[Owasp-kansascity] Flash shared objects
Fondekar, Kedar (Kansas City)
Kedar.Fondekar at fishnetsecurity.com
Tue Jan 16 14:30:55 EST 2007
Here is an easy read that I came across on the vulnerabilities in SiteKey Security.
"If the challenge was correctly answered, the server stores a bypass token so questions won't be asked
Cookie: PMData="PMV2AAhOQWNc(truncated);Expires=Wed, 09-May-2007 20:55:50 GMT;Path=/"
Flash shared object: PassMark="PMV2AAhOQWNc(truncated)"
Actual security comes from Flash Player's ban on (1) filesystem access by Internet scripts; and (2)
cross-site scripting. The overall safety of the SiteKey token is a function of Flash Player, operating
system and browser security, which block access to local files. The token is reasonably safe if these
things are working
Enable the "secure" flag on all cookies and set the "secure" option on persistent objects in Flash 8
and later versions (the "secure" option is new in Flash 8)"
Kedar Fondekar, CISSP
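The PassMark.sol files discussed in this thread can be read without SolVe. The following is an added example (not from the thread, from SolVe, or from any bank's code): a minimal AMF0 decoder for the Flash Local Shared Object (.sol) container, run against a constructed in-memory fixture shaped like the PassMark object named above. The token value in the fixture is made up, and the "Flash Player\#SharedObjects" subfolder used for the on-disk search is an assumption added here; the thread itself only names the parent "Application Data\Macromedia\Flash" directory.

```python
"""Read Flash Local Shared Objects (.sol, AMF0) and list what they store.
Added example; not the SolVe tool or any code from the thread."""
import glob
import os
import struct


def _amf0_encode(value):
    """Encode a bool/number/str/None as an AMF0 value (fixture building only)."""
    if isinstance(value, bool):                  # bool must be tested before int
        return b"\x01" + (b"\x01" if value else b"\x00")
    if isinstance(value, (int, float)):          # Number: 8-byte big-endian double
        return b"\x00" + struct.pack(">d", float(value))
    if isinstance(value, str):                   # String: uint16 length + UTF-8
        data = value.encode("utf-8")
        return b"\x02" + struct.pack(">H", len(data)) + data
    if value is None:                            # Null
        return b"\x05"
    raise TypeError(f"cannot encode {type(value).__name__}")


def build_sol(name, entries):
    """Build an in-memory AMF0 .sol image; used here only to construct a fixture."""
    body = b"TCSO" + b"\x00\x04\x00\x00\x00\x00"               # tag + fixed 6-byte pad
    n = name.encode("utf-8")
    body += struct.pack(">H", len(n)) + n + b"\x00\x00\x00\x00"  # object name, AMF version 0
    for key, value in entries.items():
        k = key.encode("utf-8")
        body += struct.pack(">H", len(k)) + k + _amf0_encode(value) + b"\x00"  # 0x00 trailer
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body   # magic, body length, body


def _read_amf0_value(buf, pos):
    """Decode one AMF0 value at buf[pos:]; return (value, position after it)."""
    marker = buf[pos]
    pos += 1
    if marker == 0x00:                                      # Number
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == 0x01:                                      # Boolean
        return buf[pos] != 0, pos + 1
    if marker == 0x02:                                      # String
        n = struct.unpack_from(">H", buf, pos)[0]
        pos += 2
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if marker == 0x03:                                      # Object: (key, value)* then 00 00 09
        obj = {}
        while True:
            n = struct.unpack_from(">H", buf, pos)[0]
            pos += 2
            if n == 0 and buf[pos] == 0x09:
                return obj, pos + 1
            key = buf[pos:pos + n].decode("utf-8")
            pos += n
            obj[key], pos = _read_amf0_value(buf, pos)
    if marker in (0x05, 0x06):                              # Null / Undefined
        return None, pos
    if marker == 0x0C:                                      # Long string: uint32 length
        n = struct.unpack_from(">I", buf, pos)[0]
        pos += 4
        return buf[pos:pos + n].decode("utf-8"), pos + n
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x} at offset {pos - 1}")


def parse_sol(buf):
    """Return (object_name, {key: value}) for an AMF0 .sol file image."""
    if buf[:2] != b"\x00\xbf" or buf[6:10] != b"TCSO":
        raise ValueError("not a .sol file (bad magic)")
    body_len = struct.unpack_from(">I", buf, 2)[0]
    if body_len != len(buf) - 6:
        raise ValueError(f"length field {body_len} does not match {len(buf) - 6} bytes present")
    pos = 16                                                # skip the 6 fixed bytes after TCSO
    n = struct.unpack_from(">H", buf, pos)[0]
    pos += 2
    name = buf[pos:pos + n].decode("utf-8")
    pos += n
    version = struct.unpack_from(">I", buf, pos)[0]
    pos += 4
    if version != 0:
        raise ValueError(f"AMF version {version} not supported (AMF0 only)")
    entries = {}
    while pos < len(buf):
        n = struct.unpack_from(">H", buf, pos)[0]
        pos += 2
        key = buf[pos:pos + n].decode("utf-8")
        pos += n
        entries[key], pos = _read_amf0_value(buf, pos)
        if buf[pos] != 0x00:
            raise ValueError(f"missing entry trailer at offset {pos}")
        pos += 1
    return name, entries


def find_sol_files(root=None):
    """Locate .sol files under the Flash profile directory named in the thread.
    The 'Flash Player\\#SharedObjects' subfolder is an assumption of this example."""
    if root is None:
        root = os.path.join(os.environ.get("APPDATA", ""), "Macromedia",
                            "Flash Player", "#SharedObjects")
    return sorted(glob.glob(os.path.join(root, "**", "*.sol"), recursive=True))


# Constructed fixture modelled on the PassMark.sol files named in the thread;
# the token string is made up and is not a real SiteKey token.
SAMPLE_SOL = build_sol("PassMark", {"PassMark": "PMV2EXAMPLETOKEN",
                                    "version": 2.0, "bypass": True})

if __name__ == "__main__":
    print(parse_sol(SAMPLE_SOL))                            # the fixture decodes as plaintext
    for path in find_sol_files():                           # then whatever this machine holds
        with open(path, "rb") as fh:
            try:
                print(path, *parse_sol(fh.read()))
            except ValueError as exc:
                print(path, "skipped:", exc)
```

The point the fixture makes is the one Ed and Kedar raise: the string value survives in the file exactly as written, so a grep for the prefix is enough to find it even without decoding. AMF3-versioned objects (version field 3) are rejected rather than misread; older tools failing on some files, as David reports, is the kind of thing that check surfaces.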
From: owasp-kansascity-bounces at lists.owasp.org [mailto:owasp-kansascity-bounces at lists.owasp.org] On
Behalf Of Ferguson, David (Kansas City)
Sent: Friday, January 12, 2007 11:09 AM
To: owasp-kansascity at lists.owasp.org
Subject: Re: [Owasp-kansascity] Flash shared objects
Well I downloaded the SolVE tool and used it to browse some shared objects (.sol files) on my
computer. Unfortunately, it errored out on some of them, including my Bank of America file (the tool
probably needs to be updated since it is from 2004). The BoA file is called PassMark.sol. From Ed's
email, I believe that is where BoA stores info to know whether or not you've accessed their site from
a particular computer. Interestingly, Vanguard recently adopted the same SiteKey functionality and I
see a file called PassMark.sol for them too.
(Hmm, I guess I just admitted I have BoA and Vanguard accounts. That's okay - I'm protected by
> -----Original Message-----
> From: owasp-kansascity-bounces at lists.owasp.org [mailto:owasp-kansascity-
> bounces at lists.owasp.org] On Behalf Of Ferguson, David (Kansas City)
> Sent: Thursday, January 11, 2007 2:57 PM
> To: owasp-kansascity at lists.owasp.org
> Subject: [Owasp-kansascity] Flash shared objects
> Ed Welsh recently sent this my way, so I'm forwarding it along. Is anyone using these shared objects
> in their development? Personally I did not even know these files existed, let alone they could be
> used to store interesting or potentially sensitive information.
> From: Welsh, Ed
> Sent: Wednesday, January 10, 2007 10:30 AM
> Subject: Flash Shared Objects
> Here is a new spot to check when information gathering a web application:
> C:\Documents and Settings\<username>\Application Data\Macromedia\Flash
> There is an object browser called "SolVe" on SourceForge. Many applications are using the Flash
> shared object model to store Flash "cookies" (up to 100K). Bank of America is putting the SiteKey
> info there when you authorize a PC for their site.
> Key points:
> - Clearing browser history, cookies, and cache does not clear Flash objects.
> - Many sites are not encrypting the contents.
> - At least one framework (dojo) is making this storage automatic for developers via object models.
> Owasp-kansascity mailing list
> Owasp-kansascity at lists.owasp.org