OWASP IL Flash Flex Automated Testing



Presentation Transcript

Automated Crawling & Security Testing of Flash/Flex Web Applications

Ronen Bachar
Organization: IBM
Email: rbachar@il.ibm.com
Phone: 09-9629852
14/9/2008

Agenda

- Introduction to Flash/Flex applications
- AMF: high-level description
- AMF data format and its usage
- Automated Flash testing challenges
- Automated crawling
- Automated testing
- Overview of security risks in Flash/Flex applications

Flash/Flex Introduction

Flash
- Developed by Macromedia (now Adobe)
- Used to create animations, ads and various web components, to integrate video into web pages and, more recently, to develop RIAs (rich Internet applications)
- Can be consumed as a web page element or as a standalone application
- Includes scripting languages: ActionScript 1, 2 & 3

Flash Player
- Runs Flash content (SWF file format)
- Available as a plug-in for browsers (such as Mozilla Firefox and Internet Explorer) or as a standalone application
- Each version is completely backward-compatible

Flash/Flex Introduction (ctd.)

Flex
- Provides a framework for developing RIAs that run in Flash Player
- Instead of forcing applications into the "animation" model, developers can program real applications using MXML (an XML document) to lay out user-interface components, and ActionScript for programming
- Requires Flash Player v9
- Same file format (SWF)
- Supports only ActionScript 3
- AJAX-like attributes

Flash/Flex Introduction (ctd.)

When a Flash movie is embedded in a web page:
- Flash → DOM: the movie interacts with the DOM by executing JavaScript code
- JavaScript (HTML host) → Flash object

Flash in HTML page

[Diagram slide: Flash in HTML page]

AMF - ActionScript Message Format

- A binary message format
- Used primarily to exchange data between a Flash/Flex application and a server-side component, by serializing ActionScript data types
- NetConnection uses AMF to send messages to a server to asynchronously invoke remote services (RPC)
- AMF 0, 3 - require Flash Player 9
- The AMF protocol specification is available (see references)
- Understanding the AMF format is crucial for manipulating (fuzzing) applications that use AMF

AMF Format Description

- Version: 0 or 3
- Header(s):
  - Header name
  - Data: serialized data (binary)
- Message(s):
  - Target URI: service name / response result
  - Response URI: /id
  - Data: serialized data (binary)

AMF Example

[Screenshots: Request (raw format), Request (decoded), Response (decoded)]
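The packet layout given on the AMF Format Description slide (version, headers, messages with target URI, response URI and serialized body) and the raw/decoded views on this slide, as an added example that is not part of the presentation or of Adobe's code: a small AMF0 encoder and a bounds-checked decoder in Python. The service name EchoService.echo, the response slot /1 and the argument values are constructed; bodies that switch to AMF3 (marker 0x11) are out of scope and raise.

```python
"""AMF0 packet encoder/decoder, written as an added example (not Adobe's code).
Follows the packet layout of the AMF 0 specification: version, headers, messages."""
import struct

# AMF0 type markers handled here (a subset of the specification)
NUMBER, BOOLEAN, STRING, OBJECT, NULL, OBJECT_END, STRICT_ARRAY = 0x00, 0x01, 0x02, 0x03, 0x05, 0x09, 0x0A


def _utf8(s):
    """UTF-8 string with a 16-bit big-endian length prefix."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def encode_value(v):
    """Serialize a Python value as an AMF0 value (type marker + payload)."""
    if v is None:
        return bytes([NULL])
    if isinstance(v, bool):                      # test bool before int: bool subclasses int
        return bytes([BOOLEAN, int(v)])
    if isinstance(v, (int, float)):
        return bytes([NUMBER]) + struct.pack(">d", float(v))
    if isinstance(v, str):
        return bytes([STRING]) + _utf8(v)
    if isinstance(v, list):
        return bytes([STRICT_ARRAY]) + struct.pack(">I", len(v)) + b"".join(map(encode_value, v))
    if isinstance(v, dict):
        body = b"".join(_utf8(k) + encode_value(x) for k, x in v.items())
        return bytes([OBJECT]) + body + b"\x00\x00" + bytes([OBJECT_END])  # empty key, then end marker
    raise TypeError(f"unsupported type {type(v).__name__}")


def encode_packet(messages, version=0):
    """Build a header-less AMF packet. messages: [(target_uri, response_uri, value), ...]"""
    out = struct.pack(">HHH", version, 0, len(messages))   # version, header count, message count
    for target, response, value in messages:
        body = encode_value(value)
        out += _utf8(target) + _utf8(response) + struct.pack(">I", len(body)) + body
    return out


class AMF0Decoder:
    """Cursor-based reader; every read is bounds-checked, so truncated input raises ValueError."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def _read(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated AMF packet")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def _u8(self):  return self._read(1)[0]
    def _u16(self): return struct.unpack(">H", self._read(2))[0]
    def _u32(self): return struct.unpack(">I", self._read(4))[0]
    def _str(self): return self._read(self._u16()).decode("utf-8")

    def value(self):
        marker = self._u8()
        if marker == NUMBER:
            return struct.unpack(">d", self._read(8))[0]
        if marker == BOOLEAN:
            return self._u8() != 0
        if marker == STRING:
            return self._str()
        if marker == NULL:
            return None
        if marker == STRICT_ARRAY:
            return [self.value() for _ in range(self._u32())]
        if marker == OBJECT:
            obj = {}
            while True:
                key = self._str()
                if key == "":                            # empty key announces the object-end marker
                    if self._u8() != OBJECT_END:
                        raise ValueError("missing object-end marker")
                    return obj
                obj[key] = self.value()
        raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")   # e.g. 0x11 = switch to AMF3

    def packet(self):
        """Parse version, headers and messages into a dict (the slide's 'decoded' view)."""
        version, headers = self._u16(), []
        for _ in range(self._u16()):
            name, must_understand = self._str(), self._u8() != 0
            self._u32()                                   # declared length, may be 0xFFFFFFFF (unknown)
            headers.append((name, must_understand, self.value()))
        messages = []
        for _ in range(self._u16()):
            target, response = self._str(), self._str()
            self._u32()                                   # declared body length; we parse the value itself
            messages.append((target, response, self.value()))
        return {"version": version, "headers": headers, "messages": messages}


def decode_packet(data):
    return AMF0Decoder(data).packet()


# Constructed remoting-style request: target "Service.method", response slot "/1", argument array
SAMPLE_REQUEST = encode_packet([("EchoService.echo", "/1", ["hello", 42, {"admin": False, "user": "guest"}])])

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())           # raw format
    print(decode_packet(SAMPLE_REQUEST))  # decoded
```

The decoder ignores the declared body and header lengths and parses the values themselves, because those length fields are attacker-controlled in any request a server receives; the bounds check in `_read` is what turns a truncated or oversized declared array into a clean ValueError instead of an out-of-range read.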

Challenges of Crawling Flash

- In order to properly test Flash/Flex-based applications, we have to crawl them:
  - Detect server-side end-points (new URLs)
  - Detect client-side states and logic (Flash application tree)
- We must play the Flash movie in its "native" context:
  - The Flash movie runs in the original HTML page
  - Browser, including a JavaScript engine (for JS ↔ Flash interaction)
  - Use the Flash Player plug-in
- We must support dynamic content too (where script creates content on the fly): parsing is not enough!

Challenges of Crawling Flash (Cont.)

- States in a Flash application
- Navigation in a Flash application
- Blind crawling (soundless, no pop-ups, no visuals)
- Support inline movies too
- Since Flash Player is designed only to play movies, its programming interface is limited

State Management in Flash applications

Flash applications are primarily based on animation. We encounter the following issues:
- How do we identify/define "application state"?
- How do we get the current state?
- How do we figure out that the current state is over/idle?

- We define "state" as a "GUI object" container, i.e. movie clips, buttons & text fields
- Heuristics & the Flash plug-in give us hints that the player is "idle"

Navigation in Flash Application

- Navigate the Flash application in its native flow; it is still hard to define the correct "functional flow"
- Build an application tree (each node represents a state)
- Get current state details (GUI objects)
- Activate each GUI object according to its type:
  - Button: click on it, move the mouse over the button area
  - TextField: fill it in
  - MovieClip: click on it
- Navigate between states through Flash
- Unfortunately, navigating back is not trivial: we need to store and replay sequences

Flash Application tree

[Diagram slide: Flash application tree]

Testing Flash Applications

- Identify controlled Flash parameters:
  - Query parameters (from HTML): http://domain/movie.swf?param1=value1
  - FlashVars (from HTML): <param name="FlashVars" value="param1=value1">
  - Uninstantiated variables (from ActionScript): getURL(clickTag, '_self')
- Locate potentially dangerous code: where controlled Flash parameters are used inside PDNFs (potentially dangerous native functions: getURL, loadMovie, loadVariables, etc.)
- Save the sequences leading to potentially dangerous code
- Associate each sequence with its parameter

Testing Flash Applications (ctd.)

- Mutation: inject values into the parameters
  - XSS: param1=javascript:window.open('http://my.site')
  - XSF: param2=www.evil.site/movie.swf
  - Phishing: param3=www.my.site
- Validation: play the relevant sequence that belongs to the mutated parameter
- Verify test results:
  - Browser events
  - ActionScript level

Testing AMF Parameters

- Testing server-side AMF-speaking end-points
- Using standard parameter-tampering techniques on AMF message fields: XSS, SQLi, HTTP response splitting, command execution, etc.

[Screenshots: Original Request, Mutated Request]

Overview of security risks in Flash/Flex applications

- XSS through Flash: read & write access to the HTML page or JavaScript code
- XSF: read & write access to the SWF loader or to the HTML or JavaScript code
- Phishing through Flash
- AMF parameters: XSS, SQLi
- Cross-domain promiscuous access: read & write access to the HTML page or JavaScript code

Recommendations

- HTML code:
  - "allowNetworking" set to 'internal'
  - "allowScriptAccess" set to 'samedomain'
- Perform data validation on variables sent to URL functions
- Refine access with "crossdomain.xml"
- Use fscommand or ExternalInterface.call instead of "javascript:"
- Compiler settings:
  - Compile the Flash movie for Flash Player 8 or later
  - Set the "Omit trace" flag
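The HTML-side controlled inputs listed under Testing Flash Applications (query parameters on the movie URL and FlashVars) and the allowNetworking / allowScriptAccess settings recommended on this slide, as an added example that is not part of the presentation: a Python audit of a page's <object>/<embed> tags that lists the parameter names a tester would mutate and reports sandbox settings that differ from the recommended values. The sample HTML, the path /media/player.swf and the parameter names are constructed; the Flash Player defaults assumed when a setting is absent (allowScriptAccess=sameDomain, allowNetworking=all) are taken from Adobe's documentation, not from the slides.

```python
"""Audit SWF embeds in HTML: controlled parameters and sandbox settings (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Values the presentation recommends, and the Flash Player defaults applied when the
# setting is absent (assumption from Adobe documentation, not from the slides).
RECOMMENDED = {"allowscriptaccess": "samedomain", "allownetworking": "internal"}
DEFAULTS = {"allowscriptaccess": "samedomain", "allownetworking": "all"}


def _param_names(query):
    """Parameter names in a query string or FlashVars string such as 'a=1&b=2'."""
    return sorted(parse_qs(query, keep_blank_values=True))


class SwfEmbedAuditor(HTMLParser):
    """Collects, per <object>/<embed>, the controlled inputs and the sandbox findings."""

    def __init__(self):
        super().__init__()
        self.embeds = []        # one dict per SWF embed found
        self._current = None    # settings gathered for the <object> being parsed

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}   # HTMLParser already lowercases attribute names
        if tag == "object":
            self._current = {"element": "object"}
        elif tag == "param" and self._current is not None:
            # <param name="movie|FlashVars|allowScriptAccess|..." value="..."> inside <object>
            self._current[attrs.get("name", "").lower()] = attrs.get("value", "")
        elif tag == "embed":
            settings = {"element": "embed", "movie": attrs.get("src", "")}
            settings.update(attrs)
            self._finish(settings)

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self._finish(self._current)
            self._current = None

    def _finish(self, s):
        movie = s.get("movie", "")
        controlled = set(_param_names(urlsplit(movie).query))   # movie.swf?param1=value1
        controlled.update(_param_names(s.get("flashvars", "")))  # FlashVars="param1=value1"
        findings = []
        for setting, want in RECOMMENDED.items():
            have = s.get(setting, DEFAULTS[setting]).lower()
            if have != want:
                findings.append(f"{setting}={have!r} (recommended {want!r}"
                                + (", default applied)" if setting not in s else ")"))
        self.embeds.append({"element": s["element"], "movie": movie,
                            "controlled_params": sorted(controlled), "findings": findings})


def audit_swf_embeds(html):
    parser = SwfEmbedAuditor()
    parser.feed(html)
    parser.close()
    return parser.embeds


# Constructed sample page: the <object> widens allowScriptAccess and omits allowNetworking,
# while the nested <embed> fallback uses the recommended values.
SAMPLE_HTML = """
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="550" height="400">
  <param name="movie" value="/media/player.swf?skin=blue">
  <param name="allowScriptAccess" value="always">
  <param name="FlashVars" value="clickTag=http%3A%2F%2Fexample.test&user=guest">
  <embed src="/media/player.swf?skin=blue" allowScriptAccess="sameDomain"
         allowNetworking="internal" flashvars="clickTag=http%3A%2F%2Fexample.test&user=guest"
         type="application/x-shockwave-flash">
</object>
"""

if __name__ == "__main__":
    for e in audit_swf_embeds(SAMPLE_HTML):
        print(e["element"], e["movie"], "params:", e["controlled_params"])
        for f in e["findings"]:
            print("   ", f)
```

Both tags are audited separately because browsers pick one or the other: a page whose <object> params are hardened but whose <embed> fallback still says allowScriptAccess="always" is only protected in some browsers. The controlled-parameter list (here clickTag, skin and user) is the set of names to trace into the PDNFs mentioned on the testing slide.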

References

- Creating more secure SWF web applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
- Adobe Flash Player 9 Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf
- AMF 0 Specification: http://download.macromedia.com/pub/labs/amf/amf0_spec_121207.pdf
- AMF 3 Specification: http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf
- Testing Flash Applications (Stefano Di Paola / OWASP): http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf
