[Owasp-kansascity] Flash shared objects

Fondekar, Kedar (Kansas City) Kedar.Fondekar at fishnetsecurity.com
Tue Jan 16 14:30:55 EST 2007


Here is an easy read that I came across on the vulnerabilities in SiteKey Security.

http://cr-labs.com/publications/SiteKey-20060718.pdf

......

"If the challenge was correctly answered, the server stores a bypass token so questions won't be asked again:

Cookie: PMData="PMV2AAhOQWNc(truncated);Expires=Wed, 09-May-2007 20:55:50 GMT;Path=/"
Flash shared object: PassMark="PMV2AAhOQWNc(truncated)"

...

Actual security comes from Flash Player's ban on (1) filesystem access by Internet scripts; and (2) cross-site scripting. The overall safety of the SiteKey token is a function of Flash Player, operating system and browser security, which block access to local files. The token is reasonably safe if these things are working correctly.

...

Enable the "secure" flag on all cookies and set the "secure" option on persistent objects in Flash 8 and later versions (the "secure" option is new in Flash 8)"


Kedar Fondekar, CISSP
 
 

-----Original Message-----
From: owasp-kansascity-bounces at lists.owasp.org [mailto:owasp-kansascity-bounces at lists.owasp.org] On
Behalf Of Ferguson, David (Kansas City)
Sent: Friday, January 12, 2007 11:09 AM
To: owasp-kansascity at lists.owasp.org
Subject: Re: [Owasp-kansascity] Flash shared objects

Well I downloaded the SolVE tool and used it to browse some shared objects (.sol files) on my
computer.  Unfortunately, it errored out on some of them, including my Bank of America file (the tool
probably needs to be updated since it is from 2004).  The BoA file is called PassMark.sol.  From Ed's
email, I believe that is where BoA stores info to know whether or not you've accessed their site from
a particular computer.  Interestingly, Vanguard recently adopted the same SiteKey functionality and I
see a file called PassMark.sol for them too.  
(Hmm, I guess I just admitted I have BoA and Vanguard accounts.  That's okay - I'm protected by
SiteKey!)

> -----Original Message-----
> From: owasp-kansascity-bounces at lists.owasp.org [mailto:owasp-kansascity-
> bounces at lists.owasp.org] On Behalf Of Ferguson, David (Kansas City)
> Sent: Thursday, January 11, 2007 2:57 PM
> To: owasp-kansascity at lists.owasp.org
> Subject: [Owasp-kansascity] Flash shared objects
> 
> Ed Welsh recently sent this my way, so I'm forwarding it along.  Is anyone using these
> shared objects
> in their development?  Personally I did not even know these files existed, let alone they
> could be
> used to store interesting or potentially sensitive information.
> 
> Dave
> 
> ________________________________________
> From: Welsh, Ed
> Sent: Wednesday, January 10, 2007 10:30 AM
> Subject: Flash Shared Objects
> 
> Here is a new spot to check when information gathering a web application:
> 
> C:\Documents and Settings\<username>\Application Data\Macromedia\Flash
> Player\#SharedObjects
> 
> There is an object browser called "SolVe" on SourceForge.  Many applications are
> using the Flash
> shared object model to store Flash "cookies" (up to 100K).  Bank of America is putting
> the SiteKey
> info there when you authorize a PC for their site.
> 
> Key points:
> 
> - Clearing browser history, cookies, and cache does not clear Flash objects.
> - Many sites are not encrypting the contents.
> - At least one framework (dojo) is making this storage automatic for developers via
> object models.
> 
> _______________________________________________
> Owasp-kansascity mailing list
> Owasp-kansascity at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-kansascity
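The PassMark.sol files discussed in this thread are Flash Local Shared Objects. As an added illustration, not code from the thread, from SiteKey or from the SolVE tool, here is a small Python reader that parses a constructed AMF0 .sol file and lists its string values, the kind of check a developer or auditor can run against their own machine to confirm whether a site is writing tokens to this store in clear text (Ed's "many sites are not encrypting the contents" point). The header layout and AMF0 type markers in the comments are assumptions from my reading of the published LSO/AMF0 format, the `build_sol` writer exists only to construct the sample, and the token value is constructed, not a real PassMark token.

```python
"""Minimal reader for Flash Local Shared Object (.sol) files encoded with AMF0.

Assumed layout (from the published LSO format, not from this thread):
  0x00 0xBF                  magic
  uint32 BE                  length of everything that follows
  "TCSO"                     signature
  00 04 00 00 00 00          fixed bytes
  uint16 BE + bytes          object name
  uint32 BE                  encoding version: 0 = AMF0, 3 = AMF3
  repeated: uint16 BE key length, key, AMF0 value, 0x00 trailer
"""
import struct

# AMF0 type markers handled here (subset of the format)
AMF0_NUMBER = 0x00     # 8-byte big-endian IEEE double
AMF0_BOOLEAN = 0x01    # 1 byte
AMF0_STRING = 0x02     # uint16 length + UTF-8 bytes
AMF0_NULL = 0x05
AMF0_UNDEFINED = 0x06


def _encode_amf0(value):
    """Encode a Python value as an AMF0 value (used only to build the sample)."""
    if isinstance(value, bool):            # bool must be tested before int
        return bytes([AMF0_BOOLEAN, int(value)])
    if isinstance(value, (int, float)):
        return bytes([AMF0_NUMBER]) + struct.pack(">d", float(value))
    if isinstance(value, str):
        vb = value.encode("utf-8")
        return bytes([AMF0_STRING]) + struct.pack(">H", len(vb)) + vb
    if value is None:
        return bytes([AMF0_NULL])
    raise TypeError(f"unsupported value type: {type(value).__name__}")


def build_sol(name: str, entries: dict) -> bytes:
    """Serialize a constructed .sol file so the reader can be exercised offline."""
    body = b""
    for key, value in entries.items():
        kb = key.encode("utf-8")
        body += struct.pack(">H", len(kb)) + kb + _encode_amf0(value) + b"\x00"
    nb = name.encode("utf-8")
    payload = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00"
               + struct.pack(">H", len(nb)) + nb
               + struct.pack(">I", 0)          # encoding version 0 = AMF0
               + body)
    return b"\x00\xbf" + struct.pack(">I", len(payload)) + payload


def _decode_amf0(buf: bytes, pos: int):
    """Decode one AMF0 value at buf[pos]; return (value, new_pos)."""
    marker = buf[pos]
    pos += 1
    if marker == AMF0_NUMBER:
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if marker == AMF0_BOOLEAN:
        return buf[pos] != 0, pos + 1
    if marker == AMF0_STRING:
        (n,) = struct.unpack(">H", buf[pos:pos + 2])
        pos += 2
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if marker in (AMF0_NULL, AMF0_UNDEFINED):
        return None, pos
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x} at offset {pos - 1}")


def parse_sol(data: bytes):
    """Parse a .sol file; return (object name, dict of top-level entries)."""
    if data[:2] != b"\x00\xbf":
        raise ValueError("not a .sol file (bad magic)")
    (length,) = struct.unpack(">I", data[2:6])
    if length != len(data) - 6:
        raise ValueError("length field does not match file size")
    if data[6:10] != b"TCSO":
        raise ValueError("missing TCSO signature")
    pos = 16                                   # 2 magic + 4 length + 4 TCSO + 6 fixed
    (nlen,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    name = data[pos:pos + nlen].decode("utf-8")
    pos += nlen
    (version,) = struct.unpack(">I", data[pos:pos + 4])
    pos += 4
    if version != 0:
        raise ValueError("only AMF0-encoded objects are handled here")
    entries = {}
    while pos < len(data):
        (klen,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        key = data[pos:pos + klen].decode("utf-8")
        pos += klen
        value, pos = _decode_amf0(data, pos)
        if data[pos] != 0:
            raise ValueError(f"missing entry trailer after key {key!r}")
        pos += 1
        entries[key] = value
    return name, entries


def find_cleartext_tokens(entries: dict, min_len: int = 16) -> dict:
    """Return string entries long enough to be credentials or bypass tokens."""
    return {k: v for k, v in entries.items()
            if isinstance(v, str) and len(v) >= min_len}


# Constructed sample: a PassMark-style object with a made-up token value.
SAMPLE_SOL = build_sol("PassMark", {
    "PassMark": "PMV2-CONSTRUCTED-SAMPLE-TOKEN",
    "sitekeyEnabled": True,
    "version": 2,
})

if __name__ == "__main__":
    obj_name, obj_entries = parse_sol(SAMPLE_SOL)
    print(obj_name, obj_entries)
    print("clear-text token-like values:", find_cleartext_tokens(obj_entries))
```

To run it against real files, replace `SAMPLE_SOL` with the bytes of a file read from the `#SharedObjects` directory Ed named; a long string value showing up in `find_cleartext_tokens` means the site stored it unencrypted, which is exactly what the "secure" option and server-side encryption the quoted paper recommends are meant to address.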

