<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Snoop Security Researching Community &#187; FPI</title>
	<atom:link href="http://www.snoop-security.com/blog/index.php/tag/fpi/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.snoop-security.com/blog</link>
	<description></description>
	<lastBuildDate>Thu, 04 Mar 2010 08:06:30 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Flash Parameter Injection Analyzes</title>
		<link>http://www.snoop-security.com/blog/index.php/2009/12/flash-parameter-injection-analyzes/</link>
		<comments>http://www.snoop-security.com/blog/index.php/2009/12/flash-parameter-injection-analyzes/#comments</comments>
		<pubDate>Sat, 19 Dec 2009 18:25:19 +0000</pubDate>
		<dc:creator>Rout3rX</dc:creator>
				<category><![CDATA[Web Application]]></category>
		<category><![CDATA[CGI]]></category>
		<category><![CDATA[Flash Injection]]></category>
		<category><![CDATA[FlashVars Attributes]]></category>
		<category><![CDATA[FPI]]></category>
		<category><![CDATA[JS]]></category>
		<category><![CDATA[PDNF]]></category>
		<category><![CDATA[PFPI]]></category>
		<category><![CDATA[SWF]]></category>
		<category><![CDATA[Webapp]]></category>
		<category><![CDATA[Xss]]></category>

		<guid isPermaLink="false">http://www.snoop-security.com/blog/?p=106</guid>
		<description><![CDATA[Hi all web app specialists
In this first &#38; last cooperation post I decided to discuss flash (SWF) attacks. Yes, we know these topics may be considered closed and no new incidents have occurred, but my experience proved it&#8217;s too important in web app pen testing discussions. After all it is so [...]]]></description>
			<content:encoded><![CDATA[<p>Hi all web app specialists</p>
<p>In this first &amp; last cooperation post I decided to discuss flash (SWF) attacks. Yes, we know these topics may be considered closed and no new incidents have occurred, but my experience proved it&#8217;s too important in web app pen testing discussions. After all, it is interesting that a flash object speaking AMF over SOAP, or a logo in the corner of a website, can end up letting someone inject a parameter or run a script on the server. Step by step we will go through these attacks and their variants, which differ only in small details. The following picture shows the idea and how flash apps work.</p>
<div class="wp-caption alignnone" style="width: 392px"><img title="Process of Compiling Flash in Browser" src="http://s3v3n.persiangig.com/flash.jpg" alt="" width="382" height="287" /><p class="wp-caption-text">Process of Compiling Flash in Browser</p></div>
<p>SWF objects can be loaded and executed directly from the location bar or from an &lt;IFRAME&gt; or &lt;FRAME&gt; tag. When we build a banner in Flash MX or another third-party tool, we use ActionScript to insert objects such as buttons or image maps into the project. Like any other scripting language it may have vulnerabilities or weaknesses: ActionScript (AS) is based on ECMAScript (as JavaScript is) and sometimes handles multimedia natively. We can also use Shared Objects (explained at the end of this post), which are designed to store data like cookies do, but with more capacity. Flash applications accept input parameters in the following ways:</p>
<p>1: URL query string [GET], e.g.:</p>
<pre>/FlashMovie.swf?p1=[value]&amp;p2=[value]</pre>
<p>2: The well-known FlashVars attribute, e.g.:</p>
<pre>&lt;param name="FlashVars" value="p1=[value]&amp;p2=[value]"&gt;</pre>
<p>Consider this example:</p>
<pre>if (_root.snoop == undefined) {
_root.snoop = 0; // Default value
}</pre>
<p>In the simple script above (a pattern you will see often when researching this kind of attack), every variable is an object, and every movie can access the main timeline through the _root object when the security policy allows it; variables placed there are global and reachable by name. Because snoop is only assigned its default of 0 when it is still undefined, a value supplied from outside (query string or FlashVars) is accepted instead. So, just as with HTTP Parameter Pollution from Stefano Di Paola, we can set it ourselves:</p>
<pre>http://vulnerable.com/vulnFlash.swf?<strong>snoop=[everything]</strong></pre>
<p>With this method the attack is direct: the weak check accepts whatever value the attacker supplies. The next simple method uses the FlashVars attribute (sometimes an internal XML) inside the object tag. See the following example:</p>
<pre>&lt;body&gt;
&lt;object data="FlashMovie.swf"
<strong>flashvars="p1=[value]&amp;p2=[value]" </strong>width="200" height="400"&gt;
&lt;/object&gt;
&lt;/body&gt;</pre>
<p>Or</p>
<pre>&lt;OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://macromedia.com/cabs/swflash.cab#version=6,0,0,0"
ID=flaMovie WIDTH=250 HEIGHT=250&gt;
&lt;PARAM NAME="movie" VALUE="flaMovie.swf"&gt;
&lt;PARAM NAME="FlashVars" VALUE="<strong>userName=permadi</strong>&amp;<strong>score=80</strong>"&gt;
&lt;PARAM NAME="quality" VALUE=medium&gt;
&lt;PARAM NAME="bgcolor" VALUE=#99CC33&gt;
&lt;EMBED src="flaMovie.swf"
FlashVars="<strong>userName=permadi</strong>&amp;<strong>score=80</strong>"
quality=medium bgcolor=#99CC33 WIDTH=250 HEIGHT=250
TYPE="application/x-shockwave-flash"&gt;
&lt;/EMBED&gt;
&lt;/OBJECT&gt;</pre>
<p>By definition, FlashVars is the Flash answer to query strings. The data passed through FlashVars is usually simple: a user name, a cookie value, file names and so on. This is important: anything like a password should never be passed via FlashVars, because FlashVars are visible in the page source in your browser. As I said, when you can enumerate the flash movie name or the global variables a web app uses, it is fair to say the website is vulnerable to flash parameter injection. For the FlashVars injection discussion, look at the following CGI script, which sets the width &amp; height attributes dynamically.</p>
<pre>#!/usr/bin/perl
use strict;
use CGI;
# width and height are taken straight from the query string
my %params = CGI-&gt;new-&gt;Vars;
print "Content-Type: text/html\n\n";
# flash movie
print '&lt;object ' .
'data="FlashMovie.swf" ' .
'width="' . $params{width} .
'" height="' . $params{height} .
'"&gt;&lt;/object&gt;';
#..........</pre>
<p>In this script the width and height parameters are written into the HTML output without any sanitization. So if we craft a URL like:</p>
<pre>http://URL/myMovie.cgi?width=100&amp;height=200"FlashVars="Global_Variable=[evil parameters]</pre>
<p>the injected attribute lands in the page and your web app goes boom. I forgot to mention: if you want to see a flash movie's internal structure, it is easy to download the SWF file and decompile it with software like Flasm (which you may know from WAHH), SWFmill or Flare, or to scan it for vulnerabilities directly with SWFScan from HP.</p>
<p>As I mentioned briefly before, shared objects are sometimes referred to as flash cookies. Below is an example of storing data:</p>
<pre>// A New shared object
mySharedObject = SharedObject.getLocal("sharedObjectName");
// Storing data
mySharedObject.data.name = "jsmith";
mySharedObject.data.homepage = "http://demo.testfire.net";
// Flush
mySharedObject.flush();</pre>
<p>And here is a snippet that loads data from a shared object:</p>
<pre>// a new shared object or read an existing one
mySharedObject = SharedObject.getLocal("sharedObjectName");
// Check whether variable name exists
if (mySharedObject.data.name == null)
{
// Shared object doesn't exist
}
else
{
// Read the name
name = mySharedObject.data.name;
// Read the homepage
homepage = mySharedObject.data.homepage;
}</pre>
<p>Okay, sometimes a piece of code contains a PDNF (potentially dangerous native function) and also saves the data entered by the user so that it is reused in the future; this vulnerability is called persistent Flash parameter injection (PFPI). Here is code vulnerable to PFPI:</p>
<pre>// Create a new shared object or read an existing one
mySharedObject = SharedObject.getLocal("flashToLoad");
if (_root.flashfile == undefined)
{
// Check whether there is a shared object saved
if (mySharedObject.data.flash == null)
{
// Set a default value
_root.flashfile = "defaultFlash.swf";
}
else
{
// Read the flash file to load from the shared object
_root.flashfile = mySharedObject.data.flash;
}
}
// Store the flash file's name in the shared object
mySharedObject.data.flash = _root.flashfile;
// Load the flash file
getURL(_root.flashfile);</pre>
<p>Now, in this flash file, _root.flashfile only receives its default of &#8220;defaultFlash.swf&#8221; when it is undefined; any value supplied instead is stored in the shared object and later handed to the PDNF getURL, which causes PFPI, e.g.:</p>
<pre>flashfile=javascript:alert(document.domain)</pre>
<p>Thanks for your patience in reading this obfuscated paperwork. This writing was the fruit of some PPTs and PDFs. If my English is poor and bad, please accept it; this isn't my primary language. Anyway, if you find any mistake, comment or email me.</p>
<p>[Alireza]Rout3rx__</p>
<p>Resources:</p>
<ul>
<li>FPI article from IBM, September 2008</li>
<li>Testing Flash Applications, Stefano Di Paola, May 2007</li>
<li>Finding Vulnerabilities in Flash Applications, Stefano Di Paola, November 2007</li>
<li>OWASP, the big brother that is always with me</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.snoop-security.com/blog/index.php/2009/12/flash-parameter-injection-analyzes/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>
