Friday, March 2, 2018

intercepting messages from Flash, Java applet and Silverlight

Résultat de recherche d'images pour "Java applet and Silverlight"

Browser extension that technologies permit the execution of a code in a sandbox, It was used originally to provide simple improving on the presentation of the web application like creating animation or vivid contents , with much of flexibility and power these technologies provide developers used it to create full component and applications.

After all those components are used in the web pages and need to interact using the web protocols so exchanged information are transmitted over Http and usually in objects or complex structures. Attacker can compromise the messages exchanged with those extensions and refactor it. 

Main target of the attack is to initiate attacks like SQL injection, buffer overflow or manipulate parameters to have application related gain. Attack requirement 
  •  Extension interacts with server through Http
  •  No special encryption is used to preserve messages confidentiality. 

Attack process

1. Capture the request initiated by the page using a proxy like Burp.
2. Depending on the type of extension use the right deciphering method to unpack the message sent.

  •  Java applets use Java serialization which can be deciphered using aplugin on Burp (JDSer).
  •  As for Flash it normally uses (AMF Action Message Format) whichis supported by default by Burp.
  •  Silver light uses (WFC windows communications foundation) andSOAP (NBFS) message format that can be deciphered using a plugin named (WCF Binary Soap Plug-In) by (labs@gdssecurity.com)

3. A special tab will show the object content sent in the ciphered message.
4. Alter the message as requested and forward the request.
5. Capture the response and see deciphered contents. 
  

Decompile Flash, Java applet and Silverlight

  This attack depends on disclosing the business logic executed in a browser extension like Java applet, Flash or Silverlight component Java applets and SWF file contains bytecode that can be decompiled to recover the original source through tools like JAD for java applet, Flare for flash and Telerik Just Decompiler for Silverlight XAP files. (software are available in supplementary materials)

Attack requirement 

  •  Targeted functionality fully executed on the client side. 
  •  Low complexity of application bytecode. 

Attack process

 1. use Flare, JAD or Telerik decompiler depending on the type of component. The result will be ActionScript source for Flare or Java for JAD. 
2. review the source to identify any attack points that will enable you to reengineer the Flash object and bypass any controls implemented within it. 
3. modify the decompiled source to change the behavior of the applet, recompile it to bytecode, and modify the source code of the HTML page to load the modified applet in place of the original. 

0 comments: