0x00 Preface
Everyone has their own way of finding XSS in Flash: automated tools (such as swfscan), home-grown automation (decompile the SWF first, then audit the ActionScript), or a fully manual code audit. All of these can find Flash XSS vulnerabilities, but each has its problems:
Automated tools do static analysis, so they produce many false positives and still need a lot of manual follow-up.
A full manual audit gives the best results, but it also costs the most effort.
This article discusses a method for dynamic detection of XSS in Flash. It has its own advantages, but also obvious drawbacks, which is why the title says "discussion".
0x01 Principle
Dynamic detection here means: a program drives a browser that has the Flash plug-in loaded, opens the Flash file with crafted parameters, captures the resulting JavaScript events and error messages, and analyzes them to decide whether the Flash file has an XSS vulnerability. A Flash XSS exists when a parameter is passed into JavaScript without proper escaping (typically through ExternalInterface.call or a javascript: URL), so the injected JS either runs as-is or makes the generated JS fail to parse; both outcomes are observable from the browser.
Let's look at the following two figures, using the Firefox browser as an example:
Figure 1: Firefox opens http://test.com/xss.swf?alert=1. The JS code is executed by the Flash file and a dialog box showing 1 appears.
Figure 2: Firefox opens http://test.com/xss.swf?alert=1\". The JS the Flash file builds no longer parses, so executing it raises an error, and Firefox shows the detailed error message (Firefox reports JS errors raised from Flash just like any other script error).
From this, the detection principle is:
◆ The program launches Firefox
◆ Firefox loads the Flash plug-in
◆ Firefox opens the Flash file with a crafted parameter in the URL, such as http://test.com/xss.swf?alert=1\"
◆ The program captures error messages and alert events
◆ The program decides from the error message or alert event whether the Flash file has an XSS vulnerability
0x02 implementation
How do we implement this? We will not actually drive a real Firefox; instead we use an open-source headless-browser scripting toolkit, CasperJS. The official CasperJS website describes it as follows:
CasperJS is an open source navigation scripting & testing utility written in Javascript for the PhantomJS WebKit headless browser and SlimerJS (Gecko).
CasperJS currently supports two engines: PhantomJS (WebKit) and SlimerJS (Gecko). Gecko is the engine used by Firefox, and the CasperJS documentation shows that with the SlimerJS engine the Flash plug-in can be loaded by setting loadPlugins in the page settings.
So CasperJS can fulfill our functional requirements. Below is the code:
Flash_detect.js
var casper = require('casper').create({
    pageSettings: {
        loadImages: true,
        loadPlugins: true   // load the Flash plug-in (only works with the SlimerJS engine)
    },
    logLevel: "info",
    verbose: false
});

casper.start('about:blank', function() {});

// catch alert() calls made in the page, including those triggered from Flash
casper.on('remote.alert', function(message) {
    // JSON.stringify escapes quotes and backslashes in the message,
    // so the output line stays valid JSON even for odd payloads
    this.echo(JSON.stringify({type: "alert", msg: message}));
});

// catch JS errors raised in the page, including errors in Flash-generated JS
casper.on('page.error', function(message, trace) {
    this.echo(JSON.stringify({type: "error", msg: message}));
});

var url = casper.cli.get(0);   // the SWF URL, including the test parameter

casper.thenOpen(url, function() {
    this.wait(2000, function() {});   // delay 2 s: some SWFs call JS only after a while
});

casper.run();
The code is simple: open the Flash file through CasperJS, then capture the error messages and alert events on the page. Note that some Flash files do not execute JS immediately, so after opening a Flash file we stay on the page for 2 seconds before exiting.
0x03 execution results
We ran the detection script against the test Flash file to see the effect (in the second command, the bash double-quoted string "\\\"" yields \" so the URL sent is xss.swf?alert=1\"):
piaca at piaca in ~/source$ casperjs --engine=slimerjs flash_detect.js "http://test.com/xss.swf?alert=1"
{"type": "alert", "msg":"1"}

piaca at piaca in ~/source$ casperjs --engine=slimerjs flash_detect.js "http://test.com/xss.swf?alert=1\\\""
{"type": "error", "msg":"SyntaxError: missing ) after argument list"}
0x04
In practice I crawled some services on the Internet, collected their Flash files, and ran them through the program; the results were good, and this included Flash XSS vulnerabilities in our own business.
However, the current detection program is only a demo. To use it in a production environment, the following problems need to be solved:
Efficiency: the detection currently runs single-process and single-threaded, which limits throughput. SlimerJS also opens a GUI window, which costs additional time and resources.
False positives: the demo does not filter error messages at all, so real-world runs will produce many false positives (any script error on the page is reported, not just errors caused by our input).
Parameters: the script only tests the parameter names we pass in. Flash file URLs are easy to collect from access logs, but how do we obtain all the parameter names a given Flash file accepts?
None of the problems above is fatal; they can be solved in several ways. But, as mentioned at the start, this detection program has one fatal drawback:
It can only detect obvious XSS vulnerabilities. If the Flash file processes its parameters in some way (for example filtering or transforming them), a vulnerability may not be detected.
That is why this article only discusses, rather than settles, how to automatically detect XSS vulnerabilities in Flash.