WebApp Sec mailing list archives
Sample XSS and Flash Web App
From: "arian.evans" <arian.evans () anachronic com>
Date: Thu, 1 Jun 2006 11:37:57 -0500
============================================================
FlashNavXSSGen 1.0 Final Release
============================================================

1. Who in the world?

I cobbled several different sample applications together for testing some of the various tools that claim to test web applications for that elusive quality known as security. We tested many tools, and many pieces of software; I myself spent literally hundreds of hours across 4+ months building a lab and testing, and never, ever, ever, want to do this again.

Over the course of the summer I'll be releasing some apps, some advisories on existing software, and hopefully the scan tool vendors will be updating/upgrading their products to enhance detection abilities soon (some already have!).

---

2. Where in the world is Waldo?

FlashNavXSSGen is a synthetic app, which really should be a module in SiteGenerator for someone who has the time:

http://www.anachronic.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=5

(you have to be smarter than the browser & use >Save As>)

The Readme.20060531.txt has simple instructions.

Please note thanks for contributions & ideas to: Daniel Thompson, Jake Reynolds, Jeremiah Grossman, Mark Belles, and probably a lot of other folks too.

---

3. What in the world are you talking about?

There are two parts to this: Flash navigation and a mix of static and dynamic pages. These are items I wanted to test since the automated scan vendors had bullet points claiming the abilities...even some of the network scanners:

+ Navigate SWF files
+ Find the hidden, trivial XSS my grandmother can execute
+ Identify patterns in page naming and brute force/increment/decrement

---

4. Who-oh, savior of the universe:

Flash: There are four main ways to pass nav in a SWF:

(1) hard coded within the SWF
(2) passed in as an initialization variable
(3) referenced in an XML config file
(4) called from another SWF.

I picked option #2 for my SWFs.
I know nothing about SWF other than reading the specification and the Eclipse plugins, talking to some folks in the community (thanks!) and my friend Daniel Thompson (good luck moving to hippy Seattle!). While it would be useful information, I am unsure what the most "common" way of making SWF file nav is....

---

5. XSStastic!: A theme park for all ages

XSS1: So I can't yet tell you which vendor's code this sample app is mocking. By "mocking" in this case I mean both mimic and poke fun at. However, early on I was ready to lambaste the commercial warez these issues exist in, until we discovered that NOT ONE scanning tool could IDENTIFY this very simple, trivial, non-encoded XSS that exists IN THE REAL WORLD. Another lesson as to why one benefits from adding human eyeballs to your efforts. </false_sense_of_security>

XSS2: A colleague of mine, Jake Reynolds, once asked me why you could create arbitrary parameters in ASP classic web apps and have them persist (lacking a persistence mechanism like .NET provides). He had found this behavior in a commercial software package from a vendor who sells "security" widgets. This ties back into our GET/POST debate on these very lists. You see, going into code, it became obvious that a lazy way of "persisting" user supplied data is to iterate the entire session object and dump the whole thing into hidden form fields. Which means you can convert POSTs to GETs, and means in many cases you now have script injection attack vectors. Not to mention god knows what other issues, depending on how those strings are later used, or what they are parsed by.

---

6. Brute Force Fuzzing/E-Or-ing/Pattern Matching/Inference

Page Naming/Pattern matching: none of the automated tools did anything interesting here (but I wasn't expecting them to either).
I wanted to sort through some ideas on how to analyze this, and those darn Sensepost guys beat me to the punch and are releasing at BlackHat Vegas this year what I had in mind to analyze these sorts of things (or so it appears from their pre-release information). Darn them.

The results of much of the work will be in the new Hacking Exposed Web Apps book coming out soon, and the rest will be in the next OWASP Tools guide by yours truly, the first actual non-PPT document, and probably my last stab at this. It took way too much effort, I found some ridiculous bugs, and I was constantly targeted for "free pen tests" by folks here in the USA I cannot identify unless I choose to prosecute, which doesn't interest me, since the attacks look like people tuning automated tools. Annoying, costly, unprofessional, but not worth prosecuting. Yet. (I've passed my $100 restore threshold, whomever you are(s))

---

7. Email me questions, comments, confusions, and feedback.

If it's useful, let me know. This stuff helps me learn a lot, but if no one else cares, I can reduce list spam by 42% by not sending this sort of stuff out. :)

Arian J. Evans
+1.913.378.3571 [mobile]

"See? That was nothing. But that's how it always begins. Very small." -Egg Shen
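The XSS2 pattern above (copying the whole session object into hidden form fields, after the app has stored arbitrary query-string parameters into that session) as an added illustration, not code from the post or from any product it mocks. The session contents, the query string and the helper names are constructed for this example; the original was classic ASP, and this is a Node.js model of the same rendering logic, vulnerable form beside a hardened one.

```javascript
// Model of the classic-ASP behaviour the post describes: every request
// parameter (GET or POST alike) is stored into the session, so a parameter
// name the application never defined "persists" across requests.
function storeQueryIntoSession(session, queryString) {
  const params = new URLSearchParams(queryString);
  for (const [k, v] of params) session[k] = v;
  return session;
}

// Vulnerable: the entire session is dumped verbatim into hidden inputs, so
// any user-controlled value is reflected unescaped into HTML. This is also
// what turns a POST-only workflow into a GET-reachable one: whatever arrived
// on the query string is re-emitted as form state.
function renderHiddenFieldsVulnerable(session) {
  return Object.entries(session)
    .map(([k, v]) => `<input type="hidden" name="${k}" value="${v}">`)
    .join("\n");
}

// Minimal HTML escaper for text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: only an explicit allowlist of field names is persisted, names
// must match a strict identifier pattern, and values are HTML-escaped.
function renderHiddenFieldsHardened(session, allowedFields) {
  return allowedFields
    .filter((k) => Object.prototype.hasOwnProperty.call(session, k))
    .filter((k) => /^[A-Za-z][A-Za-z0-9_]{0,31}$/.test(k))
    .map((k) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(session[k])}">`)
    .join("\n");
}

// Detection helper: does raw markup survive into the rendered page?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a legitimate session plus one attacker-chosen parameter
// carrying the classic non-encoded XSS probe the post talks about.
const sampleSession = storeQueryIntoSession(
  { userId: "1042", lang: "en" },
  'page=2&evil="><script>alert(1)</script>'
);
```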