cure53 / flashbang Goto Github PK

SWF : http://dev.sencha.com/deploy/dev/resources/charts.swf

till : I think I vaguely remember that this has to do with the order in which things get added to the stage vs their constructor being run

Person to contact : tobytailor

it told me to report a bug in the thing, i tried to run the first Achievement Unlocked in the thing and it popped up with an error. idk why it did that, but it did. pls fix

Flashbang will need a rough outline for a first API. Something like:

Flashbang.load()
Flashbang.scan()
Flashbang.info()
Flashbang.close()

We need to think who this could look like and what we want to do in the early alpha.

Decompiled source - Here

This is to ensure that if swf tries to parse parameters from url our flashVars still work. Detection of flashVars is complex in this case though.

loaderInfo._url has to be tampered : Help

P.S: Think of something for detection, may be we can proxy the calls of _url

I've uploaded the file here:
https://ufile.io/e6f

You can try it by opening the file in your browser and adding "?clickTAG=http://www.example.com" to the end of the URL.

Now click the image, and http://www.example.com will open in a new tab.

Here is the SWF file.
https://github.com/umbraco/Starterkits/blob/master/Overflow/Overflow/umbraco/Dashboard/Swfs/AIRInstallBadge.swf

Open it like this for example: AIRInstallBadge.swf?str_error=I am so vulnerable!&str_err_params=Click here for XSS!

We need an overall of ten to fifteen vulnerable (to XSS) Flash files to show them to the Shumway team. Ideally we have them in a folder - each embedded in HTML with a button to trigger the vulnerability.

We need bugs that exploit vulnerabilities in as many different Flash/AS methods as possible. Further, some of the bugs should be requiring user interaction to be exploited, others should be exploitable without user interaction.

This step is important before we re-connect with the Shumway team. They basically will use this input to understand, what APIs we would need.

We need the following enhancements to make Flashbang be more usable:

• Communicate that currently only Chrome works well
• Add a "close SWF" button
• Add a "rerun analysis" button
• Add a spinner / progress indicator
• Implement a console.log that logs into a <textarea>

Issue :

Fix :

Might be already fixed in 'nat'

So, inturn flashbang will not work

Bug : Here

Hey Cure53 Team,

Awesome work! Thanks a ton... My issue is with the specific SWF at https://www.sc.com/sg/personal-banking/investment/online-trading-tour/main.swf

It's not being reversed... Am I missing anything here?

Thanks,
Kiran

What is the problem, please?

Decompiled source : Here

The call is "YUI.applyTo" is not happening :O

• Using shumway, all the FlashVars for a given flash file have to be collected

If some extra information about variables is available during this stage, which can be leveraged to guess the type of variables then it will be useful

I got inconsistent results scanning this swf. RIght now it seems to only detect FlashVars but no sinks. Initially it wasn't detecting anything.

Link to swf
https://docs.google.com/file/d/0B-4ZVWytXXbCbVJfcmZZaEFtbVU

Vulnerability overview:
zeroclipboard/zeroclipboard#14

Issue :

Even though ExternalInterface is mocked, swfupload checks for some classes here of which FileReferenceListClass doesn't have a native.

Fix :

It seems, that this is fixed in nat branch.

Heya,

strangely, in this file, Flashbang cannot see the Flashvars. It needs to be noted, that other decompilers and tools have similar issues.

http://s3.amazonaws.com/avlidienbrunn/wheres_the_xss.swf

Can we specify what is happening here?

Cheers,
.mario

We need to think what features we would like to present - and how a very early UI could look like. All Flashbang features should be available as API, the early UI draft should respect this.

http://globalassets.starbucks.com/static/media/goalsandprogress/exploreTheStore.swf

Uncaught TypeError: Cannot read property 'props' of undefined
at Object.addTimelineChild [as _addTimelineChild]

This swf file will break the runtime of flashbang

• Inability to scroll horizontally incase of long lines of text in trace terminal
• If possible one raw version and one interpreted version of the data ending up in sinks