Insufficient input validation is a problem I encounter practically every time I test an application. I've talked about relying on input validation as a prevention mechanism before (see here and item #8 here) but since it's such a prevalent problem I figured I'd take the time to write about it once again. While a good supplemental control, by itself input validation is usually woefully inadequate. Quite frankly, it often requires much more effort to try and develop an input validation function that is considered comprehensive enough to use as a stand-alone control vs. using it in conjunction with other, more effective controls (such as output encoding, parameterized queries, etc.). I've seen some really creative input validation approaches, including very complex regex or other "clever" filtering approaches, most of which are designed to "outsmart" the attacker. The problem with this blacklist-style approach is that it must consider every possible permutation of input, and not surprisingly, it usually falls short.

The real-world example I am able to give today is a simple cross-domain validation flaw I found in one of PayPal's hosted flash files*. Although the resulting exploit was nothing to write home about, I think it once again highlights why input validation (especially client-side) is never a sufficient stand-alone control, especially when it comes to restricting cross-domain access of flash content.

In this particular case, I was conducting a little experiment on bug bounty programs and had shifted my attention to PayPal. I knew it was a big user of flash content so I figured I'd start by seeing what type of hosted. One of the files I came across was pp_demo_player.swf which played a demonstration video on some features of their Mastercard. The full path to the file was as follows (it has since been removed):

Notice the relative path to the *_config.xml file (more on this shortly). This definitely sparked my interest enough to warrant further investigation. I downloaded the .swf file and opened it in my flash decompiler of choice. While browsing the "scripts folder" I came across the "ApplicationFacade" script:

One of the nice features of JPEXS is the "Traits" window which provides a quick glimpse into the variables declared within a given script. The one that caught my eye was public static const ALLOWED_DOMAINS, an array of regular expressions intended to limit the domains from which flash media content can be loaded. The array has multiple regular expressions (each for a different, authorized domain) but all of them suffer from the same validation problem, so I'll only list one of them below.

public static const ALLOWED_DOMAINS:Array = +:)?/

But where is this "XML config" file that dictates which video will be loaded (and which URL will be passed to the validation function)? For that we have to return to the *_config.xml file referenced in the original URL:

The downloaded config file contained the following:

Note the chapter file attribute identifies the .flv video that is supposed to be loaded, which I'll change to another video of my choosing. Since PayPal was the target, I decided to go with a video advertising a "PayPal Money Hack" hosted on an arbitrary, external media site:

I updated the file attribute in the *_config.xml file to point to this new video:

Now I just needed to host this *_config.xml file on a server under my control with a path that could pass the flawed regex filter. I set up a server (for the purposes of the demo I'll call it localhost) with a sub-domain of, where I hosted the above *_config.xml file in the document root along with the following unrestricted crossdomain.xml file:

Now I could force the player to load the "paypal_money_hack" video (or any other of my choosing) by using the following URL:

Hopefully, this simple demo illustrated the potential problems that can arise from poorly configured cross-domain policies and the reliance on client-side input validation.
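As an added illustration (not code from the original post or from PayPal's player), the following JavaScript contrasts an unanchored, substring-style domain regex like the ALLOWED_DOMAINS entries described above with a check that parses the URL and compares the exact hostname against an allowlist, and adds a check for an unrestricted crossdomain.xml. The host names, the regex, the sample URLs and the policy text are all assumptions, and the hostname-suffix case goes beyond the path case the post describes.

```javascript
// Added example (not from the original post): a substring-style domain regex
// of the kind the decompiled player used, beside a host-based allowlist check.
// The allowed hosts and the regex are assumptions modelled on the post's
// description; the real ALLOWED_DOMAINS entries were not preserved here.

const ALLOWED_HOSTS = ["www.example-pay.com", "media.example-pay.com"]; // assumed

// Weak check: the pattern is unanchored, so it also matches when the allowed
// domain merely appears somewhere in the path or inside a longer hostname.
const WEAK_PATTERNS = [/https?:\/\/(www\.|media\.)?example-pay\.com/i]; // assumed

function weakIsAllowed(url) {
  return WEAK_PATTERNS.some((re) => re.test(url));
}

// Hardened check: parse the URL and compare the exact hostname against the
// allowlist; unparseable input and non-HTTPS schemes are rejected outright.
function strictIsAllowed(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "https:") return false;
  return ALLOWED_HOSTS.includes(parsed.hostname.toLowerCase());
}

// Server-side companion check: flag a crossdomain.xml that grants every
// domain access, i.e. the unrestricted policy the post describes.
function crossdomainAllowsAnyDomain(xmlText) {
  return /<allow-access-from\b[^>]*\bdomain\s*=\s*"\*"/i.test(xmlText);
}

// Constructed sample inputs (not real URLs or policy files).
const LEGIT_CONFIG = "https://media.example-pay.com/player/demo_config.xml";
const PATH_TRICK = "https://attacker.test/https://www.example-pay.com/demo_config.xml";
const SUFFIX_TRICK = "https://www.example-pay.com.attacker.test/demo_config.xml";
const OPEN_POLICY = '<?xml version="1.0"?><cross-domain-policy>' +
  '<allow-access-from domain="*"/></cross-domain-policy>';

// Runs every sample URL through both checks so the difference is visible.
function compareChecks() {
  return [LEGIT_CONFIG, PATH_TRICK, SUFFIX_TRICK].map((url) => ({
    url, weak: weakIsAllowed(url), strict: strictIsAllowed(url),
  }));
}

console.log(compareChecks(), crossdomainAllowsAnyDomain(OPEN_POLICY));
```

The weak regex accepts all three URLs, while the host-based check accepts only the legitimate one; a policy such as `<allow-access-from domain="*.example-pay.com"/>` is not flagged by the crossdomain check.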