|
WebApp Sec
mailing list archives
RE: Crawl And interpret Flash files redux
From: "arian.evans" <arian.evans () anachronic com>
Date: Tue, 21 Feb 2006 17:15:58 -0600
Thanks, a friend hooked me up with flasm right after
I sent the list request. :) I created some SWFs that
handle URLs in different ways, but the default way
(which I thought all the tools would parse) is to
pass in relative URLs through initialization variables.
Pure text, relative paths, pretty simple, but no auto
webappsec tool I can find parses this correctly. I'll
publish the SWFs & XSS generator pages after our BlackHat
demo, and get that into SiteGenerator templates as well.
In the meantime, here are some Flash/SWF resources if
anyone else wants to create/test parsing these type
of files:
http://www.osflash.org/projectsetup
http://www.mtasc.org/
http://potapenko.com/flashout/
http://flasm.sourceforge.net/
For Eclipse, Action Script Development Tool:
ASDT now has an update site that be used in the Software Configuration
Manager in Eclipse. This make it easier to update the plugin because Eclipse
can handle the download/install for you and let you know if a new version is
available. To set up the update site, use the following steps:
* Open the Help menu, and select Software Updates -> Find and Install
* Select "Search for new features to install" and select Next
* Click the "New Remote Site" button. Use "ASDT" as the name, and
"http://aseclipseplugin.sourceforge.net/updates/"; as the URL (minus the
quotes, of course)
* Expand the ASDT node that was added to the tree, and select
Actionscript Development Tool
-ae
"See? That was nothing. But that's how it always begins. Very small." -Egg
Shen
-----Original Message-----
From: dp [mailto:diopollon () gmail com]
Sent: Monday, February 20, 2006 4:02 AM
To: arian.evans () anachronic com
Cc: webappsec () securityfocus com
Subject: Re: Crawl And interpret Flash files redux
Arian,
could be useful to use flasm ... http://flasm.sourceforge.net
arian.evans wrote:
Does anyone know of a good flash parsing/extraction
utilities for manual swf analysis?
I too am having a real problem finding something that
actually does this effectively. (besides, you know,
the eyeball/hand/mouse widget set)
-ae
-----Original Message-----
From: arian.evans [mailto:arian.evans () anachronic com]
Sent: Wednesday, February 15, 2006 8:26 AM
To: lists () dawes za net; webappsec () securityfocus com
Subject: RE: Crawl And interpret Flash files
-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: Wednesday, February 15, 2006 6:21 AM
tester () mytrashmail com wrote:
Hi,
I'm looking for a way to auto Crawl And interpret Flash
files i'm writing a crawler that should support this
AFAIK, Metis has/had a flash parser in its spider library.
Rogan
Thanks, I was curious how this was done.
fwiw// I've been testing all the commercial scanners again
and since most of them list "flash" as a bullet point, I made
a couple of SWF files to represent varying complexity of
vector-based navigation (from completely flat w/links to
several layers of rendering).
I can't find a single webappsec tool that automatically
extracts the links and navigates SWFs properly, if at all.
This could *entirely* be the result of my having improperly
designed SWFs, since I won't claim to know what I am doing
with the format.
I will be releasing everything to the public for scrutiny,
-ae
--------------------------------------------------------------
-----------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with
real-world
examples of recent hacking methods such as: SQL Injection,
Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=7013
00000003gRl
--------------------------------------------------------------
------------
--------------------------------------------------------------
-----------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection,
Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=7013
00000003gRl
--------------------------------------------------------------
------------
--------------------------------------------------------------
-----------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=7013
00000003gRl
--------------------------------------------------------------
------------
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
