[WEB SECURITY] Sample XSS and Flash Web App

arian.evans arian.evans at anachronic.com
Thu Jun 1 12:37:57 EDT 2006

		FlashNavXSSGen 1.0 Final Release

1. Who in the world?

I cobbled several different sample applications together
for testing some of the various tools that claim to test
web applications for that elusive quality known as security.

We tested many tools, and many pieces of software; I myself
spent literally hundreds of hours across 4+ months building
a lab and testing, and never, ever, ever, want to do this again.

Over the course of the summer I'll be releasing some apps,
some advisories on existing software, and hopefully the scan
tool vendors will be updating/upgrading their products to
enhance detection abilities soon (some already have!).

2. Where in the world is Waldo?

FlashNavXSSGen is a synthetic app, which really should be
a module in SiteGenerator for someone who has the time:


(you have to be smarter than the browser & use >Save As>)

The Readme.20060531.txt has simple instructions. Please
note thanks for contributions & ideas to: Daniel Thompson,
Jake Reynolds, Jeremiah Grossman, Mark Belles, and probably
a lot of other folks too.

3. What in the world are you talking about?

There are two parts to this: Flash navigation and a mix
of static and dynamic pages. These are items I wanted to
test since the automated scan vendors had bullet points
claiming the abilities...even some of the network scanners:
+ Navigate SWF files
+ Find the hidden, trivial XSS my grandmother can execute
+ Identify patterns in page naming and brute force/increment/decrement

4. Who-oh, savior of the universe:

Flash: There are four main ways to pass nav in a SWF:
(1) hard coded within the SWF
(2) passed in as an initialization variable
(3) referenced in an XML config file
(4) called from another SWF.

I picked option #2 for my SWFs. I know nothing about SWF other
than reading the specification and the Eclipse plugins, talking
to some folks in the community (thanks!) and my friend Daniel
Thompson (good luck moving to hippy Seattle!). While it would be
useful information, I am unsure what the most "common" way of
making SWF file nav is....

5. XSStastic!: A theme park for all ages

XSS1: So I can't yet tell you which vendor's code this sample
app is mocking. By "mocking" in this case I mean both mimic
and poke fun at. However, early on I was ready to lambaste the
commercial warez these issues exist in, until we discovered
that NOT ONE scanning tool could IDENTIFY this very simple,
trivial, non-encoded XSS that exists IN THE REAL WORLD.

Another lesson as to why one benefits from adding human eyeballs
to your efforts. </false_sense_of_security>

XSS2: A colleague of mine, Jake Reynolds, once asked me why
you could create arbitrary parameters in ASP classic web apps
and have them persist (lacking a persistence mechanism like
.NET provides). He had found this behavior in a commercial
software package from a vendor who sells "security" widgets.

This ties back into our GET/POST debate on these very lists.
You see, going into code, it became obvious that a lazy way
of "persisting" user supplied data is to iterate the entire
session object and dump the whole thing into hidden form fields.
Which means you can convert POSTs to GETs, and means in many
cases you now have script injection attack vectors. Not to
mention god knows what other issues, depending on how those
strings are later used, or what they are parsed by.

6. Brute Force Fuzzing/E-Or-ing/Pattern Matching/Inference

Page Naming/Pattern matching: none of the automated tools
did anything interesting here (but wasn't expecting them
to either). I wanted to sort through some ideas on how to
analyze this, and those darn Sensepost guys beat me to the
punch and are releasing at BlackHat Vegas this year what
I had in mind to analyze these sorts of things (or so it
appears from their pre-release information). Darn them.

The results of much of the work will be in the new Hacking
Exposed Web Apps book coming out soon, and the rest will be
in the next OWASP Tools guide by yours truly, the first actual
non-PPT document, and probably my last stab at this.

It took way too much effort, I found some ridiculous bugs,
and I was constantly targeted for "free pen tests" by folks
here in the USA I cannot identify unless I chose to prosecute,
which doesn't interest me, since the attacks look like people
tuning automated tools.

Annoying, costly, unprofessional, but not worth prosecuting.

Yet. (I've passed my $100 restore threshold, whomever you are(s))

7. Email me questions, comments, confusions, and feedback.

If it's useful, let me know. This stuff helps me learn a lot,
but if no one else cares, I can reduce list spam by 42% by
not sending this sort of stuff out. :)

Arian J. Evans
+1.913.378.3571 [mobile]

"See? That was nothing. But that's how it always begins. Very small." -Egg

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list