Articles
From FlashSec
Contents | Articles/Papers/Talks | CVE | Advisories | Adobe Advisories | Specs/Adobe Docs |
Wiki articles
- getURL Issues
- Simple AS3 Decompiler Using Tamarin
- Arbitrary HTTP Requests
- Overwriting Global Variables
Articles
2009
- HD Moore: Fuzzing Flash For Fun (ASNative)
2008
- Bas: You can only sit down if you are a human being
- BeF: Playing hide and seek in a flash
- Nicolas Cannasse: Virtual Memory API
- Nicolas Cannasse: Adobe Alchemy
- Marian Radu (Microsoft Malware Protection Center): SWF for Malware Deployment
- guya.net: Malicious camera spying using ClickJacking
- RSnake: Clickjacking Details
- Ory Segal: Flash Parameter Injection
- Ory Segal: Automated Crawling & Security Testing of Flash/Flex Web Applications
- Jeremiah Grossman: I used to know what you watched, on YouTube
- guya.net: Encapsulating CSRF attacks inside massively distributed Flash movies - Real world example
- guya.net: Bug in Internet Explorer security model when embedding Flash, Encapsulating CSRF attacks inside massively distributed Flash movies - Real world example
- Chris Thornton: Clipboard Virus? Not exactly, but still dangerous.
- Sowhat (XFocus): Flashblock Bypass
- David Lenoe (Adobe PSIRT): More information on recent Flash Player exploit
- Adrien de Beaupré (ISC): Another example of malicious SWF
- Steven Adair (shadowserver): When Adobe Flash Attacks
- Paul Oliveria (Trend Micro): Targeted Attack in Mexico, Part 2: Yet Another Drive-By Pharming
- Dancho Danchev: Malware Attack Exploiting Flash Zero Day Vulnerability
- Rob Hensing (Microsoft) @ Bluehat blog: The battle for the (browser) your PC
- Thomas Ptacek (Matasano): About Mark Dowd's Flash bytecode attack (PDF) - This New Vulnerability: Dowd's Inhuman Flash Exploit, Dowd's Flash Report: What Have We Learned?
- Rob: Flash DNS Rebinding Attack Explained
- Gnucitizen: Cross-site file upload attacks
- БЭФ블로그: Erlang-based SWF Decompiler (SWF in a nutshell and the malware tragedy, Erlang unscrambles SWF)
- Gnucitizen: Using Flash for hacking UPnP (Hacking The Interwebs, Flash UPnP attack FAQ)
- Sandi Hardmeier: Heise.de hit by malicious banner advertisement
- Rich Cannings: XSS Vulnerabilities in Common Shockwave Flash Files
2007
- Adobe Knowledge Base: Socket connection timing can reveal information about network configuration (Flash Player)
- William Salusky (SANS): Malvertising
- Sean: Malicious Banner Ad
- Adrian Pastor and Amir Azam (ProCheckUp): PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method
- Dynamoo: Malware-scan.com / Newbieadguide.com hijacking Yourmusic.com banner ads
- sirdarckcat: Universal youtube mods XSS explained in 7 steps
- Giorgio Maone: Cross-Browser Proxy Unmasking
- Billy (BK) Rios: Cross Domain Hole Caused By Google Docs
- David Neu and fukami: Design flaw in AS3 socket handling allows port probing
- Alex (kuza55): Exploiting reflected XSS vulnerabilities, where user input must come through HTTP Request Headers
- Raymond: How to Cheat and Hack Flash based Games
2006
- Stefan Esser: Poking new holes with Flash Crossdomain Policy Files
- Gnucitizen: Backdooring Flash Objects
- Kanatoko Anvil: Anti-DNS Pinning + Socket in Flash
- Guasconi Vincent (French): DNS Rebinding and Flash
- Amit Klein (SecuriTeam): Forging HTTP Request Headers with Flash ActionScript
- Julien Couvreur: FlashXMLHttpRequest: Cross-Domain Requests, Cross-domain AJAX using Flash, Cross Domain Example with Flash 8
2004
- Eric Lin: How to protect SWFs from decompilers?
2003
2002
- Eyeonsecurity: Bypassing JavaScript Filters – the Flash! Attack
Talks
- Ronen Bachar: Automated Crawling & Security Testing of Flash/Flex Web Applications
- Scott Petersen: FlaCC - Flash C Compiler (2008 LLVM Developers' Meeting)
- Paul Theriault: The detection and analysis of Flash based malware (OWASP Australia 2008)
- Stefano di Paola: Finding Vulnerabilities in Flash Applications (OWASP/WASC San Jose 2007)
- Deneb Meketa: Flash Security: Why and How (MAX 2007)
- fukami: Testing and exploiting Flash applications (CCCamp 2007)
- Thai N. Duong: Zombilizing the web browser via Flash Player 9 (VNSECON07 talk)
- Stefano di Paola: Flash Application Testing: A New Vector for XSS and Cross Site Flashing (OWASP Milano)
Papers
- Yuval Baror, Ayal Yogev, Adi Sharabani: Flash Parameter Injection
- BeF and fukami: SWF and the Malware Tragedy
- Mark Dowd: Application-Specific Attacks: Leveraging the ActionScript Virtual Machine
Writeups
- Security on AIR: Local file access through JavaScript
- Adobe Shockwave ShockwaveVersion() Stack Overflow