TestingFlashApplications.ppt

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * PDNF – Flv Metadata Editors There is a number of free and commercial tools for editing flv files: flvtool2: Ruby FLV Editor /projects/flvtool2/ Perl package FLVInfo: Perl Package FLV Editor  /~CDOLAN/FLV-Info-0.18/ FLV Metadata Injector: Windows FLV Editor /flvmdi/ JAMFProxy: Java Flash Remoting Proxy and FLV Editor (to be released) http://www.wisec.it  * PDNF – Flv Metadata Injection When a flv file is loaded there is an event handler called `onMetadata` which parses metadata and gives access to the objects it represents. Some of the things an attacker could do with Metadata is  the injection of html tags on specific parameters on custom implementations:onMetadata = function(metaobject) {  my_text.htmlText = DataRate = + metaobject.videodatarate; }; * PDNF – Flv Metadata Injection For example, usually videodatarate is a number object ... * PDNF – Flv Metadata Injection But as types are checked only at compile time, videodatarate could be changed to a string: Type Change Value Change * PDNF – Flv Metadata Injection Result Resulting in a XSS via FLV Metadata * PDNF – Music Players Several mp3 Flash players are used on the web. ID Tags are commonly used in mp3 in order to set  information about: Music Genre Author Title ... If an mp3 file could be loaded from an malicious location then ID3 could be used to control some data flow. * PDNF – Mp3 ID3 Data As with onMetadata there exists an event handler called `onID3`:onID3 = function() {  my_text.htmlText = this.id3.author; }; * Some Advanced Hacks - 1/4 Dom Injection on firefox #: Firefox Flash plugin parses everything in the query string, even after the sharp.  http://host/flawed.swf?#blah=blahpar1=val1par2=val2 This means that nothing after the sharp goes to the server but parameters and values are parsed and instantiated by the plug