
| Subject: | Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash" |
|---|---|
| Date: | Thu, 27 Jul 2006 07:52:04 +0200 |

On 26 Jul 2006 at 22:43, 3CO wrote:

> FYI Flash9 added a new property for object and embed tags to prevent this technique from being used: "allowNetworking": http://livedocs.macromedia.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001590.html That page doesn't explicitly list LoadVars as being disallowed, but I just tested, and it is true.

The way I understand that help page, allowNetworking is part of the OBJECT/EMBED tag. Now, keep in mind that in the attack vectors described in my paper, the victim user/browser visits a malicious site (e.g. by clicking a malicious link), so the way Flash is invoked is completely controlled by the attacker (either the attacker provides the Flash object directly, by a link ending with ".swf", or the attacker provides a link to an HTML page containing an OBJECT/EMBED tag). And the attacker would surely not include the allowNetworking attribute in his/her page ;-)

> For instance, Myspace has added that to all embed tags to prevent fun from occurring.

That's a different story. MySpace faces a much more complex situation, wherein the attacker may very well be a user in MySpace allowed to upload HTML pages and Flash objects/links to MySpace. In MySpace's context, allowNetworking may be more relevant.

> Great paper though (as usual); thanks.

Thanks for reading :-)

-Amit
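
The hosting-site case discussed above, as an added example that is not part of the original post: a site that serves member-supplied HTML can pin allowNetworking on every embed/object tag before the markup reaches a visitor's browser. The function name, the `internal` policy value and the behaviour for non-Flash markup are assumptions; the code enforces only this one setting and is not a complete HTML sanitizer.

```python
from html import escape
from html.parser import HTMLParser

POLICY = "internal"  # assumed site policy; Flash Player 9 also accepts "all" and "none"

class _Pinner(HTMLParser):
    """Re-emit markup with allowNetworking pinned; comments and doctypes are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def _emit(self, tag, attrs, close=""):
        parts = [tag] + [n if v is None else f'{n}="{escape(v)}"' for n, v in attrs]
        self.out.append("<" + " ".join(parts) + close + ">")

    def handle_starttag(self, tag, attrs, close=""):
        # HTMLParser lowercases tag and attribute names, so case variants are caught.
        if tag == "param" and any(
                n == "name" and (v or "").lower() == "allownetworking" for n, v in attrs):
            return  # drop the uploader's own setting; the site's param is injected below
        if tag == "embed":
            attrs = [(n, v) for n, v in attrs if n != "allownetworking"]
            attrs.append(("allowNetworking", POLICY))
        self._emit(tag, attrs, close)
        if tag == "object":
            self._emit("param", [("name", "allowNetworking"), ("value", POLICY)])

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, close=" /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def pin_allow_networking(member_html):
    """Return member-supplied HTML with the site's allowNetworking policy enforced."""
    parser = _Pinner()
    parser.feed(member_html)
    parser.close()
    return "".join(parser.out)
```

As the reply points out, this only helps when the site controls the page that embeds the Flash object; it does nothing for a page hosted by the attacker.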