OWASP Delhi Meeting Flash Vulnerabilities and Exploits

"Adobe Flash (previously called Shockwave Flash and Macromedia Flash) is a set of multimedia  software created by Macromedia   and currently developed and distributed by Adobe Systems  . Since its introduction in 1996, Flash has become a popular method for adding animation   and interactivity   to web pages; Flash is commonly used to create animation, advertisements , and various web page components, to integrate video into web pages, and more recently, to develop rich Internet applications  " Wikipedia.org

The above excerpt infer that this technology was initially envisioned only to present some graphic objects in a little more interactive manner. But as we know it today, FLASH has actually taken the position of being the top-most player installed on nearly every machine connected to the internet today.

The question arises that if Flash technology is so widely used, does FLASH applications share critical information? if Yes, are they properly secured?

The Answer is that the base architecture of FLASH technology did not had any security features!!. Security features were added as and when it was required. This leads us to a conclusion that there are and there shall be many flaws in FLASH whose exploitation are a matter of time only, and the Impact could be huge with 99% of world's computers using FLASH.

In this talk, Samrat will be discussing the security architecture as given by adobe to the FLASH technology and consequently will be focusing on client side attacks on FLASH applications. FLASH files can also be used in some other attacks which can be accomplished using FLASH in a very easy fashion, hence Samrat shall be discussing the advanced CSRF attack using FLASH files. Samrat will also discuss a new attack technique FPI- FLASH parameter injection, which was recently discovered. Extending his talk, he shall focus on systematic FLASH testing using SWF intruder by OWASP with a discussion on systematic FLASH testing methodology and common tools for FLASH assessments.