Automated Crawling & Security Testing of Flash/Flex Web Applications
OWASP
Ronen Bachar
Organization: IBM
email: [email protected]
Phone: 09-9629852
14/9/2008

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org

Agenda
- Introduction to Flash/Flex applications
- AMF
  - High-level description
  - AMF data format and its usage
- Automated Flash testing
  - Challenges
  - Automated crawling
  - Automated testing
- Overview of security risks in Flash/Flex applications

Flash/Flex Introduction
Flash
- Developed by Macromedia (now Adobe)
- Flash is used to create animations, ads and various Web components, to integrate video into web pages and, more recently, to develop RIAs
- Can be consumed as a web page element or as a standalone application
- Includes scripting languages: ActionScript 1, 2 & 3
Flash Player
- Runs Flash content (SWF file format)
- Available as a plug-in for browsers (such as Mozilla Firefox and Internet Explorer) or as a standalone application
- Each version is completely backward-compatible

Flash/Flex Introduction (ctd.)
Flex
- Flex provides a framework for developing RIAs that run in Flash Player
- Instead of forcing applications into the "animation" model, developers can program real applications using MXML (an XML document) to lay out user-interface components, and ActionScript for programming
- Requires Flash Player v9
- Same file format (SWF)
- Supports only ActionScript 3
- AJAX-like attributes

Flash/Flex Introduction (ctd.)
When a Flash movie is embedded in a Web page:
- Flash interacts with the DOM by executing JavaScript code
[Diagram: the host (browser) contains the JavaScript (HTML host) and the Flash object; the Flash Player runs the Flash movie (SWF) and reaches the DOM through JavaScript]

Flash in HTML page
[Slide: screenshot of a Flash movie embedded in an HTML page]

AMF - ActionScript Message Format
- A binary message format
- Used primarily to exchange data between a Flash/Flex application and a server-side component, by serializing ActionScript data types
- NetConnection uses AMF to send messages to a server to asynchronously invoke remote services (RPC)
- AMF 0, 3 - require Flash Player 9
- The AMF protocol specification is available (see references)
- Understanding the AMF format is crucial for manipulating (fuzzing) applications that use AMF

AMF Format Description
- Version: 0, 3
- Header(s):
  - Header name
  - Data: serialized data (binary)
- Message(s):
  - Target URI: service name / response result
  - Response URI: /id
  - Data: serialized data (binary)

AMF Example
[Slide: a request in raw (binary) format, the same request decoded, and the decoded response]

Challenges of Crawling Flash
- In order to properly test Flash/Flex-based applications, we have to crawl them
  - Detect server-side end-points (new URLs)
  - Detect client-side states and logic (the Flash application tree)
- We must play the Flash movie in its "native" context
  - The Flash movie runs in the original HTML page
  - Browser - includes a JavaScript engine (for JS/Flash interaction)
  - Use the Flash Player plug-in
- We must support dynamic content too (where script creates content on the fly); parsing is not enough!

Challenges of Crawling Flash (Cont.)
- States in a Flash application
- Navigation in a Flash application
- Blind crawling (soundless, no pop-ups, no visuals)
- Support inline movies too
- Since Flash Player is designed only to play movies, its programming interface is limited

State Management in Flash Applications
- Flash applications are primarily based on animation. We encounter the following issues:
  - How do we identify/define "application state"?
  - How do we get the current state?
  - How do we figure out that the current state is over/idle?
- We define "state" as a "GUI object" container, i.e. movie clips, buttons & text fields
- Heuristics & the Flash plug-in give us hints that the player is "idle"

Navigation in Flash Applications
- Navigate the Flash application in its native flow; it is still hard to define the correct "functional flow"
- Build the application tree (each node represents a state)
- Get the current state's details (GUI objects)
- Activate each GUI object according to its type:
  - Button - click on it, move the mouse over the button area
  - TextField - fill it in
  - MovieClip - click on it
- Navigating between states through Flash
  - Unfortunately, navigating back is not trivial
  - We need to store and play sequences

Flash Application Tree
[Diagram: Root (State B) with child objects B1, B2, MC1 (State A) and MC2, leading on to State C, State D, State E and State F]

Testing Flash Applications
- Identify controlled Flash parameters:
  - Query parameters (from HTML): http://domain/movie.swf?param1=value1
  - FlashVars (from HTML): <param name="FlashVars" value="param1=value1">
  - Uninstantiated variables (from ActionScript): getURL(clickTag, '_self')
- Locate potentially dangerous code:
  - Where controlled Flash parameters are used inside PDNFs (potentially dangerous native functions: getURL, loadMovie, loadVariables, etc.)
- Save the sequences leading to potentially dangerous code
  - Associate each with its parameter

Testing Flash Applications (ctd.)
- Mutation - inject values into the parameters
  - XSS: param1=javascript:window.open('http://my.site')
  - XSF: param2=www.movie.swf
  - Phishing: param3=www.my.site
- Validation
  - Play the relevant sequence belonging to the mutated parameter
  - Verify the test results
    - Browser events
    - ActionScript level

Testing AMF Parameters
- Testing server-side AMF-speaking end-points
- Using standard parameter tampering techniques on AMF message fields: XSS, SQLi, HTTP response splitting, command execution, etc.
[Slide: original request beside a mutated request in which a string field is replaced by ' having 1=1--]

Overview of Security Risks in Flash/Flex Applications
- XSS through Flash: read & write access to the HTML page or JavaScript code
- XSF: read & write access to the SWF loader, or to the HTML or JavaScript code
- Phishing through Flash
- AMF parameters: XSS, SQLi
- Cross-domain promiscuous access: read & write access to the HTML page or JavaScript code

Recommendations
- HTML code
  - "allowNetworking" set to 'internal'
  - "allowScriptAccess" set to 'samedomain'
- Perform data validation on variables sent to URL functions
- Refine access with "crossdomain.xml"
- Use fscommand or ExternalInterface.call instead of "javascript:"
- Compiler settings:
  - Compile the Flash movie for Flash Player 8 or later
  - Set the "Omit trace" flag

References
- Creating more secure SWF web applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
- Adobe Flash Player 9 Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf
- AMF 0 Specification: http://download.macromedia.com/pub/labs/amf/amf0_spec_121207.pdf
- AMF 3 Specification: http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf
- Testing Flash Applications (Stefano Di Paola / OWASP): http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf
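The "AMF Format Description" and "Testing AMF Parameters" slides say that understanding the binary format is what makes fuzzing AMF end-points possible: a string field inside a message cannot simply be overwritten in the raw bytes, because every string and every message body carries a length prefix that must be recomputed. The codec below is an added example, not code from the deck or from IBM; it implements the AMF0 envelope (version, headers, messages with target URI, response URI, length and data) and the AMF0 value types common in remoting traffic, following the AMF0 specification cited in the references. The remoting request (service name UserService.login, response URI /1, arguments) is constructed for the example.

```python
"""AMF0 packet codec (added example; not code from the OWASP deck or IBM).
Implements the envelope on the "AMF Format Description" slide (version, headers,
messages with target URI, response URI, length-prefixed data) plus the AMF0
value types common in remoting traffic. The sample request is constructed."""
import struct

# AMF0 type markers from the AMF0 specification
NUMBER, BOOLEAN, STRING, OBJECT, NULL, OBJECT_END, STRICT_ARRAY = 0, 1, 2, 3, 5, 9, 10

def _u16str(s):
    b = s.encode("utf-8")                        # big-endian 16-bit length + UTF-8 bytes
    return struct.pack(">H", len(b)) + b

def _read_u16str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def encode_value(v):
    """Serialise a Python value as one AMF0 value (type marker + payload)."""
    if v is None:
        return bytes([NULL])
    if isinstance(v, bool):                      # test bool before int (bool is an int subclass)
        return bytes([BOOLEAN, int(v)])
    if isinstance(v, (int, float)):
        return bytes([NUMBER]) + struct.pack(">d", float(v))
    if isinstance(v, str):
        return bytes([STRING]) + _u16str(v)
    if isinstance(v, list):
        return bytes([STRICT_ARRAY]) + struct.pack(">I", len(v)) + b"".join(map(encode_value, v))
    if isinstance(v, dict):                      # anonymous object: key/value pairs, "" + object-end
        body = b"".join(_u16str(k) + encode_value(x) for k, x in v.items())
        return bytes([OBJECT]) + body + b"\x00\x00" + bytes([OBJECT_END])
    raise TypeError(f"unsupported type {type(v).__name__}")

def decode_value(buf, pos=0):
    """Parse one AMF0 value at pos; returns (value, position after it)."""
    marker, pos = buf[pos], pos + 1
    if marker == NULL:
        return None, pos
    if marker == BOOLEAN:
        return buf[pos] != 0, pos + 1
    if marker == NUMBER:
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == STRING:
        return _read_u16str(buf, pos)
    if marker == STRICT_ARRAY:
        (n,) = struct.unpack_from(">I", buf, pos)
        pos, items = pos + 4, []
        for _ in range(n):
            item, pos = decode_value(buf, pos)
            items.append(item)
        return items, pos
    if marker == OBJECT:
        obj = {}
        while True:
            key, pos = _read_u16str(buf, pos)
            if key == "" and buf[pos] == OBJECT_END:
                return obj, pos + 1
            obj[key], pos = decode_value(buf, pos)
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")

def encode_packet(messages, version=0):
    """Packet with no headers; messages are (target URI, response URI, value)."""
    out = struct.pack(">HHH", version, 0, len(messages))
    for target, response, value in messages:
        body = encode_value(value)
        out += _u16str(target) + _u16str(response) + struct.pack(">I", len(body)) + body
    return out

def decode_packet(buf):
    """Returns (version, headers, messages); a header is (name, must_understand, value)."""
    version, nheaders = struct.unpack_from(">HH", buf, 0)
    pos, headers, messages = 4, [], []
    for _ in range(nheaders):
        name, pos = _read_u16str(buf, pos)
        must = buf[pos] != 0
        value, pos = decode_value(buf, pos + 5)  # skip must-understand byte and U32 length (often 0xFFFFFFFF)
        headers.append((name, must, value))
    (nmsg,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    for _ in range(nmsg):
        target, pos = _read_u16str(buf, pos)
        response, pos = _read_u16str(buf, pos)
        (length,) = struct.unpack_from(">I", buf, pos)
        value, end = decode_value(buf, pos + 4)
        if length != 0xFFFFFFFF and end - (pos + 4) != length:
            raise ValueError("message body length does not match its declared length")
        messages.append((target, response, value))
        pos = end
    return version, headers, messages

def mutate_string_args(packet, replacement):
    """Decode, replace every top-level string argument, re-encode (headers are dropped).
    Re-encoding recomputes the string and body length prefixes, which a raw byte
    substitution in the binary message would leave stale."""
    version, _, messages = decode_packet(packet)
    mutated = [(t, r, [replacement if isinstance(x, str) else x for x in v] if isinstance(v, list) else v)
               for t, r, v in messages]
    return encode_packet(mutated, version)

# Constructed sample: a remoting call with two string arguments and a number
SAMPLE_REQUEST = encode_packet([("UserService.login", "/1", ["alice", "s3cret", 42])])
```

Decoding a captured request with `decode_packet` gives the "Request (decoded)" view from the AMF Example slide; `mutate_string_args(SAMPLE_REQUEST, "' having 1=1--")` produces the mutated request from the Testing AMF Parameters slide with all prefixes consistent, so the server parses the message rather than rejecting it as malformed. AMF3 bodies (marker 0x11 inside an AMF0 packet) use a different, reference-based encoding and are not handled here.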
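The crawling and testing slides (State Management, Navigation in Flash Applications, Flash Application Tree, Testing Flash Applications) describe one procedure: treat each container of GUI objects as a state, activate every object by type, re-enter a state by replaying the stored action sequence because there is no reliable "back", and record which sequences reach potentially dangerous functions with which controlled parameter so the mutation and validation step can replay them. The following is an added example of that procedure, not code from the deck or from IBM. `MockFlashPlayer` is a stand-in for the real Flash Player plug-in, and its states, GUI objects, transitions and sinks are constructed for the example; in a real harness the plug-in's programming interface and JavaScript bridge would supply the same information.

```python
"""Flash application-tree crawler with stored and replayed sequences.
Added example, not code from the OWASP deck or IBM. MockFlashPlayer stands in
for the real plug-in; its states, GUI objects, transitions and sinks are
constructed here."""
from collections import deque

# Constructed movie: state -> GUI objects (type, name)
STATES = {
    "Root":   [("Button", "B1"), ("Button", "B2"), ("MovieClip", "MC1"), ("MovieClip", "MC2")],
    "StateA": [("TextField", "query"), ("Button", "search")],
    "StateC": [("Button", "ad")],
    "StateD": [], "StateE": [], "StateF": [],
}
# (state, object) -> next state; anything not listed leaves the player where it is
TRANSITIONS = {("Root", "B1"): "StateC", ("Root", "B2"): "StateD", ("Root", "MC1"): "StateA",
               ("Root", "MC2"): "StateE", ("StateA", "search"): "StateF"}
# (state, object) -> (potentially dangerous native function, controlled parameter passed to it)
SINKS = {("StateC", "ad"): ("getURL", "clickTag"), ("StateA", "search"): ("loadVariables", "endpoint")}


class MockFlashPlayer:
    """Stand-in for the Flash Player plug-in, instrumented at ActionScript level."""
    def __init__(self, flashvars=None):
        self.flashvars = dict(flashvars or {})   # parameters controlled from the HTML page
        self.reset()

    def reset(self):
        self.state, self.calls = "Root", []       # calls: (function, parameter, argument value)

    def gui_objects(self):
        return list(STATES[self.state])

    def activate(self, obj_type, name, text="x"):
        if obj_type == "TextField":               # fill it in; no navigation
            self.flashvars[name] = text
            return
        sink = SINKS.get((self.state, name))      # Button / MovieClip: click it
        if sink:
            func, param = sink
            self.calls.append((func, param, self.flashvars.get(param, "")))
        self.state = TRANSITIONS.get((self.state, name), self.state)


def replay(player, sequence):
    """Return to a state by replaying its recorded sequence from the root."""
    player.reset()
    for obj_type, name in sequence:
        player.activate(obj_type, name)
    return player.state


def crawl(player):
    """BFS over states. Returns (tree, findings): tree maps state -> sequence from
    the root; findings maps controlled parameter -> [(sink function, sequence)]."""
    tree, findings, queue = {"Root": []}, {}, deque(["Root"])
    while queue:
        state = queue.popleft()
        replay(player, tree[state])
        for obj_type, name in player.gui_objects():
            replay(player, tree[state])           # no "back" navigation: replay instead
            before = len(player.calls)
            player.activate(obj_type, name)
            sequence = tree[state] + [(obj_type, name)]
            for func, param, _ in player.calls[before:]:
                findings.setdefault(param, []).append((func, sequence))
            if player.state not in tree:
                tree[player.state] = sequence
                queue.append(player.state)
    return tree, findings


def run_mutation_test(player, param, func, sequence, payload):
    """Mutation + validation: set the controlled parameter, replay the sequence
    that reaches the sink, and check at ActionScript level whether the payload
    arrived at the dangerous function unchanged."""
    player.flashvars[param] = payload
    replay(player, sequence)
    return any(f == func and value == payload for f, _, value in player.calls)


if __name__ == "__main__":
    player = MockFlashPlayer()
    tree, findings = crawl(player)
    for state, sequence in tree.items():
        print(state, "<-", sequence)
    for param, hits in findings.items():
        print(param, "reaches", hits)
```

Running it prints the application tree (each state with the sequence that reaches it) and two findings: clickTag reaches getURL via Root > B1 > ad, and endpoint reaches loadVariables via Root > MC1 > search. `run_mutation_test` then performs the slide's validation step for one finding: it sets the parameter to the mutated value, replays only that sequence, and reports whether the value arrived at the sink. Replaying from the root on every step is what makes the crawl deterministic on a real movie too; the price is that each state costs one full replay, so long sequences dominate crawl time.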
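The Recommendations slide gives two concrete HTML settings (allowNetworking=internal, allowScriptAccess=samedomain) and asks for a refined crossdomain.xml. A reviewer checking a site's embed markup by hand will miss cases where the `<param>` and `<embed>` disagree or where the setting is simply absent and the player default applies, so here is a small audit script for those settings. It is an added example, not code from the deck, IBM or Adobe; the HTML snippets and policy files it checks are constructed, and the `secure="false"` check relies on the documented crossdomain.xml attribute that permits non-HTTPS SWFs to access an HTTPS server.

```python
"""Audit of embed settings and crossdomain.xml against the deck's Recommendations
slide. Added example, not code from the OWASP deck or IBM; the HTML snippets
and policy files are constructed."""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Recommended values from the deck (names compared case-insensitively)
RECOMMENDED = {"allownetworking": "internal", "allowscriptaccess": "samedomain"}


class _EmbedParser(HTMLParser):
    """Collects <param name=... value=...> entries and <embed ...> attributes."""
    def __init__(self):
        super().__init__()
        self.settings = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)                         # HTMLParser lower-cases attribute names
        if tag == "param" and attrs.get("name"):
            self.settings[attrs["name"].lower()] = (attrs.get("value") or "").lower()
        elif tag == "embed":                        # later <embed> attributes override <param>
            for key, value in attrs.items():
                if key in RECOMMENDED:
                    self.settings[key] = (value or "").lower()


def audit_embed(html):
    """Return a list of deviations from the recommended embed settings."""
    parser = _EmbedParser()
    parser.feed(html)
    issues = []
    for name, want in RECOMMENDED.items():
        got = parser.settings.get(name)
        if got is None:
            issues.append(f"{name} not set; the player default applies")
        elif got != want:
            issues.append(f"{name}={got!r}, recommended {want!r}")
    return issues


def audit_crossdomain(policy_xml):
    """Flag allow-access-from entries broader than a named origin or open to non-HTTPS."""
    issues = []
    for entry in ET.fromstring(policy_xml).iter("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            issues.append('allow-access-from domain="*" grants every domain access')
        if entry.get("secure", "").lower() == "false":
            issues.append(f'secure="false" for domain={domain!r} allows non-HTTPS callers')
    return issues


# Constructed samples: a permissive embed and policy beside hardened ones
WEAK_HTML = """<object type="application/x-shockwave-flash" data="movie.swf" width="300" height="200">
  <param name="movie" value="movie.swf">
  <param name="allowScriptAccess" value="always">
  <param name="FlashVars" value="param1=value1">
  <embed src="movie.swf" allowScriptAccess="always" allowNetworking="all" width="300" height="200">
</object>"""
HARDENED_HTML = (WEAK_HTML.replace('value="always"', 'value="sameDomain"')
                 .replace('allowScriptAccess="always"', 'allowScriptAccess="sameDomain"')
                 .replace('allowNetworking="all"', 'allowNetworking="internal"'))
WEAK_POLICY = ('<cross-domain-policy>'
               '<allow-access-from domain="*" secure="false"/></cross-domain-policy>')
TIGHT_POLICY = ('<cross-domain-policy>'
                '<allow-access-from domain="www.example.com"/></cross-domain-policy>')

if __name__ == "__main__":
    for label, html in (("weak", WEAK_HTML), ("hardened", HARDENED_HTML)):
        print(label, "embed:", audit_embed(html) or "ok")
    for label, policy in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(label, "policy:", audit_crossdomain(policy) or "ok")
```

The weak markup yields two findings (allowNetworking=all, allowScriptAccess=always) and the hardened copy none; the weak policy is flagged for both the wildcard domain and `secure="false"`. The "not set" case is reported on purpose: the deck's recommendation is an explicit value, and an absent attribute leaves the decision to whatever the installed player version defaults to.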