WebApp Sec mailing list archives
RE: Crawl And interpret Flash files redux
From: "arian.evans" <arian.evans () anachronic com>
Date: Tue, 21 Feb 2006 17:15:58 -0600
Thanks, a friend hooked me up with flasm right after I sent the list request. :)

I created some SWFs that handle URLs in different ways, but the default way (which I thought all the tools would parse) is to pass in relative URLs through initialization variables. Pure text, relative paths, pretty simple, but no auto webappsec tool I can find parses this correctly.

I'll publish the SWFs & XSS generator pages after our BlackHat demo, and get that into SiteGenerator templates as well.

In the meantime, here are some Flash/SWF resources if anyone else wants to create/test parsing these types of files:

http://www.osflash.org/projectsetup
http://www.mtasc.org/
http://potapenko.com/flashout/
http://flasm.sourceforge.net/

For Eclipse, Action Script Development Tool: ASDT now has an update site that can be used in the Software Configuration Manager in Eclipse. This makes it easier to update the plugin because Eclipse can handle the download/install for you and let you know if a new version is available. To set up the update site, use the following steps:

* Open the Help menu, and select Software Updates -> Find and Install
* Select "Search for new features to install" and select Next
* Click the "New Remote Site" button. Use "ASDT" as the name, and "http://aseclipseplugin.sourceforge.net/updates/" as the URL (minus the quotes, of course)
* Expand the ASDT node that was added to the tree, and select Actionscript Development Tool

-ae

"See? That was nothing. But that's how it always begins. Very small." -Egg Shen
-----Original Message-----
From: dp [mailto:diopollon () gmail com]
Sent: Monday, February 20, 2006 4:02 AM
To: arian.evans () anachronic com
Cc: webappsec () securityfocus com
Subject: Re: Crawl And interpret Flash files redux

Arian, could be useful to use flasm ... http://flasm.sourceforge.net

arian.evans wrote:
Does anyone know of any good flash parsing/extraction utilities for manual swf analysis? I too am having a real problem finding something that actually does this effectively. (besides, you know, the eyeball/hand/mouse widget set)

-ae

-----Original Message-----
From: arian.evans [mailto:arian.evans () anachronic com]
Sent: Wednesday, February 15, 2006 8:26 AM
To: lists () dawes za net; webappsec () securityfocus com
Subject: RE: Crawl And interpret Flash files

-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: Wednesday, February 15, 2006 6:21 AM

tester () mytrashmail com wrote:
Hi, I'm looking for a way to auto Crawl And interpret Flash files. I'm writing a crawler that should support this.

AFAIK, Metis has/had a flash parser in its spider library.

Rogan

Thanks, I was curious how this was done.

fwiw// I've been testing all the commercial scanners again and since most of them list "flash" as a bullet point, I made a couple of SWF files to represent varying complexity of vector-based navigation (from completely flat w/links to several layers of rendering). I can't find a single webappsec tool that automatically extracts the links and navigates SWFs properly, if at all. This could *entirely* be the result of my having improperly designed SWFs, since I won't claim to know what I am doing with the format. I will be releasing everything to the public for scrutiny,

-ae

--------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
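One way to do the link extraction the thread is asking for, as an added example that is not part of the original posts or of flasm/MTASC: a minimal Python parser that reads the SWF container (FWS, or zlib-compressed CWS), walks the tag stream, and collects the string operands of the ActionScript 2 GetURL, ConstantPool and Push actions inside DoAction/DoInitAction tags. The tag and action codes are those of the SWF file format; the sample movie is constructed here for the demonstration and is not one of the SWFs mentioned in the thread.

```python
import struct, zlib
AS2_TAGS = {12: 0, 59: 2}   # DoAction, DoInitAction (a 2-byte sprite id precedes its actions)
PUSH_WIDTH = {1: 4, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}   # fixed-size ActionPush operand types

def tag_stream(swf):   # strip the 8-byte header, inflate a CWS body, skip RECT, frame rate, frame count
    if swf[:3] not in (b"FWS", b"CWS"):
        raise ValueError("unsupported SWF signature %r" % swf[:3])
    body = zlib.decompress(swf[8:]) if swf[:3] == b"CWS" else swf[8:]
    return body[(5 + 4 * (body[0] >> 3) + 7) // 8 + 4:]   # RECT is 5 + 4*Nbits bits, byte padded

def iter_tags(stream):   # (code, body) per RECORDHEADER; length 0x3F means an SI32 length follows
    pos = 0
    while pos + 2 <= len(stream):
        hdr = struct.unpack_from("<H", stream, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:
            length, pos = struct.unpack_from("<i", stream, pos)[0], pos + 4
        yield code, stream[pos:pos + length]
        pos += length

def action_strings(code, body):   # string operands of GetURL, ConstantPool and Push records
    pos, data = AS2_TAGS[code], b""
    while pos < len(body):
        op, pos = body[pos], pos + 1
        if op >= 0x80:                                  # only opcodes >= 0x80 carry a UI16 length + payload
            n = struct.unpack_from("<H", body, pos)[0]
            data, pos = body[pos + 2:pos + 2 + n], pos + 2 + n
        if op == 0x83:                                  # ActionGetURL: url\0 target\0
            yield data.split(b"\0")[0]
        elif op == 0x88:                                # ActionConstantPool: UI16 count, then strings
            yield from data[2:].split(b"\0")[:-1]
        elif op == 0x96:                                # ActionPush: (type byte, operand) pairs
            i = 0
            while i < len(data):
                t, i = data[i], i + 1
                if t == 0:                              # type 0 is a null-terminated string
                    yield data[i:data.index(b"\0", i)]
                i = data.index(b"\0", i) + 1 if t == 0 else i + PUSH_WIDTH.get(t, 0)

def extract_links(swf):   # unique path/URL-looking strings from the AS2 bytecode, in order found
    found = (s.decode("utf-8", "replace") for code, body in iter_tags(tag_stream(swf))
             if code in AS2_TAGS for s in action_strings(code, body))
    return list(dict.fromkeys(u for u in found if "/" in u or u.lower().endswith(".swf")))

def sample_swf(compressed):   # constructed test movie, not one of the SWFs from the thread
    geturl, push = b"/help.html\0_self\0", b"\0pages/menu.swf\0"   # GetURL operands; one pushed string
    acts = b"\x83" + struct.pack("<H", len(geturl)) + geturl + b"\x96" + struct.pack("<H", len(push)) + push + b"\0"
    tags = struct.pack("<H", (12 << 6) | len(acts)) + acts + struct.pack("<H", 1 << 6) + b"\0\0"   # DoAction, ShowFrame, End
    body = b"\0\x00\x0c\x01\x00" + tags                 # empty RECT, 12.0 fps, 1 frame
    hdr = (b"CWS" if compressed else b"FWS") + b"\x06" + struct.pack("<I", 8 + len(body))
    return hdr + (zlib.compress(body) if compressed else body)
```

URLs handed to the movie as initialization variables (for instance FlashVars on the object/embed tag) never appear in the SWF bytes at all, which is why a crawler also has to harvest them from the embedding page; ActionScript 3 bytecode (DoABC tags) is out of scope here.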