1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
197 198<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Cross-Site Flashing<br />
Cross-Site Flashing (XSF) is a vulnerability which has a similar impact<br />
as XSS.<br />
XSF Occurs when from different domains:<br />
• One Movie loads another Movie with loadMovie* functions or other<br />
hacks and has access to the same sandbox or part of it<br />
• XSF could also occurs when an HTML page uses JavaScript to command<br />
an Adobe Flash movie, for example, by calling:<br />
• GetVariable: access to flash public and static object from JavaScript<br />
as a string.<br />
• SetVariable: set a static or public flash object to a new string value<br />
from JavaScript.<br />
• Unexpected Browser to SWF communication could result in stealing<br />
data from the SWF application.<br />
It could be performed by forcing a flawed SWF to load an external<br />
evil flash file. This attack could result in XSS or in the modification<br />
of the GUI in order to fool a user to insert credentials on a fake flash<br />
form. XSF could be used in the presence of Flash HTML Injection or<br />
external SWF files when loadMovie* methods are used.<br />
Open redirectors<br />
SWFs have the capability to navigate the browser. If the SWF takes<br />
the destination in as a FlashVar, then the SWF may be used as an<br />
open redirector. An open redirector is any piece of website functionality<br />
on a trusted website that an attacker can use to redirect the<br />
end-user to a malicious website. These are frequently used within<br />
phishing attacks. Similar to cross-site scripting, the attack involves a<br />
user clicking on a malicious link.<br />
In the Flash case, the malicious URL might look like:<br />
http:/trusted.example.org/trusted.swf?getURLValue=http:/<br />
www.evil-spoofing-website.org/phishEndUsers.html<br />
In the above example, an end-user might see the URL begins with<br />
their favorite trusted website and click on it. The link would load the<br />
trusted SWF which takes the getURLValue and provides it to an ActionScript<br />
browser navigation call:<br />
getURL(_root.getURLValue,”_self”);<br />
This would navigate the browser to the malicious URL provided by<br />
the attacker. At this point, the phisher has successfully leveraged the<br />
trusted the user has in trusted.example.org to trick the user into their<br />
malicious website. From their, they could launch a 0-day, conduct<br />
spoofing of the original website, or any other type of attack. SWFs<br />
may unintentionally be acting as an open-redirector on the website.<br />
Developers should avoid taking full URLs as FlashVars. If they only<br />
plan to navigate within their own website, then they should use relative<br />
URLs or verify that the URL begins with a trusted domain and<br />
protocol.<br />
Attacks and Flash Player Version<br />
Since May 2007, three new versions of Flash player were released by<br />
Adobe. Every new version restricts some of the attacks previously<br />
described.<br />
Attack<br />
Player Version<br />
v9.0 r47/48<br />
v9.0 r115<br />
v9.0 r124<br />
asfunction<br />
Yes<br />
No<br />
No<br />
ExternalInterface<br />
Yes<br />
Yes<br />
Yes<br />
Result Expected:<br />
Cross-Site Scripting and Cross-Site Flashing are the expected results<br />
on a flawed SWF file.<br />
Tools<br />
• Adobe SWF Investigator: http://labs.adobe.com/technologies/<br />
swfinvestigator/<br />
• SWFScan: http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/bap/5440167<br />
• SWFIntruder: https://www.owasp.org/index.php/Category:SWFIntruder<br />
• Decompiler – Flare: http://www.nowrap.de/flare.html<br />
• Compiler – MTASC: http://www.mtasc.org/<br />
GetURL<br />
Yes<br />
Yes<br />
Yes<br />
• Disassembler – Flasm: http://flasm.sourceforge.net/<br />
Html Injection<br />
Yes<br />
Yes<br />
Partially<br />
• Swfmill – Convert Swf to XML and vice versa: http://swfmill.org/<br />
• Debugger Version of Flash Plugin/Player: http://www.adobe.com/<br />
support/flash/downloads.html<br />
References<br />
OWASP<br />
• OWASP Flash Security Project: The OWASP Flash Security project<br />
has even more references than what is listed below: http://www.<br />
owasp.org/index.php/Category:OWASP_Flash_Security_Project<br />
Whitepapers<br />
• Testing Flash Applications: A new attack vector for XSS and<br />
XSFlashing: http://www.owasp.org/images/8/8c/OWASPAppSec-<br />
2007Milan_TestingFlashApplications.ppt<br />
• Finding Vulnerabilities in Flash Applications: http://www.owasp.<br />
org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt<br />
• Adobe security updates with Flash Player 9,0,124,0 to reduce<br />
cross-site attacks: http://www.adobe.com/devnet/flashplayer/<br />
articles/flash_player9_security_update.html<br />
• Securing SWF Applications: http://www.adobe.com/devnet/<br />
flashplayer/articles/secure_swf_apps.html<br />
• The Flash Player Development Center Security Section: http://<br />
www.adobe.com/devnet/flashplayer/security.html<br />
• The Flash Player 10.0 Security Whitepaper: http://www.adobe.<br />
com/devnet/flashplayer/articles/flash_player10_security_wp.html<br />
Testing for Clickjacking (OTG-CLIENT-009)<br />
Summary<br />
“Clickjacking” (which is a subset of the “UI redressing”) is a malicious<br />
technique that consists of deceiving a web user into interacting (in<br />
most cases by clicking) with something different to what the user<br />
believes they are interacting with. This type of attack, that can be<br />
used alone or in combination with other attacks, could potentially<br />
send unauthorized commands or reveal confidential information<br />
while the victim is interacting on seemingly harmless web pages.<br />
The term “Clickjacking” was coined by Jeremiah Grossman and Robert<br />
Hansen in 2008.<br />
A Clickjacking attack uses seemingly innocuous features of HTML<br />
and Javascript to force the victim to perform undesired actions, such<br />
as clicking on a button that appears to perform another operation.<br />
This is a “client side” security issue that affects a variety of browsers<br />
and platforms.<br />
To carry out this type of technique the attacker has to create a seemingly<br />
harmless web page that loads the target application through<br />
the use of an iframe (suitably concealed through the use of CSS<br />
code). Once this is done, the attacker could induce the victim to interact<br />
with his fictitious web page by other means (like for example<br />
social engineering). Like others attacks, an usual prerequisite is that<br />
the victim is authenticated against the attacker’s target website.<br />
Once the victim is surfing on the fictitious web page, he thinks that<br />
he is interacting with the visible user interface, but effectively he<br />
is performing actions on the hidden page. Since the hidden page is<br />
an authentic page, the attacker can deceive users into performing<br />
actions which they never intended to perform through an “ad hoc”<br />
positioning of the elements in the web page.<br />
The power of this method is due to the fact that the actions performed<br />
by the victim are originated from the authentic target web<br />
page (hidden but authentic). Consequently some of the anti-CSRF<br />
protections, that are deployed by the developers to protect the web<br />
page from CSRF attacks, could be bypassed.<br />
How to Test<br />
As mentioned above, this type of attack is often designed to allow<br />
an attacker site to induce user’s actions on the target site even if anti-CSRF<br />
tokens are being used. So it’s important, like for the CSRF<br />
attack, to individuate web pages of the target site that it take input<br />
from the user.<br />
We have to discover if the website that we are testing has no protections<br />
against clickjacking attacks or, if the developers have implemented<br />
some forms of protection, if these techniques are liable to<br />
bypass. Once we know that the website is vulnerable, we can create<br />
a “proof of concept” to exploit the vulnerability.<br />
The first step to discover if a website is vulnerable, is to check if the<br />
target web page could be loaded into an iframe. To do this you need<br />
to create a simple web page that includes a frame containing the<br />
target web page. The HTML code to create this testing web page is<br />
displayed in the following snippet:<br />
<br />
<br />
Clickjack test page<br />
<br />
<br />
Website is vulnerable to clickjacking!<br />
<br />
<br />
<br />
Result Expected: If you can see both the text “Website is vulnerable<br />
to clickjacking!” at the top of the page and your target web page<br />
successfully loaded into the frame, then your site is vulnerable and<br />
has no type of protection against Clickjacking attacks. Now you can<br />
directly create a “proof of concept” to demonstrate that an attacker<br />
could exploit this vulnerability.<br />
Bypass Clickjacking protection:<br />
In case in which you only see the target site or the text “Website is<br />
vulnerable to clickjacking!” but nothing in the iframe this mean that<br />
the target probably has some form of protection against clickjacking.<br />
It’s important to note that this isn’t a guarantee that the page is totally<br />
immune to clickjacking.<br />
Methods to protect a web page from clickjacking can be divided in<br />
two macro-categories:<br />
• Client side protection: Frame Busting<br />
• Server side protection: X-Frame-Options<br />
In some circumstances, every single type of defense could be bypassed.<br />
Following are presented the main methods of protection<br />
from these attacks and techniques to bypass them.