RE: Crawl And interpret Flash files redux

Thanks, a friend hooked me up with flasm right after
I sent the list request. :) I created some SWFs that
handle URLs in different ways, but the default way
(which I thought all the tools would parse) is to
pass in relative URLs through initialization variables.

Pure text, relative paths, pretty simple, but no auto
webappsec tool I can find parses this correctly. I'll
publish the SWFs & XSS generator pages after our BlackHat
demo, and get that into SiteGenerator templates as well.

In the meantime, here are some Flash/SWF resources if
anyone else wants to create/test parsing these type
of files:

http://www.osflash.org/projectsetup
http://www.mtasc.org/
http://potapenko.com/flashout/
http://flasm.sourceforge.net/

For Eclipse, Action Script Development Tool:

ASDT now has an update site that be used in the Software Configuration
Manager in Eclipse. This make it easier to update the plugin because Eclipse
can handle the download/install for you and let you know if a new version is
available. To set up the update site, use the following steps:

    * Open the Help menu, and select Software Updates -> Find and Install
    * Select "Search for new features to install" and select Next
    * Click the "New Remote Site" button. Use "ASDT" as the name, and
"http://aseclipseplugin.sourceforge.net/updates/"; as the URL (minus the
quotes, of course)
    * Expand the ASDT node that was added to the tree, and select
Actionscript Development Tool

-ae

"See? That was nothing. But that's how it always begins. Very small." -Egg
Shen




> -----Original Message-----
> From: dp [mailto:diopollon@gmail.com] 
> Sent: Monday, February 20, 2006 4:02 AM
> To: arian.evans@anachronic.com
> Cc: webappsec@securityfocus.com
> Subject: Re: Crawl And interpret Flash files redux
>
> Arian,
> could be useful to use flasm ...  http://flasm.sourceforge.net
>
> arian.evans wrote:
> > Does anyone know of a good flash parsing/extraction
> > utilities for manual swf analysis?
> >
> > I too am having a real problem finding something that
> > actually does this effectively. (besides, you know,
> > the eyeball/hand/mouse widget set)
> >
> > -ae
> >
> > > -----Original Message-----
> > > From: arian.evans [mailto:arian.evans@anachronic.com] 
> > > Sent: Wednesday, February 15, 2006 8:26 AM
> > > To: lists@dawes.za.net; webappsec@securityfocus.com
> > > Subject: RE: Crawl And interpret Flash files
> > >
> > >  
> > > > -----Original Message-----
> > > > From: Rogan Dawes [mailto:discard@dawes.za.net] 
> > > > Sent: Wednesday, February 15, 2006 6:21 AM
> > > >
> > > > tester@mytrashmail.com wrote:
> > > > > Hi, 
> > > > >
> > > > > I'm looking for a way to auto Crawl And interpret Flash 
> > > > files i'm writing a crawler that should support this 
> > > >
> > > > AFAIK, Metis has/had a flash parser in its spider library.
> > > >
> > > > Rogan
> > > Thanks, I was curious how this was done.
> > >
> > > fwiw// I've been testing all the commercial scanners again
> > > and since most of them list "flash" as a bullet point, I made
> > > a couple of SWF files to represent varying complexity of
> > > vector-based navigation (from completely flat w/links to
> > > several layers of rendering).
> > >
> > > I can't find a single webappsec tool that automatically
> > > extracts the links and navigates SWFs properly, if at all.
> > >
> > > This could *entirely* be the result of my having improperly
> > > designed SWFs, since I won't claim to know what I am doing
> > > with the format.
> > >
> > > I will be releasing everything to the public for scrutiny,
> > >
> > > -ae
> > >
> > >
> > >
> > >
> > >
> > > --------------------------------------------------------------
> > > -----------
> > > This List Sponsored by: SpiDynamics
> > >
> > > ALERT: "How A Hacker Launches A Web Application Attack!" 
> > > Step-by-Step - SPI Dynamics White Paper
> > > Learn how to defend against Web Application Attacks with 
> real-world 
> > > examples of recent hacking methods such as: SQL Injection, 
> Cross Site 
> > > Scripting and Parameter Manipulation
> > >
> > > https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=7013
> > > 00000003gRl
> > > --------------------------------------------------------------
> > > ------------
> --------------------------------------------------------------
> -----------
> > This List Sponsored by: SpiDynamics
> >
> > ALERT: "How A Hacker Launches A Web Application Attack!" 
> > Step-by-Step - SPI Dynamics White Paper
> > Learn how to defend against Web Application Attacks with real-world 
> > examples of recent hacking methods such as: SQL Injection, 
> Cross Site 
> > Scripting and Parameter Manipulation
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=7013
00000003gRl
> >
> --------------------------------------------------------------
> ------------
> >
>
>
> --------------------------------------------------------------
> -----------
> This List Sponsored by: SpiDynamics
>
> ALERT: "How A Hacker Launches A Web Application Attack!" 
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks with real-world 
> examples of recent hacking methods such as: SQL Injection, Cross Site 
> Scripting and Parameter Manipulation
>
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=7013
00000003gRl
> --------------------------------------------------------------
> ------------


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------