|
ArticleFlashSecurity
Introduction to Flash security
Flash is a broadly-deployed technology, but its security controls are still in their infancy. Unfortunately, both web applications using Flash and web applications not using Flash are affected by insecure design of Adobe's Flash Player. This section discusses some important pitfalls to watch out for when developing Flash applications, when hosting user-submitted .swf files, and when interacting with Flash applications hosted on other sites. A brief look at the Flash security modelBy default the security model for Flash is similar to the Same Origin Policy. Flash can only read responses from requests from the same domain where the Flash application originated. Flash also places some security around making HTTP requests, but one can usually make cross domain GET requests via Flash's getURL() function. Also, Flash does not allow Flash applications that are loaded over HTTP to read HTTPS responses. Flash does allow cross-domain communication, if a security policy on the other domain permits communication with the domain where the Flash application resides. The security policy is an XML file, usually named crossdomain.xml and located in the root directory of the other domain. The worst policy file from a security perspective looks something like this: <cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>The above policy allows any Flash application to communicate (cross-domain) with the server hosting this crossdomain.xml file. Despite the naming convention, the policy file can reside at any URL, with any name, in any directory. A Flash application can load an arbitrary security policy file with one line of ActionScript: System.security.loadPolicyFile(“http://www.google.com/crossdomain.xml”); If it is not in the server's root directory, then the policy only applies to the directory that the policy file is in and all its subdirectories. For instance, say policy file was located in http://www.example.com/sub/crossdomain.xml. Then the policy would apply to requests like http://www.example.com/sub/stuff.html and http://www.example.com/sub/more/stuff.html, but not to pages like http://www.example.com/ or http://www.example.com/admin/. XSS via Flash applicationsThe most common cause of XSS is that a vulnerable server does not validate user input, so an attacker can inject HTML that includes malicious JavaScript. However, XSS can also occur through client-side Flash applications, if user input within the Flash application is not properly validated. Finding XSS in Flash applications is arguably easier than on web applications because attackers can decompile Flash applications and find security issues in the source code, rather than blindly testing server side web applications. Further reading |
Sign in to add a comment
The asfunction: protocol was restricted to only being supported within HTML text fields with the Flash Player 9,0,115,0 release (http://www.adobe.com/support/security/bulletins/apsb07-20.html). However, it is still a best practice validate all URLs before supplying them to any networking API.
test
For ActionScript? developers and auditors, there is an Adobe article on Creating more secure SWF web applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
For doing input validation, there is a Google Code project called Flash Validators which has data validation libraries: http://code.google.com/p/flash-validators/
There are also security chapters within the Flash Documentation. For ActionScript? 3.0 developers: http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9b90204-7d23.html
For ActionScript? 2.0 developers: http://help.adobe.com/en_US/AS2LCR/Flash_10.0/00000449.html
Adobe implemented stricter controls for interpreting cross-domain policy files within the 9,0,124,0 release of Flash Player to address these types of attacks.
http://www.adobe.com/support/security/bulletins/apsb08-11.html http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_02.html
Also, Adobe Flash Player can recognize mime-types returned by the server. It is one of the choices that a developer has when specifying a meta-policy within the cross-domain policy file. Please see the "by-content-type" meta-policy option within the following article:
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_03.html
I also have identified an "issue" with Adobe's security model, one which I didn't find out until long after I'd released an open-source project which was unfortunately vulnerable to it.
I discuss that "vulnerability" here: http://www.flensed.com/fresh/2008/08/adobe-flash-player-security-hole/
In that blog posting, I identify the two main ways this security short-coming can cause problems for server admins and content authors. I also explain the code work-around that I put into my project (flXHR -- http://flxhr.flensed.com/ ) which addresses that hole.
After reading this article, I can say that my code work-around also effectively plugs the vulnerabilities described here, because it forces a text response, and it enforces a much stricter format on the file (namely that it must be XML well-formed).
While my code currently only applies my workaround policy checking algorithm in a specific subset of cases relevant to the hole I was addressing (where the page-domain and the swf-domain differ), I could quite easily remove that check and my code would effectively "plug" up a good portion of the vulnerabilities to the security file parsing as pointed out in this post.
Thanks for bringing this to light... it's very important and intriguing to examine.
http://www.80vul.com/flash/Flash-getURL-XSS-attacks.htm
The full Flash Player 10 security model is documented here: http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html
Adobe also announces upcoming and recent changes to the security model via the security section of the Adobe Developer Center: http://www.adobe.com/devnet/flashplayer/security.html