Dailydave mailing list archives

From: Dave Aitel <dave () immunityinc com>
Date: Thu, 13 Nov 2008 18:19:27 -0500

Some web sites are secure. It's annoying, but it's the way it is with
modern libraries and web application packs.  However, even on web
sites that are fundamentally strong, sometimes the random third-party
things they use interact with a web browser in a way they can't hope
to inspect. Flash is a key example.

Although it's not mentioned anywhere clearly that I can see, IE and
Firefox treat SWF files somewhat differently. If you browse to
http://www.example.com/bob.swf?a=b in IE, it will render it. If you do
the same in Firefox, it will download the swf file. People make
oblique comments about IFrames being able to force Firefox to behave
like IE, but I don't think it works.

IE behaving like this makes some poorly coded Flash (ActionScript 2)
movies vulnerable to cross-site scripting. Lots of web sites provide
Flash movies as "Demos" of their product. To the web developer, these
are just images they serve up. To the hacker, they're full-blown
applications to decompile (thanks flare!) and attack. SWFIntruder,
while very good work, is not a magic button to get your XSS found and
fixed, fortunately for those of us in the assessment business this
week. :>

So even when your website itself is completely secure, the interaction
between your website and the browser is often not, which is a funny
thing. This is one of the things that was discussed during the panel
(we tried to make it fun!) in Chicago last week but it's good to see
it in practice.

-dave
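A defender-side inventory step for the point made in the message, added here and not part of the original post: it reads the SWF header and the FileAttributes tag to tell which movies a site serves are ActionScript 2, and so are applications worth a manual review rather than "just images". The function names and the sample bytes are constructed for illustration; only FWS and zlib-compressed CWS files are handled.

```python
import struct
import zlib

def _skip_rect(body):
    # RECT frame size: 5-bit field width, then four fields of that width, byte aligned
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8

def classify_swf(data):
    """Return (version, 'AS2' or 'AS3') for raw SWF bytes; ValueError if not a SWF."""
    if len(data) < 9 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    version = data[3]
    # Everything after the 8-byte header is zlib-compressed in a CWS file
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    pos = _skip_rect(body) + 4          # frame size, then frame rate + frame count
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:              # long tag header: 32-bit length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if code == 69 and length >= 1 and pos < len(body):   # FileAttributes
            return version, "AS3" if body[pos] & 0x08 else "AS2"
        if code == 0:                   # End tag
            break
        pos += length
    return version, "AS2"               # no FileAttributes tag: pre-AS3 movie

def _make_swf(version, tags, compress=False):
    # Constructed sample builder: empty RECT (1 byte), 12 fps, 1 frame, tags, End tag
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tags + b"\x00\x00"
    head = (b"CWS" if compress else b"FWS") + bytes([version])
    head += struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compress else body)

def _file_attributes(flags):
    return struct.pack("<H", (69 << 6) | 4) + bytes([flags, 0, 0, 0])

# Constructed samples standing in for files found under a web root
SAMPLES = {
    "intro_v6.swf": _make_swf(6, struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"),
    "demo_v8.swf": _make_swf(8, _file_attributes(0x00)),
    "player_v9.swf": _make_swf(9, _file_attributes(0x08), compress=True),
}

def as2_movies(files):
    """Names of movies that are ActionScript 2 and should be queued for review."""
    return sorted(n for n, d in files.items() if classify_swf(d)[1] == "AS2")
```
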

Current thread:
  • Flashy. Dave Aitel (Nov 13)