[Owasp-antisamy] Toward safe Flash filtering -- dealing with "param" tags

Erik downward_machine at yahoo.com
Wed Sep 16 21:50:10 EDT 2009


I've got AntiSamy configured to filter out bad Flash embeds, such that we allow videos from a bunch of sites (YouTube, Vimeo, Hulu, etc) but not from any other source. It works in most cases, but due to how AS works, it doesn't work for all embed codes.

It works well for embeds of the form (from Ustream):

<embed
	flashvars="loc=%2F&amp;autoplay=false&amp;vid=2161728&amp;hid=17959&amp;disabledComment=true&amp;beginPercent=0.1215&amp;endPercent=0.2651"
	width="480" height="386" allowfullscreen="true"
	allowscriptaccess="always"
	src="http://www.ustream.tv/flash/video/2161728"
	type="application/x-shockwave-flash" />

Where there is a clear "embed" tag in which there are data attributes -- you simply add the appropriate attribute elements to your tag elements in your policy file. However, you sometimes see a combination of object and embed tags, like this one from YouTube:

<object width="560" height="340">
	<param name="movie"
		value="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"></param>
	<param name="allowFullScreen" value="true"></param>
	<param name="allowscriptaccess" value="always"></param>
	<embed src="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"
		type="application/x-shockwave-flash" allowscriptaccess="always"
		allowfullscreen="true" width="560" height="340"></embed></object>

Note the "param" tags. AS has no way (AFAIK) of vetting the "value" attributes against the specified param "name". Thus I just filter out the "param" tags completely. It is necessary because we are seeing (actual!) attacks like the following (with mildly obfuscated URL): 

<object width="100%" height="100%"
	data="http://www.sheltersquadxxx.com/caqo.swf"
	type="application/x-shockwave-flash">
	<param name="src" value="http://www.sheltersquadxxx.com/caqo.swf" />
</object>

Clearly the "param" tag has got to go if we cannot examine it. This isn't a problem for YouTube, whose resulting embed looks like this:

<object height="340" width="560">
  <embed allowfullscreen="true" allowscriptaccess="always" height="340"
    src="http://www.youtube.com/v/IyAyd4WnvhU&amp;hl=en&amp;fs=1&amp;"
    type="application/x-shockwave-flash" width="560" /></object>

And it still works, because of redundant data in the "embed" tag. But say we try the same with a video from Cracked:

<object type="application/x-shockwave-flash"
	data="http://cdn-i.dmdentertainment.com/DMVideoPlayer/player.swf"
	id="player" height="379" width="608">
	<param name="allowScriptAccess" value="always" />
	<param name="allowFullScreen" value="true" />
	<param name="movie"
		value="http://cdn-i.dmdentertainment.com/DMVideoPlayer/player.swf" />
	<param name="wmode" value="transparent" />
	<param name="flashVars"
		value="TITLE=8%20Local%20News%20Segments%20Gone%20Horribly%20Wrong&demand_show_replay=true&ID=17779&demand_content_id=17779&demand_related=1&demand_page_url=http%3A//www.cracked.com/video_17779_8-local-news-segments-gone-horribly-wrong.html&demand_related_feed=http%3A//www.cracked.com/relatedvideo_17779_8-local-news-segments-gone-horribly-wrong.xml&v=2.2.0&DESC=&demand_preroll=true&video_title=8%20Local%20News%20Segments%20Gone%20Horribly%20Wrong&demand_preroll_source=http%3A//cdn-www.cracked.com/sites/cracked2/images/videoplayer/Pre-Roll1b.swf&KEYWORDS=&adPartner=Adap&demand_iconurl=http%3A//cdn-www.cracked.com/sites/cracked2/images/favicon.gif&COMPANION_DIV_ID=adaptv_ad_companion_div&demand_autoplay=0&KEY=DemandMediacracked&demand_icontext=Watch%20more%20videos%20at%20Cracked.com%2C%20America%27s%20only%20humor%20site.&demand_iconlink=http%3A//www.cracked.com/&height=37&CATEGORIES=Entertainment%2CNews%2CLifestyle&sitename=Cracked.com&demand_report_url=http%3A//www.cracked.com/update.aspx&URL=http%3A//cdn-i.dmdentertainment.com/funpages/cms_content/17779/video_17779_608x342.flv&demand_content_sourcekey=cracked.com&skin=http%3A//cdn-i.dmdentertainment.com/DMVideoPlayer/playerskin.swf&source=http%3A//cdn-i.dmdentertainment.com/funpages/cms_content/17779/video_17779_608x342.flv" />
</object>

(Sorry for the long flashVars there.) It has no "embed" tag -- all its data was wrapped up in that "flashVars" param tag -- so after the filter it turns into:

  <object
    data="http://cdn-i.dmdentertainment.com/DMVideoPlayer/player.swf"
    height="379" id="player" type="application/x-shockwave-flash" width="608" />

Broken. However, I've discovered a relatively simple fix. Rather than complexifying AS by enabling it to filter "param" tags, I've found that if I move the data from the "param" tags into the "object" tag as attribute/value pairs, the embed still works and AS can filter it. The resulting "object" tag should (handwritten here) look like:

<object type="application/x-shockwave-flash"
	data="http://cdn-i.dmdentertainment.com/DMVideoPlayer/player.swf"
	id="player" height="379" width="608" allowScriptAccess="always" allowFullScreen="true"
	movie="http://cdn-i.dmdentertainment.com/DMVideoPlayer/player.swf"
	wmode="transparent"
	flashVars="TITLE=8%20Local%20News%20Segments%20Gone%20Horribly%20Wrong&demand_show_replay=true&ID=17779&demand_content_id=17779&demand_related=1&demand_page_url=http%3A//www.cracked.com/video_17779_8-local-news-segments-gone-horribly-wrong.html&demand_related_feed=http%3A//www.cracked.com/relatedvideo_17779_8-local-news-segments-gone-horribly-wrong.xml&v=2.2.0&DESC=&demand_preroll=true&video_title=8%20Local%20News%20Segments%20Gone%20Horribly%20Wrong&demand_preroll_source=http%3A//cdn-www.cracked.com/sites/cracked2/images/videoplayer/Pre-Roll1b.swf&KEYWORDS=&adPartner=Adap&demand_iconurl=http%3A//cdn-www.cracked.com/sites/cracked2/images/favicon.gif&COMPANION_DIV_ID=adaptv_ad_companion_div&demand_autoplay=0&KEY=DemandMediacracked&demand_icontext=Watch%20more%20videos%20at%20Cracked.com%2C%20America%27s%20only%20humor%20site.&demand_iconlink=http%3A//www.cracked.com/&height=37&CATEGORIES=Entertainment%2CNews%2CLifestyle&sitename=Cracked.com&demand_report_url=http%3A//www.cracked.com/update.aspx&URL=http%3A//cdn-i.dmdentertainment.com/funpages/cms_content/17779/video_17779_608x342.flv&demand_content_sourcekey=cracked.com&skin=http%3A//cdn-i.dmdentertainment.com/DMVideoPlayer/playerskin.swf&source=http%3A//cdn-i.dmdentertainment.com/funpages/cms_content/17779/video_17779_608x342.flv">
</object>

I haven't written the code to do this data conversion, but I'm familiar with the internals from my work on implementing nofollowAnchors, so I'm certain I can do it. Is anyone interested?

--Erik Innocent
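The conversion Erik proposes, as an added example that is not part of his post or of AntiSamy's code base: each `<param name="..." value="...">` child is folded into its parent `<object>` as an attribute/value pair, so that the object's attributes can be vetted by the same kind of per-attribute rule a policy file applies. The host allowlist, the set of URL-bearing attribute names (`data`, `movie`, `src`) and the sample snippets are constructed assumptions for this example; the flashVars values are shortened, and the attack sample uses a placeholder host in place of the real one.

```python
"""Hoist <param> children of <object> into attributes, then vet the result.

Standard-library only. HTMLParser tolerates the raw '&' that appears in
YouTube-style URLs, which a strict XML parser would reject.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of Flash hosts; in practice this lives in the policy file.
ALLOWED_HOSTS = {"www.youtube.com", "www.ustream.tv", "cdn-i.dmdentertainment.com"}
# Attributes on <object> that name a SWF to load once params are hoisted (assumed).
URL_ATTRS = ("data", "movie", "src")


class ParamHoister(HTMLParser):
    """Collect each <object>'s attributes, folding its <param> children in.

    HTMLParser lower-cases tag and attribute names; HTML attribute names are
    case-insensitive, so allowScriptAccess and allowscriptaccess are the same.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.objects = []  # finished <object> attribute dicts, in document order
        self._open = []    # attribute dicts of <object> tags not yet closed

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            self._open.append(dict(attrs))
        elif tag == "param" and self._open:
            a = dict(attrs)
            name, value = a.get("name"), a.get("value")
            if name and value is not None:
                # An attribute already present on <object> wins: a <param> must
                # not quietly override something the policy has already seen.
                self._open[-1].setdefault(name.lower(), value)

    def handle_endtag(self, tag):
        if tag == "object" and self._open:
            self.objects.append(self._open.pop())

    def close(self):
        super().close()
        while self._open:  # unclosed <object> tags still count
            self.objects.append(self._open.pop(0))


def vet_object(attrs):
    """Apply the allowlist the way an attribute rule in the policy would:
    every URL-bearing attribute must be http(s) on an allowed host.
    Returns (allowed, reason)."""
    seen = False
    for key in URL_ATTRS:
        if key not in attrs:
            continue
        seen = True
        u = urlparse(attrs[key])
        if u.scheme not in ("http", "https") or u.hostname not in ALLOWED_HOSTS:
            return False, f"{key}={attrs[key]!r} is not an allowed Flash source"
    if not seen:
        return False, "no SWF source attribute to vet"
    return True, "ok"


def serialize_object(attrs):
    """Render the hoisted <object ...> start tag with values re-escaped."""
    parts = " ".join(f'{k}="{escape(v, quote=True)}"'
                     for k, v in attrs.items() if v is not None)
    return f"<object {parts}>"


def hoist_and_vet(markup):
    """Parse markup, hoist params, vet each object.
    Returns a list of (start_tag, allowed, reason), one per <object>."""
    p = ParamHoister()
    p.feed(markup)
    p.close()
    return [(serialize_object(o),) + vet_object(o) for o in p.objects]


# Constructed samples shaped like the ones in the post (flashVars shortened).
CRACKED = '''<object type="application/x-shockwave-flash"
  data="http://cdn-i.dmdentertainment.com/DMVideoPlayer/player.swf"
  id="player" height="379" width="608">
  <param name="allowScriptAccess" value="always" />
  <param name="movie" value="http://cdn-i.dmdentertainment.com/DMVideoPlayer/player.swf" />
  <param name="flashVars" value="ID=17779&amp;demand_autoplay=0" />
</object>'''

YOUTUBE = '''<object width="560" height="340">
  <param name="movie" value="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"></param>
  <embed src="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"
    type="application/x-shockwave-flash" width="560" height="340"></embed></object>'''

ATTACK = '''<object width="100%" height="100%" data="http://attacker.example/caqo.swf"
  type="application/x-shockwave-flash">
  <param name="src" value="http://attacker.example/caqo.swf" />
</object>'''

if __name__ == "__main__":
    for label, sample in (("cracked", CRACKED), ("youtube", YOUTUBE), ("attack", ATTACK)):
        for tag, ok, why in hoist_and_vet(sample):
            print(label, "ALLOW" if ok else "REJECT", why)
            print("  ", tag)
```

Only the URL-bearing attributes are checked against the host allowlist here; once hoisted, `flashvars` is an ordinary attribute carrying a query string, so it would be vetted by a value regex in the policy just like `width` or `wmode`. Note that `setdefault` keeps whatever the `<object>` tag already carried, so a `<param>` cannot displace an attribute that has already passed the policy.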
