Paid Advertising
web application security lab
« Content Restrictions - A Call For Input
Firefox Remote Variable Leakage »

More Port Scanning - This Time in Flash

A few weeks ago fukami showed me a sample application he had written in Flash to do port scanning. It was actually really good, and accurate. It’s probably a preferred method, if the target uses flash since it’s pretty fast. He asked me to wait to post until after he had released it, and he has now done so. Please check out his demo and writeup here. You’ll need both JS and Flash enabled.

The basic premise is the error handler for the socket control can be used to detect raw sockets that are open. It also doesn’t seem to have restrictions against testing localhost, and not the server it’s hosted on, which is a pretty bad cross domain issue. He recommends downgrading flash to 8 and/or using Flash only on trusted sites (which is only helpful if the site isn’t vulnerable to XSS). Great demo, and nice work by fukami!

This entry was posted on Saturday, August 11th, 2007 at 7:57 am and is filed under XSS, Webappsec. You can leave a response as well.

4 Responses to “More Port Scanning - This Time in Flash”

  1. Darkster Says:
    August 11th, 2007 at 9:05 am

    It’s a bit scary to see what’s possible. Nevertheless this is app is awesom :)

  2. Giorgio Maone Says:
    August 11th, 2007 at 10:30 am

    “Using Flash only on trusted sites (which is only helpful if the site isn’t vulnerable to XSS)”

    By “using Flash only on trusted sites” you may either mean using FlashBlock or NoScript.

    If you’re using FlashBlock you’re not safe, because code execution is not reliably prevented (you’re just ensured you won’t see the movie).

    If you’re using NoScript to block Flash (NoScript Options|Advanced|Untrusted), you’ve got protection against reflective XSS, so “it’s helpful unless the trusted site is vulnerable to PERSISTENT XSS”.

    Furthermore, you can additionally enable the “noscript.contentBlocker” behavior ( http://noscript.net/features#contentblocking ): Flash content will be blocked by default even on “trusted” sites, until you explicitly enable each applet by clicking on it, after being notified about its origin.

  3. h3xStream Says:
    August 13th, 2007 at 10:16 am

    @Giorgio Maone
    FlashBlock isn’t only hidding flash object ..
    it does load any until you manually activate them.

  4. Giorgio Maone Says:
    August 13th, 2007 at 11:02 am

    @h3xStream:
    you’re right, I’ve just tested it.
    Many thanks for the pointer :)

Respond here or Discuss On the Forums