applications
XSS Through Flash
Read & Write access to HTML page or javascript code
XSF
Read & Write access to SWF loader or HTML or javascript code
Phishing Through Flash
AMF Parameters
XSS, SQLi
Cross Domain Promiscuous Access
Read & Write access to HTML page or javascript code
Recommendations
HTML Code
“allowNetworking” set to ‘internal’
“allowScriptAccess” set to ‘samedomain’
Perform data validation on variables sent to URL functions
Refine access with “crossdomain.xml”
Use fscommand or ExternalInterface.call instead of “javascript:”
Compiler settings:
Compile Flash movie for Flash Player 8 or later
Set Omit trace flag
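An added example in Python (not the slides' or any tool's code) that ties the controlled-parameter classes from the Testing Flash Applications slides to the recommendation above to validate variables sent to URL functions: it collects the ?query and FlashVars parameters the way a crawler would, applies an allowlist check to every value that reaches a PDNF, and reports the slides' three mutation values (javascript: URL, external movie, phishing site) as failures while accepting a same-host http URL. The host name "domain", the parameter-to-function map and the absolute-http(s)-only policy are assumptions made for the example.

```python
from urllib.parse import parse_qsl, urlsplit

def extract_flash_params(swf_url, flashvars=""):
    """Collect the attacker-controllable parameters the slides list: the ?query on the
    movie URL and the FlashVars string from the embedding HTML (later keys win)."""
    params = dict(parse_qsl(urlsplit(swf_url).query, keep_blank_values=True))
    params.update(parse_qsl(flashvars, keep_blank_values=True))
    return params

def is_safe_url_argument(value, allowed_hosts):
    """Allowlist check for a value about to reach a URL function (getURL, loadMovie,
    loadVariables). Policy (an assumption for this example): absolute http(s) URL only,
    host must be on the allowlist. This rejects javascript: and other script schemes
    (XSS), schemeless or foreign hosts for loaded movies (XSF) and redirects (phishing)."""
    if any(ord(ch) < 0x20 for ch in value):        # control characters never belong in a URL
        return False
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname                           # None for "www.my.site" (no scheme, no netloc)
    return host is not None and host.lower() in allowed_hosts

def check_pdnf_inputs(params, sinks, allowed_hosts):
    """sinks maps parameter name -> the potentially dangerous native function it reaches.
    Returns (parameter, function, value) for every value that fails the allowlist."""
    return [(name, func, params[name]) for name, func in sinks.items()
            if name in params and not is_safe_url_argument(params[name], allowed_hosts)]

# Constructed sample built from the slides' mutation values; "domain" is the hosting site.
SWF_URL = "http://domain/movie.swf?param1=http://domain/next.swf&clickTag=javascript:window.open('http://my.site')"
FLASHVARS = "param2=www.movie.swf&param3=www.my.site"
SINKS = {"clickTag": "getURL", "param1": "loadMovie", "param2": "loadMovie", "param3": "getURL"}

def findings():
    """Run the check over the sample; only param1 (same-host http URL) passes."""
    return check_pdnf_inputs(extract_flash_params(SWF_URL, FLASHVARS), SINKS, {"domain"})
```

If the movie legitimately loads relative paths, extend the policy for schemeless values with no netloc rather than relaxing the scheme check, since "//host/x.swf" still parses with a netloc and stays rejected.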
References
Creating more secure SWF web applications:
http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
Adobe Flash Player 9 Security:
http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf
AMF 0 Specification:
http://download.macromedia.com/pub/labs/amf/amf0_spec_121207.pdf
AMF 3 Specification:
http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf
Testing Flash Applications (Stefano Di Paola / OWASP):
http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf