[Owasp-kansascity] Flash shared objects

Ferguson, David (Kansas City) Dave.Ferguson at fishnetsecurity.com
Thu Jan 11 15:57:29 EST 2007

Ed Welsh recently sent this my way, so I'm forwarding it along.  Is anyone using these shared objects
in their development?  Personally I did not even know these files existed, let alone they could be
used to store interesting or potentially sensitive information.


From: Welsh, Ed 
Sent: Wednesday, January 10, 2007 10:30 AM
Subject: Flash Shared Objects

Here is a new spot to check when information gathering a web application: 
C:\Documents and Settings\<username>\Application Data\Macromedia\Flash Player\#SharedObjects
There is an object browser called "SolVe" on SourceForge.  Many applications are using the Flash
shared object model to store Flash "cookies" (up to 100K).  Bank of America is putting the SiteKey
info there when you authorize a PC for their site.
Key points:
- Clearing browser history, cookies, and cache does not clear Flash objects.
- Many sites are not encrypting the contents.
- At least one framework (dojo) is making this storage automatic for developers via object models.

More information about the Owasp-kansascity mailing list